
Suppose I'm hosting a web server and a separate box offsite that crunches data.


Question

Suppose I'm hosting a web server and a separate box offsite that crunches data. The web server interacts with the worker using the worker's API over port 2888. What would the design of a secure infrastructure be like?

I was thinking to have just 2 firewalls: one in front of the web server with port 80 open to the public and port 28888 (for the worker) open just to the worker's IP, and one firewall in front of the worker with just 28888 open to the web server's IP. Would this be secured or would I need a VPN?

Thanks

Explanation / Answer

Whether a VPN is necessary in this scenario would largely depend on the nature of the traffic between the worker and the web server and whether you're worried about Man-In-The-Middle (MITM) attacks.

A VPN could add two potential benefits to your security here. Firstly, it should encrypt the data between the endpoints. This is obviously a security benefit if the traffic between the two endpoints is unencrypted by default (e.g. over HTTP). However, if the data is already encrypted, then there may be a limited benefit here.

The other benefit could be authentication of the endpoints. At the moment you're restricting by source IP address using a firewall, but there are always potential risks (over an untrusted network like the Internet) that someone could place themselves "between" the endpoints as a Man-In-The-Middle. A properly configured VPN should include authentication of the endpoints, which should preclude this kind of attack. However, it could be that the application traffic already handles this (e.g. HTTPS with trusted certificates), so the VPN might not add much.

So there are potential benefits, depending on the nature of the application traffic.
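
The endpoint-authentication point above, shown as an added example that is not part of the original answer: Python `ssl` contexts for the worker API and for the web server calling it, plus a small audit that reports which of the two benefits (encryption, endpoint authentication) a given context lacks. The function names and the certificate file parameters are assumptions made for illustration.

```python
import ssl


def worker_context(cert=None, key=None, web_ca=None):
    """Server-side context for the worker API (mutual TLS).

    File paths are hypothetical; leave them out to inspect the policy only.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # A TLS server encrypts by default but accepts any client. Requiring a
    # client certificate identifies the caller by key, not only by source IP.
    ctx.verify_mode = ssl.CERT_REQUIRED
    if web_ca:
        ctx.load_verify_locations(cafile=web_ca)  # CA that issued the web server's cert
    if cert:
        ctx.load_cert_chain(cert, key)
    return ctx


def web_server_context(cert=None, key=None, worker_ca=None):
    """Client-side context the web server uses when calling the worker."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verifies certificate and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if worker_ca:
        ctx.load_verify_locations(cafile=worker_ca)
    if cert:
        ctx.load_cert_chain(cert, key)  # presented when the worker asks for it
    return ctx


def audit(ctx, is_client):
    """List the protections from the answer that this context does not provide."""
    gaps = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        gaps.append("weak protocol versions allowed")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        gaps.append("peer not authenticated")
    if is_client and not ctx.check_hostname:
        gaps.append("server name not checked")
    return gaps


if __name__ == "__main__":
    print("mutual TLS worker:", audit(worker_context(), is_client=False))
    plain = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)  # encryption only
    print("default TLS server:", audit(plain, is_client=False))
```

With both contexts in place, the firewall rules on port 28888 remain a useful second layer, but the worker no longer depends on the source IP alone to decide who is calling it.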
