I work in an environment where it has traditionally been a policy to not allow HTTP/HTTPS from the DMZ to the internal network (even when it is clamped down to a specific source and destination IP). I understand the thinking behind this. HTTP(S) is a very common avenue of exploitation; therefore, if possible, one should try to avoid allowing it from less-trusted to more-trusted networks, whenever possible.
That being said, it seems like a lot of vendors, even security vendors, are designing their products such that front-end components need to communicate with back-end components using HTTP(S), so I am wondering how it is typically handled. Do most companies/organizations not adhere to this policy at all, or do they just create exceptions on an as-needed basis? I would love to hear some of your thoughts on how you all handle it.
May 16th 2016