Security in the DMZ/Internal and Single Sign on?

Kathy Plamann May 22, 2015

Hi

I have a complicated question so I hope I can explain it clearly. I have a request from management to put JIRA, Confluence in the DMZ. We also want Stash and Bamboo linked to JIRA.. We would like to use CROWD for single sign on in the DMZ. Has anyone had to setup this type of configuration and if so what steps did you take to ensure a secure environment? Should we just have all these products internal? Stash and Bamboo, regardless of where they reside will need to access data internallyy–if they are put in the DMZ there would be holes in the firewall that could cause a breach in security.

Any input on ways that you have ensured a secure environment would be greatly appreciated.

Thanks

Kathy

3 answers

0 votes
rrudnicki
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
May 22, 2015

Hi Kathy, 

 

Should we just have all these products internal? 

No, since Stash and Bamboo has source codes from the software that you are developing, I recommend you to keep this inside of your network. Just run applications into your DMZ if they don’t have confidential information. 

 

Also, the DMZ configuration will depends of your network architecture and if you are thinking to use two or three legged DMZ. 

 

I agree with Balazs that a Reverse proxy might be less painful and more useful on this case than a DMZ.

 

Regards, 

Renato Rudnicki

0 votes
Tim Crall
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
May 22, 2015

sounds like you're going to have some holes in your firewall no matter how you do it. Not that that necessarily means it's not secure.

0 votes
Balázs Szakmáry
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
May 22, 2015

Instead of putting these servers in the DMZ and thus making them available on the internet, I would suggest to set up a reverse proxy to access these resources from the outside. This way there is only one contact point towards the internet and any security holes in Jira/Stash/Bamboo/whatever else are not directly available to exploit from the outside.

Suggest an answer

Log in or Sign up to answer