reviewed expose_public_https_web_service

Exposing a public HTTPS web service from the Internet to the DMZ

This scenario covers exposing an HTTPS web server hosted in the DMZ and reachable from the Internet. It includes inbound SSL decryption (ssl_inbound_inspection) to enable L7 inspection of encrypted traffic, along with the DNS dependency rules required for the service to function. This scenario is particularly sensitive: the exposed server is a direct target for public-facing application exploitation, payload injection, and use of the service as a C2 relay. Full security profiles (antivirus, IPS, c2_protection, url_filtering, file_control, sandboxing) are mandatory on the main allow rule.

Schema:: 1.0.0
Versão:: 1.0.0
Autores:: NeuralWall Rules Team (NeuralWall)

Confiança e atestações

Trust tierreviewed

Carregando informações de confiança…

community

reviewed

verified

Next tier: verified

Pré-visualização {} Machine JSON AI AI/RAG Markdown ~ Source YAML RAG [fr]

Modelo de ameaça

Resumo

A web service directly exposed to the Internet represents the widest attack surface of a perimeter. The attacker attempts to exploit an application vulnerability (public CVE, injection, misconfiguration) to gain initial access on the DMZ, then move laterally toward the internal network. Without inbound SSL decryption, L7 inspection is blind: antivirus, IPS, and sandboxing see only an opaque stream. With ssl_inbound_inspection, the stream is re-encrypted toward the server after inspection — the server certificate must be imported into the firewall.

Objetivo do atacante

Gain initial access on the DMZ server by exploiting the public HTTPS service, drop a payload or implant, then establish an outbound C2 channel or pivot into the internal network (privilege escalation, lateral movement).

Controles principais

ssl_inbound_inspectionipsantivirussandboxingc2_protectionfile_controldns_security

MITRE ATT&CK

Técnica	Nome	Tática
T1190	Exploit Public-Facing Application	initial-access
T1071.001	Application Layer Protocol: Web Protocols	command-and-control
T1105	Ingress Tool Transfer	command-and-control
T1059	Command and Scripting Interpreter	execution

Regras

#	App ID	Ação	Direção	Zonas	Risco	Perfis de segurança	Decriptação
0	web_browsing	allow	inbound	internet → dmz	4	antivirus, c2_protection, file_control, ips, sandboxing, url_filtering	ssl_inbound_inspection
1	dns	allow	internal	dmz → internal	2	dns_security	none
2	any_application	drop	outbound	dmz → internet	5	—	—

Detalhes da regra

Regra 0 — `web_browsing` (allow)

Justificativa

This rule allows inbound HTTPS traffic from the Internet to the DMZ web server. The ssl_inbound_inspection decryption mode is enabled to allow L7 inspection: without it, antivirus, IPS, and sandboxing see an opaque stream and cannot detect exploits or payloads. Security profiles are all set to blocking mode (not just alert) because the attack surface is maximal on a public-facing service. Port 80 is included for HTTP→HTTPS redirection; a server-side redirect rule is recommended in addition.

Aplicação

app_id:: web_browsing
category:: general_internet
risk:: 4
depends_on:: dns, ssl

Zonas

internet → dmz

direction: inbound

Perfis de segurança

antivirus: action=block c2_protection: action=block, min_severity=low file_control: block_types=pe+elf+script+encrypted_archive, direction=inbound ips: action=block, min_severity=medium sandboxing: enabled=true, file_types=pe+pdf+office+jar+script url_filtering: block_categories=malware+phishing+c2+newly_registered_domain+proxy_avoidance+hacking+compromised, uncategorized_action=block

Decriptação

mode=ssl_inbound_inspection

Registro

log_start: false

log_end: true

forwarding → siem_high_priority

Regra 1 — `dns` (allow)

Justificativa

DNS resolution is required for the DMZ web service to function properly (OCSP/CRL resolution for certificate validation, upstream dependencies, updates). The flow is restricted to a trusted internal resolver (not directly to the Internet) to prevent DNS rebinding and limit the exfiltration surface. The dns_security profile with sinkhole blocks DNS tunneling that could be used as a covert C2 channel from a compromised server. Decryption not applicable: standard DNS over UDP is not encrypted.

Aplicação

app_id:: dns
category:: networking
risk:: 2

Zonas

dmz → internal

direction: internal

Perfis de segurança

dns_security: action=block, sinkhole=true

Decriptação

mode=none

Registro

log_end: true

forwarding → siem_default

Regra 2 — `any_application` (drop)

Justificativa

Deny-by-default rule: any traffic initiated from the DMZ toward the Internet that is not explicitly covered by an allow rule above is silently dropped. This rule is critical to contain a compromised DMZ server and prevent the establishment of an outbound C2 channel (T1071.001) or data exfiltration. The 'any_application' app_id with 'unknown' category is justified here: this is a catch-all blocking rule, not an allow rule.

Aplicação

app_id:: any_application
category:: unknown
risk:: 5

Zonas

dmz → internet

direction: outbound

Registro

log_start: true

log_end: true

forwarding → siem_high_priority

Confiança e atestações

Modelo de ameaça

MITRE ATT&CK

Regras

Detalhes da regra

Regra 0 — web_browsing (allow)

Regra 1 — dns (allow)

Regra 2 — any_application (drop)

Uso e feedback

Regra 0 — `web_browsing` (allow)

Regra 1 — `dns` (allow)

Regra 2 — `any_application` (drop)