expose_public_https_web_service: Exposing a public HTTPS web service from the Internet to the DMZ
This scenario covers exposing an HTTPS web server hosted in the DMZ and reachable from the Internet. It includes inbound SSL decryption (ssl_inbound_inspection) to enable L7 inspection of encrypted traffic, along with the DNS dependency rules required for the service to function. This scenario is particularly sensitive: the exposed server is a direct target for public-facing application exploitation, payload injection, and use of the service as a C2 relay. Full security profiles (antivirus, IPS, c2_protection, url_filtering, file_control, sandboxing) are mandatory on the main allow rule.
- Schema: 1.0.0
- Version: 1.0.0
- Author: NeuralWall Rules Team (NeuralWall)
Trust and certification
Next tier: verified
Threat model
ssl_inbound_inspection, ips, antivirus, sandboxing, c2_protection, file_control, dns_security
MITRE ATT&CK
Rules
| # | App ID | Action | Direction | Zones | Risk | Security profiles | Decryption |
|---|---|---|---|---|---|---|---|
| 0 | web_browsing | allow | inbound | internet → dmz | 4 | antivirus, c2_protection, file_control, ips, sandboxing, url_filtering | ssl_inbound_inspection |
| 1 | dns | allow | internal | dmz → internal | 2 | dns_security | none |
| 2 | any_application | drop | outbound | dmz → internet | 5 | — | — |
Rule details
Rule 0: web_browsing (allow)
Rationale
This rule allows inbound HTTPS traffic from the Internet to the DMZ web server. The ssl_inbound_inspection decryption mode is enabled to allow L7 inspection: without it, antivirus, IPS, and sandboxing see an opaque stream and cannot detect exploits or payloads. Security profiles are all set to blocking mode (not just alert) because the attack surface is maximal on a public-facing service. Port 80 is included for HTTP→HTTPS redirection; a server-side redirect rule is recommended in addition.
Application
- app_id: web_browsing
- category: general_internet
- risk: 4
- depends_on: dns, ssl
Zones
internet → dmz
direction: inbound
Security profiles
Decryption
mode=ssl_inbound_inspection
Logging
Rule 1: dns (allow)
Rationale
DNS resolution is required for the DMZ web service to function properly (OCSP/CRL resolution for certificate validation, upstream dependencies, updates). The flow is restricted to a trusted internal resolver (not directly to the Internet) to prevent DNS rebinding and limit the exfiltration surface. The dns_security profile with sinkhole blocks DNS tunneling that could be used as a covert C2 channel from a compromised server. Decryption not applicable: standard DNS over UDP is not encrypted.
Application
- app_id: dns
- category: networking
- risk: 2
Zones
dmz → internal
direction: internal
Security profiles
Decryption
mode=none
Logging
Rule 2: any_application (drop)
Rationale
Deny-by-default rule: any traffic initiated from the DMZ toward the Internet that is not explicitly covered by an allow rule above is silently dropped. This rule is critical to contain a compromised DMZ server and prevent the establishment of an outbound C2 channel (T1071.001) or data exfiltration. The 'any_application' app_id with 'unknown' category is justified here: this is a catch-all blocking rule, not an allow rule.
Application
- app_id: any_application
- category: unknown
- risk: 5
Zones
dmz → internet
direction: outbound
Logging
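The three rules above are evaluated top-down with first match wins and an implicit drop for anything unmatched. The following Python model, added here as an illustration and not NeuralWall's own rule engine, encodes the ruleset from the table and shows what a first-match evaluator does with a few constructed flows: the public HTTPS flow is allowed with inbound decryption and the full profile set, DNS to the internal resolver is allowed, and DNS or anything else initiated from the DMZ toward the Internet lands on rule 2 and is dropped, which is the containment property the rationale for rules 1 and 2 relies on. It also includes a small lint that flags an Internet-facing allow rule missing any of the mandatory profiles or running without ssl_inbound_inspection, since L7 profiles cannot inspect an opaque TLS stream. The Rule, Flow, Verdict, evaluate and lint_public_allow_rules names, and the sample flows, are assumptions of this example.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Profiles the page declares mandatory on the main allow rule of a
# public-facing service (constructed constant for this example).
MANDATORY_PUBLIC_PROFILES: FrozenSet[str] = frozenset(
    {"antivirus", "ips", "c2_protection", "url_filtering", "file_control", "sandboxing"}
)


@dataclass(frozen=True)
class Flow:
    """A flow as the policy engine sees it after App-ID classification."""
    app_id: str
    src_zone: str
    dst_zone: str


@dataclass(frozen=True)
class Rule:
    index: int
    app_id: str            # "any_application" matches every app
    action: str            # "allow" or "drop"
    src_zone: str
    dst_zone: str
    profiles: FrozenSet[str] = frozenset()
    decryption: str = "none"

    def matches(self, flow: Flow) -> bool:
        return (
            self.src_zone == flow.src_zone
            and self.dst_zone == flow.dst_zone
            and (self.app_id == "any_application" or self.app_id == flow.app_id)
        )


@dataclass(frozen=True)
class Verdict:
    action: str
    rule_index: Optional[int]     # None means the implicit deny fired
    profiles: FrozenSet[str]
    decryption: str


# The ruleset exactly as listed in the table above.
RULESET: Tuple[Rule, ...] = (
    Rule(0, "web_browsing", "allow", "internet", "dmz",
         MANDATORY_PUBLIC_PROFILES, "ssl_inbound_inspection"),
    Rule(1, "dns", "allow", "dmz", "internal", frozenset({"dns_security"}), "none"),
    Rule(2, "any_application", "drop", "dmz", "internet"),
)


def evaluate(flow: Flow, ruleset: Tuple[Rule, ...] = RULESET) -> Verdict:
    """First-match evaluation; anything unmatched is dropped (implicit deny)."""
    for rule in ruleset:
        if rule.matches(flow):
            return Verdict(rule.action, rule.index, rule.profiles, rule.decryption)
    return Verdict("drop", None, frozenset(), "none")


def lint_public_allow_rules(ruleset: Tuple[Rule, ...] = RULESET) -> list:
    """Flag allow rules from the internet zone that lack mandatory profiles or decryption."""
    findings = []
    for rule in ruleset:
        if rule.action != "allow" or rule.src_zone != "internet":
            continue
        missing = MANDATORY_PUBLIC_PROFILES - rule.profiles
        if missing:
            findings.append(f"rule {rule.index}: missing profiles {sorted(missing)}")
        if rule.decryption == "none":
            findings.append(f"rule {rule.index}: no inbound decryption, L7 profiles see an opaque stream")
    return findings


if __name__ == "__main__":
    # Constructed sample flows: one legitimate per rule, plus two that a
    # compromised DMZ host would attempt and that must be contained.
    samples = [
        Flow("web_browsing", "internet", "dmz"),   # public HTTPS, rule 0
        Flow("dns", "dmz", "internal"),            # resolver lookup, rule 1
        Flow("dns", "dmz", "internet"),            # direct DNS out, rule 2 drops
        Flow("ssl", "dmz", "internet"),            # outbound C2 attempt, rule 2 drops
        Flow("ssh", "internet", "dmz"),            # no rule, implicit deny
    ]
    for f in samples:
        v = evaluate(f)
        print(f"{f.app_id:13} {f.src_zone:8} -> {f.dst_zone:8} {v.action:5} rule={v.rule_index} decrypt={v.decryption}")
    print("lint findings:", lint_public_allow_rules() or "none")
```

Running the script prints one verdict line per sample flow and an empty lint result for the ruleset as published; replacing rule 0's profile set or decryption mode with something weaker makes the lint report the gap, which is the check you would want in CI before such a ruleset is pushed to a public-facing firewall.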