Is this an effective and secure network design?

By ohm.paul
I am in the process of separating our current Web/DB server to two servers, both running Windows Server 2008 Core. We have two Cisco ASA firewalls (one 5505, one 5510) to help with this task. My current plan for the network design went something like this:

5 port Switch -- Web Server (attached to switch)
ASA5510 (external interface attached to above switch) ---- DMZ (with DB Server)
LAN (internal workstations)

From this point, I would have a pinhole that allows access from the web server to the DB inside the 5510's DMZ, and a pinhole that would allow port 80,443 through the first ASA (5505) to get to the Web Server. All internal traffic would travel out through both firewalls as well.

The web server runs Apache/PHP on Windows Server Core 2008, and the DB Server runs MySQL on Windows Server Core 2008 (which is just a command line version of windows server).

Another option would be to have a switch connected to the internet, and just have both routers coming from that. Then the ASA5510 could house the Web(on DMZ) and DB on internal port. Then the ASA5505 would be a separate network, and would house the LAN alone.

Which of these options seems like the best solution keeping in mind that our LAN uses the website on the DMZ a lot?

Thank you for any input.


All Answers


Tell me you're joking, please

by Wizard-09 In reply to Is this an effective and ...

You're asking if this is a secure network, yet you're posting your network design on the web. "Now ask yourself: is it secure, and should you really be in I.T.?"

I have seen it all now.


Not joking...

by ohm.paul In reply to Tell me you're joking pleas ...

I don't see how posting a generic network structure yields anything that hurts security. It is no secret that networks are constructed with a firewall, then a web server, then another firewall, then a LAN. Tell me how that is going to make it easier for you to break into my network... So you know that I'm using Windows and Apache, incredibly revealing...

Congratulations on being an A$$ for no reason.

Did I post IP addresses? No.
Did I post Cisco configurations? No ... which is something you see quite frequently, so go get on someone else's case, because apparently you're more concerned with disqualifying others rather than qualifying yourself by offering any help whatsoever.


The second option

by RaymondJM4 In reply to Is this an effective and ...

The second option seems to be a bit cleaner than the first, with fewer points of failure. As far as security goes, the LAN is secure; just make sure the code for your site is.

As long as you're not including any more info than you have, you should be fine posting what you did.



by ohm.paul In reply to The second option

Thanks Raymond, I've been leaning towards the second design as well. I just have seen a lot of "corporate network designs" and diagrams online, and a lot of them use something similar to the first design, with one firewall behind the other.


Final Option

by ohm.paul In reply to Is this an effective and ...

Another possibility would be to have the ASA 5510 act as the first line of defense and just have the web server plug into the DMZ port of that Firewall. Then the 5505 would be connected to the back of the web server and the DB behind that.


My only question about this is that I was wondering if the "DMZ" port on a firewall is actually as secure as having a completely separate router plugged into a switch, as in the previous possibility. I wouldn't be allowing any pinholes through from the DMZ to the inside, so I don't know why it wouldn't be as secure, but is this correct?


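As an added example (not from the original thread or from any of the posters), here is what the pinhole design discussed above looks like on a single ASA with outside, dmz and inside interfaces: the web server published on the DMZ on 80/443 only, the DB server on the inside reachable from the web server on MySQL's port only, and everything else from the DMZ toward the LAN explicitly dropped. Interface names, object names and all addresses (RFC 5737 documentation ranges, plus private space) are assumptions; the syntax is ASA 8.3-or-later object NAT.

```cisco
! Added example, not the poster's configuration. Addresses, interface and
! object names are placeholders.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.100.1 255.255.255.0
!
! Web server lives on the DMZ and is published on a public address.
! The "dns" keyword rewrites A-record answers passing through the ASA, so
! LAN clients resolving the public hostname are handed the DMZ address and
! reach the site directly rather than hairpinning via the outside interface.
object network WEB-SERVER
 host 192.168.100.10
 nat (dmz,outside) static 203.0.113.10 dns
!
object network DB-SERVER
 host 10.0.0.20
!
! Pinhole 1: internet -> web server, HTTP and HTTPS only (implicit deny after).
access-list OUTSIDE_IN extended permit tcp any object WEB-SERVER eq 80
access-list OUTSIDE_IN extended permit tcp any object WEB-SERVER eq 443
access-group OUTSIDE_IN in interface outside
!
! Pinhole 2: web server -> MySQL on the DB server, and nothing else from the
! DMZ into the LAN. Once an ACL is bound to the dmz interface, the
! security-level rule ("lower may not initiate to higher") no longer decides;
! the ACL does. So the deny toward the inside subnet must be stated
! explicitly, ahead of the permit that lets the web server reach the internet
! for updates.
access-list DMZ_IN extended permit tcp object WEB-SERVER object DB-SERVER eq 3306
access-list DMZ_IN extended deny ip any 10.0.0.0 255.255.255.0
access-list DMZ_IN extended permit ip any any
access-group DMZ_IN in interface dmz
```

The inside interface carries no ACL, so the LAN (security level 100) may initiate to both the DMZ and the internet by default, which is what a site whose staff use the DMZ web server all day needs. Two caveats a practitioner would check before trusting the "DMZ port": first, the order of the `DMZ_IN` entries matters, because a `permit ip any any` placed before the deny would quietly open the DMZ into the LAN; second, on the 5505 a DMZ is a VLAN interface, and the Base license allows only three VLAN interfaces with the third restricted from initiating traffic to one of the other two, so confirm which license is installed before planning on that box as the three-legged firewall.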

Tech support question

by RaymondJM4 In reply to Final Option

I've seen too many models and manufacturers with variations in their definitions of terms like DMZ. I would definitely call tech support and find out from the horse's mouth for that specific model. Maybe you can just send them an email. The DMZ for a Linksys home router is not the same as a DMZ for an ASA 5510. And with this being a deal-breaker question for your network security, I wouldn't rely on anyone else's explanation.
