Linux/Windows Web Server, DMZ design

By ohm.paul
Currently, our company has about 15 employees working in a central office. We have a single file server for sharing various documents; this server is a Dell PowerEdge.

We have 2 websites which are currently being served by GoDaddy, but we would like to host the servers ourselves. We also have 10 retail locations around the company that need to be able to connect to our websites continuously throughout the day.

The plan is to purchase a PowerEdge 2900III server (2x quad-core processors, 4 GB RAM, 6x 73 GB HDDs w/ RAID 5/1) as well as a Cisco ASA 5510 firewall, which will be in addition to the ISP-supplied router (IAD 2400, which I cannot personally configure; I must call the ISP each time).

I have been researching the possibility of setting up the server inside a DMZ, but am wary of the security risks, as the web server will be driven by an information-sensitive database on the web server.

One suggestion I heard was to set up the DMZ like such:

internet --> ISP Router (IAD) --> ASA firewall --> DMZ(web server) --> additional router (1800 possibly?) --> LAN

Would such a configuration be suitable and safe for both the web server that has sensitive information in it as well as the LAN? Or would it be highly recommended to set up an internal server on the LAN that could contain the sensitive database, and would be accessed constantly by the web server located on the DMZ?

An additional question: I know only the basics of Linux (took a course in Linux/Unix Sys. Admin.), so I got the idea of how Linux works, but am by no means an expert. Would it be wise to set up RH Enterprise or SUSE Enterprise on the web server? I.e., how difficult would it be to set up such a network/DMZ/Apache on Linux with only basic knowledge? Is it worth the added security of Linux, or should I stay with what I am more comfortable with, which is Windows?

An additional note, the site is a PHP/MySQL driven site, so it naturally works well with Apache, further intriguing the Linux server idea...

Thoughts, suggestions?


squid proxy

by ohm.paul In reply to Linux/Windows Web Server, ...

Would it be a good solution to set up a reverse cache proxy in the DMZ which could relay incoming connections to the web server?

by ohm.paul In reply to Linux/Windows Web Server, ...

The purchase is happening today, and as of right now, it will consist of:

PowerEdge 2900III (web server)
Cisco ASA 5510 firewall
Nod32 AV

Cheap server (linux based) to become more familiar with Linux.

As of now, our web application will only be accessed by specific customers that we direct there, so the load is not too great.

First of all, I have heard that SBS does not communicate well with other servers, so should I stay with Windows Server 2003 so that it is able to communicate with our file server (SBS 2003) and possibly another server (Linux)? As for this second Linux server, what kinds of specs should I invest in for the server to be able to run an Enterprise Linux distro and possibly host files for the web server?

My options for security are limited. Here are my options:

- set up the web server on the internal network behind the ASA firewall and IAD 2400 router (supplied and configured by ISP)

- set up the web server on a DMZ between the IAD and the ASA; however, the web server will contain a database of sensitive information, so I don't know if this will provide enough security for that information

- set up the web server on a DMZ between the IAD and ASA and use the cheap Linux server to host the database on the internal network, and the web server would have to reference that Linux server each time the web application is accessed

Are there any other options I am missing?
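The topology sketched in the opening post and the three options listed above can be compared as a firewall policy. The script below is an added example for this thread, not code posted by anyone in it and not a Cisco configuration; the hostnames, addresses, ports and rule tables are constructed for illustration. It evaluates each option's rules the way a zone firewall reads them (first match wins, unmatched traffic is dropped) and reports what a foothold on the web server could reach, which is the concern behind keeping the sensitive database off the web host.

```python
"""Zone-policy model of the three DMZ options discussed in this thread.

Added example: addresses, hostnames and rules are constructed, not the
poster's real network.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    src: str             # source network (CIDR)
    dst: str             # destination network (CIDR)
    port: Optional[int]  # destination TCP port; None means any port
    action: str          # "allow" or "deny"


def evaluate(rules: List[Rule], src: str, dst: str, port: int) -> str:
    """First matching rule wins; unmatched traffic is dropped (default deny)."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if s in ip_network(r.src) and d in ip_network(r.dst) and r.port in (None, port):
            return r.action
    return "deny"


def lateral_reach(rules: List[Rule], foothold: str, hosts: Dict[str, str],
                  ports: List[int]) -> List[Tuple[str, int]]:
    """Every (host, port) an attacker holding `foothold` can open a connection to."""
    return sorted(
        (name, port)
        for name, addr in hosts.items() if addr != foothold
        for port in ports
        if evaluate(rules, foothold, addr, port) == "allow"
    )


INTERNET, DMZ, LAN = "0.0.0.0/0", "192.168.10.0/24", "10.0.0.0/24"
PORTS = [80, 445, 3306, 3389]  # web, SMB file sharing, MySQL, RDP (constructed sample)

# Option 1: web server and its database on the internal LAN, port 80 forwarded in.
OPT1_HOSTS = {"web": "10.0.0.5", "files": "10.0.0.2", "workstation": "10.0.0.50"}
OPT1_RULES = [
    Rule(INTERNET, "10.0.0.5/32", 80, "allow"),
    Rule(LAN, LAN, None, "allow"),  # nothing separates LAN hosts from each other
]

# Option 2: web server and database on one DMZ host; DMZ may not initiate into the LAN.
OPT2_HOSTS = {"web": "192.168.10.5", "files": "10.0.0.2", "workstation": "10.0.0.50"}
OPT2_RULES = [
    Rule(INTERNET, "192.168.10.5/32", 80, "allow"),
    Rule(DMZ, LAN, None, "deny"),
]

# Option 3: web server in the DMZ, database on an internal host, one MySQL pinhole.
OPT3_HOSTS = {"web": "192.168.10.5", "db": "10.0.0.10",
              "files": "10.0.0.2", "workstation": "10.0.0.50"}
OPT3_RULES = [
    Rule(INTERNET, "192.168.10.5/32", 80, "allow"),
    Rule("192.168.10.5/32", "10.0.0.10/32", 3306, "allow"),
    Rule(DMZ, LAN, None, "deny"),
]


def assess(rules: List[Rule], hosts: Dict[str, str], db_host: str) -> dict:
    """Combine the two questions the thread raises: is the data already on the
    internet-facing host, and how far can that host reach into the LAN?"""
    web = hosts["web"]
    return {
        "db_on_web_host": hosts[db_host] == web,
        "lateral_reach": lateral_reach(rules, web, hosts, PORTS),
    }


def compare_options() -> Dict[str, dict]:
    return {
        "option1": assess(OPT1_RULES, OPT1_HOSTS, "web"),
        "option2": assess(OPT2_RULES, OPT2_HOSTS, "web"),
        "option3": assess(OPT3_RULES, OPT3_HOSTS, "db"),
    }


if __name__ == "__main__":
    for name, result in compare_options().items():
        print(name, result)
```

Option 1 shows every LAN host and port reachable from the web server, option 2 shows nothing reachable but the database already sitting on the exposed host, and option 3 shows a single (db, 3306) pinhole. The model only counts which connections a foothold can open; it says nothing about what the web application's database account is allowed to do once connected, which is the next thing to restrict.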

by lamont152 In reply to Purchasing

I think the web server and the database should be on the internal LAN, with the database hosted on a different machine than the web server. Just configure the ASA firewall to allow incoming traffic on port 80 and have the ISP open port 80 on the IAD 2400 router.

by ohm.paul In reply to Well...

I have been told repeatedly that it is very unwise to have the web server on the internal LAN, because if someone were to hack out of the web server, he would have access to all other workstations in the internal LAN, including any other server that hosted the database... thus eliminating any security gained by having it on a separate server.

However, if I put the web server on the DMZ side of the ASA 5510, and have the internal network on the other side, then a hacker would not be able to get from one to the other. In this case, though, I would be pressed to put the database on a server on the internal network.

I am wondering if our current SC 440 file server could perform double tasks and host the database as well as the company files (and SharePoint) that it currently hosts... any thoughts on that? The only problem with that is that the web server has RAID 5/1 with 6 HDDs and an internal tape backup drive to back up everything that needs it. However, hosting the database on another server would mean it wouldn't get backed up by the RAID or tape drive... making them pointless, as they would just be backing up the server root, which is backed up on workstations anyway...
