General discussion

Locked

Location of a Web Server

By gyalch ·
My company is about to bring it's web hosting in house. Right now we have a Cisco 2621 between our DSL and the internal network. The router is running both NAT and has a firewall package. I am however not sure where to put the Web Server. ShouldI put it on my internal network and just setup one-to-one NAT, create a DMZ and again use one-to-one NAT, or create a DMZ and assign public IP addresses.

Also, if I want to access the webserver internally for uploading programmed pages, should I access it via the public domain or should I add a second NIC card to the server and attach it to the internal network. Thanks a for your help.

This conversation is currently closed to new comments.

9 total posts (Page 1 of 1)  
| Thread display: Collapse - | Expand +

All Comments

Collapse -

Location of a Web Server

by Joseph Moore In reply to Location of a Web Server

My suggestions on your design:
Put a 2nd NIC in the web server.
Have the 1st NIC with its public IP on the DMZ.
Set up Port Filtering on the 1st NIC to only allow port 80.
Make sure you have the security on the website correct, so the web serveruser account only has Read rights (if that will work for your web site).
Keep it updated with any necessary patches and such.
Monitor the web site automatically for any defacements.
Basically,lock it down to as tight as you can get away with and still maintain functionality. If it is a Windows machine, keep it in its own Workgroup, not as a member of your office domain. Implement complex passwords on all user accounts on it.
Put the 2nd NIC on your internal network. Make sure your office network uses password policies.

hope this helps

Collapse -

Location of a Web Server

by gyalch In reply to Location of a Web Server

Poster rated this answer

Collapse -

Location of a Web Server

by jbelcher In reply to Location of a Web Server

I would utilize the second ethernet port on the Cisco 2621 to create a DMZ with public IP addresses. Assign a public IP address to webserver then adjust your access list / firewall settings to restrict inbound http requests in and replies from the webserver back to the internet. Filter everything Else. Be sure to permit your local network to be able to access the webserver as well. I would also permit FTP, etc. from your internal network only so that you can upload pages to your webserver without permitting this traffic from any host on the internet.

I wouldn't add a second NIC. Unless there is a really good reason to connect directly to your internal network I wouldn't do it. You will be able to access it throuh the router for internal viewing. Webservers are among the highest compromised servers on the internet and the second NIC in a compromised server would give the attacker direct access to every host on your internal network bypassing the firewall. I would only connect your internal network to the internet through a firewall, never a host/server. I know this is somewhat rambled but I hope this helps you in your decision...

Collapse -

Location of a Web Server

by gyalch In reply to Location of a Web Server

Poster rated this answer

Collapse -

Location of a Web Server

by mcoya In reply to Location of a Web Server

This is very simple, if you are not using the other ethenet port on the router. Set E0 up with a public ip address to the web server. If you have the capablilty to designate a small pool of public IP address to a specifice port on the router do so,but make sure it's not the same pool as you internal LAN. If not you will have to rely on access lists. Set up access lists on that port allowing only port 80 TCP and UDP and denying everything else, unless you have other services running. You can access the web server from the internal LAN by setting up a Static route on the internal ethernet port to the ip address on the web servers ethernet port.

I could give you quit a few other scenerios but i'm running out of room. Email me if you have any other questions.

Collapse -

Location of a Web Server

by gyalch In reply to Location of a Web Server

Poster rated this answer

Collapse -

Location of a Web Server

by wlbowers In reply to Location of a Web Server

Cisco has a building full of tech specialist that
can give you the best configs. Go to their
website and call them.

Lee

Collapse -

Location of a Web Server

by gyalch In reply to Location of a Web Server

Poster rated this answer

Collapse -

Location of a Web Server

by gyalch In reply to Location of a Web Server

This question was closed by the author

Back to Networks Forum
9 total posts (Page 1 of 1)  

Related Discussions

Related Forums