Setup a Webserver in DMZ - Please Help?

By jlindemann
Needing some help here. By no means a newbie, but I am in regards to setting up a webserver inside the DMZ. A Win2K Server and a SonicWall Pro 230 are being used. The current webserver is in our LAN. I want to move it into the DMZ.

I want to be able to place the webserver into the DMZ, but also keep it secure from attacks. I am thinking of placing our Symantec EMail Scanner on the webserver as well, so that mail is filtered outside the LAN and then passed into the EMail server inside the LAN.
Part of our website needs to access a LAN server for customer information (SQL) and pass it back out through the website.
Lastly, I am planning on adding webmail functionality to our business. This webmail access will also be located on our website and will have to be able to access the EMail server on the LAN.

I'm sure for the most part it's an easy task, but I want to make sure it's done right the first time so as not to create security risks and issues in the future.

Please help.

by BFilmFan In reply to Setup a Webserver in DMZ ...

Have you decided on an OS to run on this server?

And all web servers that are exposed to the Internet are at risk of attack. You can only reduce the ability to compromise the server; you can't stop an attack if someone decides to launch one against the server.

And I would advise 2 web servers. One for internal use holding client data and one in the DMZ that does not. Placing client data on a server in a DMZ is simply asking for it to be stolen.

Once you have an OS chosen, I am sure that others can offer some more specific advice on securing the server.


by jlindemann In reply to BFilmFan

As stated in the above description, we will be using a "Win2K Server".

Unfortunately a dual webserver environment doesn't really help and ends up adding a hardly used internal webserver. That, and cost would be an issue to the superiors.
The issue is that part of our webserver is built so that it talks to our main database on the internal LAN. When a customer comes to our website, they will need to be able to pull up their information live from the database.
Currently the webserver is on our LAN, thus increasing local LAN traffic. I want to put the webserver in the DMZ, causing less LAN traffic and greater security.


by sgt_shultz In reply to Setup a Webserver in DMZ ...

I don't think it's an easy task. At least I cannot locate the 'DMZ' switch on my network either (rdl).
You want a 'DMZ' but no second server. What do you think a DMZ is? I am in the same boat as you, and I would love to do it with one server and a router and a firewall. My boss is hot for it.
But it is not enough layers of security for my comfort. A DMZ is the idea all right...
You know your mission: secure the LAN and the public exposures. Under that, define your public access (email, web and database are the big ones you mentioned; do you have others like VPN? pcAnywhere? Leave blank space at the bottom of the list). List available hardware/OS ('W2kSvr', router). List budget. (If this is under $1k you've got a red flag here, IMHO.)
Take the list to www.cert.org for information on hardening the public server(s) and securing the public exposures each, by definition, must have. Web proxy. Mail proxy. Database replication server. You are gonna really need more than just ONE 'nother server/device. IMHO.
See www.microsoft.com/technet for info on DMZ or general security. Surf the website for each of your public server products' security. Each OS and server product has major holes out of the box and standard procedures for closing them (hardening). Follow them and you will be doing a lot of good.
Try to get some paid hours with a networking consultant where you evolve an estimate and schedule for exactly how to accomplish securing my exposed ***(ets): an estimate of one-time expenses and a yearly budget to keep it going. Keep asking everyone pleasantly about possible hidden costs, remembering not to kill the messenger. Once your eyes have been opened by people in the know, reverse position to management. Now say you need to put a little money into this (which they knew anyway).
I am just a person like you who has to do this also. Consider a book like 'Hacking Revealed'. As far as Linux goes, TANSTAAFL.
BTW, would somebody please tell me why you couldn't get one of those $500 Macs running OS X for some of this? With its automatic OS updates...


by CG IT In reply to Setup a Webserver in DMZ ...

There's a couple of approaches. It depends on what type of internet access you've got. The best form of security is a layered approach.

First, get an Access Router/Firewall between the internet and your network.

There's many ways in which to segment the network: a managed switch, a configurable router, or you can use ISA Server 2004, which is a very versatile proxy/firewall. You can stick multiple NICs into it and configure the different segments to whatever you want: one for the web server, one for the LAN, one very secure for databases.

Though you've given us some information, what are your budget constraints?


by CG IT In reply to

There's many configurations used for DMZ describing what a DMZ is these days. Some mean between the internal firewall and the perimeter firewall [between two firewalls], but for me, the term DMZ means "naked" on the internet. There is no firewall that closes inbound ports, both TCP and UDP, or blocks PPTP/L2TP traffic. Naked.

Some consumer-level routers allow you to configure 1 LAN port that the firewall does not control [naked].

Here's our approach. We have a perimeter firewall/Access router which gets connected to a managed 8-port switch. That switch is VLANed into 4 segments. One segment is what we consider the DMZ, and web servers are connected to that. One segment is connected to our ISA Server 2000; that's our proxy server/internal firewall. One segment we have reserved for "whatever", like the boss wants to connect his laptop to the internet and not be on the net, or we want to play games online while we wait for the tape backups to get done.

Now our ISA proxy server's LAN side is connected to our stacks of managed switches, which creates our LAN net. We have the Windows XP firewall enabled and run the ISA Server firewall client program. Our database servers are on their own VLAN separate from the LAN net, and you've got to provide credentials to log in and run queries. It's a pain for users but secure.
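The zone layout described in the two posts above, and the flows the original poster needs (public web and SMTP into the DMZ host, the DMZ host out to the LAN SQL and mail servers only), written out as a first-match firewall policy with a small checker. This is an added example, not code from the thread, from SonicWall or from ISA Server; the addresses, hostnames and ports (192.168.10.0/24 for the DMZ, 10.0.0.0/24 for the LAN, 1433 for SQL, 143 for the webmail back end) are constructed for illustration. The point it makes is the one the replies make in prose: every hole from the DMZ into the LAN is pinned to one source host, one destination host and one port, nothing from the Internet reaches the LAN, and the `audit` function flags any rule that breaks that shape.

```python
"""Zone-policy model for a three-legged DMZ (Internet / DMZ / LAN).

Added example, not code from the thread or any firewall vendor.  Constructed
values: DMZ 192.168.10.0/24 (web + mail scanner host 192.168.10.10), LAN
10.0.0.0/24 (SQL 10.0.0.20, mail server 10.0.0.25).  Ports are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ZONES = {
    "DMZ": ip_network("192.168.10.0/24"),
    "LAN": ip_network("10.0.0.0/24"),
}


def zone_of(addr: str) -> str:
    """Map an address to DMZ, LAN, or INTERNET (anything not in a known zone)."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "INTERNET"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str                 # "tcp", "udp" or "any"
    dport: int                 # 0 = any port
    src_hosts: frozenset = frozenset()   # empty = any host in src_zone
    dst_hosts: frozenset = frozenset()   # empty = any host in dst_zone
    action: str = "allow"
    comment: str = ""


WEB = "192.168.10.10"   # DMZ host: web server + mail scanner (assumed)
SQL = "10.0.0.20"       # LAN SQL server (assumed)
MAIL = "10.0.0.25"      # LAN mail server (assumed)

# First match wins; anything that matches nothing is denied.
POLICY = [
    Rule("INTERNET", "DMZ", "tcp", 80,  dst_hosts=frozenset({WEB}), comment="public web"),
    Rule("INTERNET", "DMZ", "tcp", 443, dst_hosts=frozenset({WEB}), comment="public web (TLS)"),
    Rule("INTERNET", "DMZ", "tcp", 25,  dst_hosts=frozenset({WEB}), comment="inbound SMTP to scanner"),
    Rule("DMZ", "LAN", "tcp", 1433, frozenset({WEB}), frozenset({SQL}),  comment="web app -> SQL"),
    Rule("DMZ", "LAN", "tcp", 25,   frozenset({WEB}), frozenset({MAIL}), comment="scanner -> mail server"),
    Rule("DMZ", "LAN", "tcp", 143,  frozenset({WEB}), frozenset({MAIL}), comment="webmail -> IMAP"),
    Rule("LAN", "DMZ", "tcp", 3389, dst_hosts=frozenset({WEB}), comment="admin RDP from LAN"),
    Rule("INTERNET", "LAN", "any", 0, action="deny", comment="never reach LAN from outside"),
]


def decide(src: str, dst: str, proto: str, dport: int, policy=POLICY) -> str:
    """Return 'allow' or 'deny' for one flow, first matching rule wins."""
    sz, dz = zone_of(src), zone_of(dst)
    for r in policy:
        if r.src_zone != sz or r.dst_zone != dz:
            continue
        if r.proto != "any" and r.proto != proto:
            continue
        if r.dport != 0 and r.dport != dport:
            continue
        if r.src_hosts and src not in r.src_hosts:
            continue
        if r.dst_hosts and dst not in r.dst_hosts:
            continue
        return r.action
    return "deny"   # implicit default deny


def audit(policy=POLICY) -> list:
    """Flag allow rules that are wider than the DMZ design should permit."""
    findings = []
    for r in policy:
        if r.action != "allow":
            continue
        if r.src_zone == "INTERNET" and r.dst_zone == "LAN":
            findings.append(f"Internet->LAN allow: {r.comment!r}")
        if r.dst_zone == "LAN" and (not r.src_hosts or not r.dst_hosts or r.dport == 0):
            findings.append(f"unpinned hole into LAN: {r.comment!r}")
        if r.src_zone == "INTERNET" and not r.dst_hosts:
            findings.append(f"Internet rule exposes whole zone: {r.comment!r}")
    return findings


if __name__ == "__main__":
    checks = [
        ("203.0.113.5", WEB, "tcp", 443),     # customer hitting the site
        (WEB, SQL, "tcp", 1433),              # web app pulling customer data
        (WEB, SQL, "tcp", 445),               # compromised web host probing SMB
        ("203.0.113.5", SQL, "tcp", 1433),    # outsider straight at SQL
        ("10.0.0.7", WEB, "tcp", 3389),       # admin from the LAN
    ]
    for c in checks:
        print(*c, "->", decide(*c))
    print("audit:", audit() or "clean")
```

The deny verdict for `(WEB, SQL, "tcp", 445)` is the property that makes the DMZ worth having: if the web host is compromised, the attacker gets one port on one LAN server, not the LAN. Run `audit` against any ruleset you load into the perimeter firewall; a "DMZ to LAN, any port" convenience rule is exactly what it is there to catch.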


by joker64 In reply to Setup a Webserver in DMZ ...

Great answer... I agree, a router and switch... firewall router.


by jlindemann In reply to Setup a Webserver in DMZ ...

This question was closed by the author
