

Where would be best to put web server

By davidm ·
We are planning on hosting our own web server and I have always thought it best to put it in the DMZ, not in your network. Am I confused???


by CG IT In reply to Where would be best to pu ...

No, you're not, at least according to most IT security people.

Web servers are the first target hackers go after, as they're the most publicly viewable. So, according to IT security people, best practice would be to have the web server off on its own, so if there is a breach the hackers cannot get into the network.


by briantruitt In reply to Where would be best to pu ...

You can do either one. I would be concerned about what OS you'd have running on the webserver. Basically, if you stick anything in the DMZ, that particular computer is wide open. If you stick that computer behind a firewall and do port forwarding to its IP address, only that particular port is open to the public. I have a Snort box in my office DMZ and it gets hit with anything and everything. I also have a webserver at home using port forwarding and it gets hit just as much. If it were up to me I would leave the webserver inside the network and just forward port 80 traffic to its IP address. I would also try to stick with Linux, but that's a different story.


by wlbowers In reply to Where would be best to pu ...

Make it as hard as possible for a hacker to get from your web server to your network.




by ewgny In reply to Where would be best to pu ...

I don't agree with answer #2. A DMZ is not an area that is wide open to the outside. A properly configured DMZ will be firewalled just like your protected network. The only difference is that you obviously need to open various inbound ports depending on what services are set up in your DMZ. Rules should be set up to direct, for example, port 80 inbound to the IP address of your web server. You can set up access from your internal network to your DMZ, and block access from your DMZ to your internal network.
This way if for some reason your server on the DMZ was compromised, the intruder would have no way into the internal network.
If you would like to keep the Web Server on the internal network, you could "publish it" via ISA Server. So instead of your firewall directing port 80 to a Web server on the DMZ, you can direct port 80 to the DMZ NIC of an ISA Server that sits on the perimeter of your internal network with one NIC on the internal network, and one NIC on the DMZ.
Another method that I have used is to have 2 identical web servers, one on the DMZ and one on the internal network. All modifications to the web site would be made to the internal server; the internal website would be backed up and then the web site modifications restored to the DMZ server. In the event that my DMZ server got f'd up, I could quickly fix it and restore it from the internal server.
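The zone policy ewgny describes (inbound port 80 only to the web server's address, internal allowed into the DMZ, DMZ blocked from reaching internal, default deny) can be checked before it goes onto a real firewall. The following is an added example written for this thread, not code from any poster or product: it models that ordered, first-match ruleset in Python and audits two things a practitioner cares about, which ports of the web server are reachable from outside, and whether a compromised DMZ host can originate connections inward. All addresses (10.0.0.0/24 internal, 192.168.100.0/24 DMZ, 203.0.113.7 as an outside host) and the rule format are constructed for illustration; the model evaluates new connections only and leaves connection tracking of return traffic to the real firewall.

```python
"""Zone-based firewall policy model for a web server in a DMZ.

Added example, not from the original thread. Addresses, zone names and
the rule format below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Sequence

# Constructed addressing: protected LAN and the DMZ segment.
ZONES = {
    "internal": ip_network("10.0.0.0/24"),
    "dmz": ip_network("192.168.100.0/24"),
}
WEB_SERVER = "192.168.100.10"   # constructed DMZ web server address
OUTSIDE_HOST = "203.0.113.7"    # constructed Internet address (TEST-NET-3)


def zone_of(addr: str) -> str:
    """Map an address to its zone; anything not in a known zone is 'internet'."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Packet:
    src: str    # source address
    dst: str    # destination address
    dport: int  # destination TCP port of a new connection


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_host: Optional[str]   # exact destination address, or None for any
    dport: Optional[int]      # destination port, or None for any
    action: str               # "accept" or "drop"

    def matches(self, pkt: Packet) -> bool:
        return (
            self.src_zone == zone_of(pkt.src)
            and self.dst_zone == zone_of(pkt.dst)
            and (self.dst_host is None or self.dst_host == pkt.dst)
            and (self.dport is None or self.dport == pkt.dport)
        )


# Policy as described in the thread: first match wins, default deny.
DMZ_RULESET = [
    # Publish only port 80, and only to the web server's address.
    Rule("internet", "dmz", WEB_SERVER, 80, "accept"),
    # Internal hosts may reach the DMZ (administration, content updates).
    Rule("internal", "dmz", None, None, "accept"),
    # Nothing originates from the DMZ towards the internal network.
    Rule("dmz", "internal", None, None, "drop"),
]

# The "wide open" variant the thread warns against: every port of the
# web server exposed and the DMZ allowed to reach inside.
WIDE_OPEN_RULESET = [
    Rule("internet", "dmz", WEB_SERVER, None, "accept"),
    Rule("internal", "dmz", None, None, "accept"),
    Rule("dmz", "internal", None, None, "accept"),
]


def evaluate(pkt: Packet, rules: Sequence[Rule] = DMZ_RULESET) -> str:
    """Return the action of the first matching rule, or 'drop' by default."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "drop"


def exposed_ports(rules: Sequence[Rule], host: str,
                  probe_ports: Sequence[int] = (22, 80, 443, 3306)) -> List[int]:
    """Ports of `host` on which an outside address can open a connection."""
    return [p for p in probe_ports
            if evaluate(Packet(OUTSIDE_HOST, host, p), rules) == "accept"]


def dmz_isolated(rules: Sequence[Rule], dmz_host: str,
                 internal_hosts: Sequence[str] = ("10.0.0.5",),
                 probe_ports: Sequence[int] = (22, 445, 3389)) -> bool:
    """True if a (possibly compromised) DMZ host cannot reach any internal host."""
    return all(evaluate(Packet(dmz_host, h, p), rules) == "drop"
               for h in internal_hosts for p in probe_ports)


if __name__ == "__main__":
    for name, rules in (("dmz", DMZ_RULESET), ("wide open", WIDE_OPEN_RULESET)):
        print(f"{name}: exposed={exposed_ports(rules, WEB_SERVER)} "
              f"isolated={dmz_isolated(rules, WEB_SERVER)}")
```

Run as a script it reports the intended policy exposing only port 80 with the DMZ isolated, and the wide-open variant exposing every probed port with a path from the DMZ into the LAN. The same two checks are worth keeping as a regression test whenever the real ruleset changes, since the isolation rule is the one that makes a breach of the web server survivable.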


by davidm In reply to

Poster rated this answer.


by erikdr In reply to Where would be best to pu ...

There are two approaches: HTTP in the DMZ (and all intelligence in the intranet) or only a 'proxy' in the DMZ. Answer 2 shows an alternative proxy model, port forwarding; if you choose proxying I'd opt for a plain, standard, full reverse proxy. One of the advantages is that, because on the DMZ-internal firewall layer you ACL on IP addresses, hacking/killing of the revproxy will make it impossible for the hacker to reach the real HTTP server!
The debate between proxy or HTTP-only in the DMZ is more complex; some arguments pro and con have been given here, and for now I hope that's enough. In our Fortune-1000 company, after a 3-year discussion our region went for proxy, while another region (following the same high-level corporate policy) could opt for HTTP-only-in-DMZ. They have less functionality but lower requirements also...


<Erik> - The Netherlands


by davidm In reply to Where would be best to pu ...

This question was closed by the author
