Web Servers And Firewall Zones

Web and FTP Servers
Every network that has an internet connection is at risk of being compromised.
Whilst there are several steps that you can take to secure your LAN, the only real solution is to close your LAN to incoming traffic and restrict outgoing traffic.
However, some services such as web or FTP servers require incoming connections.
If you require these services, you will need to consider whether it is essential that these servers are part of the LAN, or whether they can be placed in a physically separate network known as a DMZ (or demilitarised zone, if you prefer its proper name).
Ideally all servers in the DMZ will be stand-alone servers, with unique logons and passwords for each server.
If you require a backup server for machines within the DMZ, then you should acquire a dedicated machine and keep the backup solution separate from the LAN backup solution.
The DMZ will come directly off the firewall, which means that there are two routes in and out of the DMZ: traffic to and from the internet, and traffic to and from the LAN.
Traffic between the DMZ and your LAN is treated totally separately from traffic between your DMZ and the internet.
Incoming traffic from the internet is routed directly to your DMZ.
Therefore, if any hacker were to compromise a machine within the DMZ, the only network they would have access to would be the DMZ.
The hacker would have little or no access to the LAN.
It would also be the case that any virus infection or other security compromise within the LAN would not be able to migrate to the DMZ.
In order for the DMZ to be effective, you will have to keep the traffic between the LAN and the DMZ to a minimum.
In the majority of cases, the only traffic required between the LAN and the DMZ is FTP.
If you do not have physical access to the servers, you will also need some sort of remote management protocol such as terminal services or VNC.
Database Servers
If your web servers require access to a database server, then you will need to consider where to place your database.
The most secure place to locate a database server is to create yet another physically separate network, called the secure zone, and to place the database server there.
The secure zone is also a physically separate network connected directly to the firewall.
The secure zone is by definition the most secure place on the network.
The only access to or from the secure zone would be the database connection from the DMZ (and from the LAN if required).
Exceptions to the Rule
The dilemma faced by network engineers is where to put the email server.
It requires an SMTP connection to the internet, yet it also requires domain access from the LAN.
If you were to place this server in the DMZ, the domain traffic would compromise the integrity of the DMZ, making it simply an extension of the LAN.
Therefore, in our opinion, the only place you can put an email server is on the LAN, and allow SMTP traffic into this server.
However, we would recommend against allowing any form of HTTP access into this server.
If your users require access to their mail from outside the network, it would be far more secure to look at some form of VPN solution, with the firewall handling the VPN connections.
LAN-based VPN servers allow the VPN traffic onto the network before it is authenticated, which is never a good thing.
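As an added illustration (not from the original article), the following Python models the zone design described above as a default-deny rule table and checks it for the isolation properties the design depends on: nothing initiated from the DMZ into the LAN, only the database connection into the secure zone, and only SMTP from the internet into the LAN. Zone names, port numbers and the checks themselves are assumptions chosen for the example.

```python
# Added illustration of the zone design; not the article's own configuration.
# Zone names, port numbers (HTTP/S, FTP, RDP, PostgreSQL, SMTP) and the
# invariant checks are assumptions chosen for this example.
from dataclasses import dataclass

INTERNET, LAN, DMZ, SECURE = "internet", "lan", "dmz", "secure"
DB_PORT = 5432  # assumed database port used in the secure zone


@dataclass(frozen=True)
class Rule:
    src: str   # zone that initiates the TCP connection
    dst: str   # zone that accepts it
    port: int  # destination port


# Default-deny policy: a connection may be initiated only if a Rule lists it.
# Reply packets are handled by the stateful firewall's connection tracking,
# so no reverse rules are needed.
POLICY = [
    Rule(INTERNET, DMZ, 80), Rule(INTERNET, DMZ, 443), Rule(INTERNET, DMZ, 21),
    Rule(LAN, DMZ, 21),          # FTP is the only routine LAN -> DMZ traffic
    Rule(LAN, DMZ, 3389),        # remote management when there is no physical access
    Rule(DMZ, SECURE, DB_PORT),  # the web tier's database connection
    Rule(LAN, SECURE, DB_PORT),  # optional LAN access to the database
    Rule(INTERNET, LAN, 25),     # SMTP to the mail server kept on the LAN
]


def allowed(src, dst, port, policy=POLICY):
    """True if the policy permits the src zone to open a connection to dst:port."""
    return Rule(src, dst, port) in policy


def violations(policy):
    """Return findings for rules that break the isolation the design relies on."""
    findings = []
    for r in policy:
        if r.src == DMZ and r.dst == LAN:
            findings.append(f"DMZ -> LAN:{r.port} lets a compromised DMZ host reach the LAN")
        if r.dst == SECURE and (r.src == INTERNET or r.port != DB_PORT):
            findings.append(f"{r.src} -> SECURE:{r.port} is not the database connection")
        if r.src == INTERNET and r.dst == LAN and r.port != 25:
            findings.append(f"internet -> LAN:{r.port} exposes the LAN beyond SMTP")
    return findings


if __name__ == "__main__":
    print(allowed(INTERNET, DMZ, 443), allowed(DMZ, LAN, 445))  # True False
    print(violations(POLICY + [Rule(INTERNET, LAN, 443)]))  # the HTTP-into-mail case
```

Adding a rule such as HTTP from the internet to the LAN mail server produces a finding, which is the check a reviewer would want before the firewall change goes live.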