July 6, 2008 03:23am pdt

1. meverest 237,566
2. tedbilly 113,314
3. RubalJ 102,013
4. Dave_Dietz 93,231
5. Abs_jaipur 49,055
6. TechSoEasy 40,600
7. LeeDerby... 34,573
8. hielo 29,350
9. harperse 27,720
10. Sembee 26,152
11. tigermatt 25,050
12. pcsmitpra 24,975
13. Robbie_L... 24,560
14. kieran_b 22,495
15. mihapi 22,150

1. Dave_Dietz 1,494,609
2. meverest 1,352,258
3. humeniuk 243,743
4. tedbilly 201,882
5. Sembee 199,472
6. dnojcd 164,736
7. DireOrbAnt 155,014
8. Chris-Dent 148,792
9. alimu 147,067
10. AndresM 142,147
11. harperse 137,888
12. TechSoEasy 125,194
13. Silvers5 118,933
14. RubalJ 102,513
15. fz2hqs 98,692

03.16.2008 at 01:20PM PDT, ID: 23245615

	[x] Attachment Details

[x]

The Solution Rating System

With so many solutions, how can you tell which solutions are most likely to help you and which ones are not? To provide you with a tool to use, we rate our solutions based on various elements that most accurately determine if a solution is a quality solution. To explain what factors affect the solution rating, here are the elements we take into consideration when formulating our solution rating.

The Grade of the Solution
The Zone Rank of the Expert Providing the Solution
The Number of Author and Expert Comments
The Number of Experts Contributing
The Feedback of the Community

Your Input Matters
Because of the way the system is set up, the most important variable in this equation is you. As a member of Experts Exchange, you are able to cast your vote on the quality of the solutions in regard to how complete, accurate, helpful and easy to understand each solution is. When you provide your feedback, each rating is adjusted accordingly. So, if you see a solution that has a poor rating that you think is a good solution, let us know by rating it. As you do, the rating will be adjusted and will become more accurate for other members of our site.

If you have any suggestions that you would like to make for our rating system, please ask a question in the Suggestions Zone of Community Support.

Thank you!

9.8

Securing public webserver - Firewall, AV, ISA

Zones: Microsoft IIS Web Server, Watchguard Firewall

Tags: Microsoft, Windows Server 2003, Web Edition

Hi Experts,

We just completed setting up our new SBS 2003 box and firewall. Now it's time to work on the public webserver. Planning to have a Dell server running Windows Server 2003 Web Edition to host our ASP website. SQL sits on our SBS box. Our firewall is WatchGuard X55e (which was a DMZ port on it).

Questions:
1. Is anti-virus needed on the webserver box?
1.1 If yes, will it run on the Web Edition (we'll use Trend Micro)?

2. Connection to our SBS box.
2.1 Do we open SQL port on the firewall between the DMZ and the SBS ports?
Internet --- firewall --- ISA --- SBS --- LAN
|------DMZ------web server

2.2 Or do add another firewall on the 2nd NIC (on the webserver) and pass data back/forth that way?

3. Port 80 and 443 need to go to web server. I currently have port 443 also going to SBS (for RWW, OWA, and sharepoint). Are there any concerns or issues with having this port open to both DMZ and LAN?

4. Is there any advantage to puting ISA on the webserver? Or is that just overkill?

Thank you so much for your help.

Start your free trial to view this solution

Question Stats

Zone: Software

Question Asked By: tonyamork

Solution Provided By: meverest

Participating Experts: 2

Solution Grade: A

Translate:

Loading Advertisement...

Microsoft

Internet Protocols
Applications

Development
OS

Hardware
Windows Security

Apple

Operating Systems
Hardware

Programming
Networking

Software

Internet

Search Engines
File Sharing
WebTrends / Stats
Spy / Ad Blockers

Web Browsers
New Net Users
Web Development
Chat / IM

Anti Spam
Web Servers
Anti-Virus
Email Clients

Gamers

Tips
Online / MMORPG
Puzzle
Emulators

Action / Adventure
Role Playing
Consoles
Game Programming

Strategy
Sports
Misc
Computer Games

Digital Living

Hardware
New Net Users
New Users

Software
Digital Music
Gaming World

Home Security
Apple
Networking Hardware

Virus & Spyware

Vulnerabilities
IDS
Encryption
Anti-Virus

Operating Systems Security
Software Firewalls
WebApplications
Cell Phones

Operating Systems
Internet
Hardware Firewalls

Hardware

Handhelds / PDAs
Displays / Monitors
Components
Networking Hardware

Peripherals
Laptops/Notebooks
Storage
Servers

Desktops
New Users
Misc
Apple

Software

System Utilities
Industry Specific
Network Management
Photos / Graphics
Page Layout
VMWare
Misc
Web Development

OS
CYGWIN
Voice Recognition
Message Queue
Quality Assurance
Security
Firewalls
MultiMedia Applications

Development
Database
Office / Productivity
Business Management
OS/2 Apps
Server Software
Internet / Email

ITPro

OS
Storage
Encryption
Operating Systems Security
Apple Hardware
Laptops & Notebooks
Servers
Networking Hardware
Peripherals

Devices
Displays / Monitors
WebTrends / Stats
Search Engines
Firewalls
WebApplications
IDS
Vulnerabilities
Email Clients

File Sharing
Spy / Ad Blockers
Web Browsers
Web Servers
Networking
Anti-Virus
Chat / IM
Anti Spam

Developer

Web Servers
Web Browsers
Game Programming
Dev Tools
Industry Specific
Office / Productivity

Database
CYGWIN
Web Development
Search Engines
File Sharing
WebTrends / Stats

Programming
Content Management
Application Servers
Protocols

Storage

Removable Backup Media
Storage Technology
Servers

Grid
Remote Access
Backup / Restore

Misc
Hard Drives

Miscellaneous
Security
Development
Linux
VMWare

MainFrame OS
Unix
Apple
OS / 2
AS / 400

BeOS
Microsoft
VMS / OpenVMS

Database

Oracle
Miscellaneous
MySQL
Software
Sybase
Contact Management
PostgreSQL
Data Manipulation
Clarion
InterSystems Cache

Siebel
MUMPS
OLAP
SQLBase
SAS
GIS & GPS
4GL
Berkeley DB
DB2
Informix

Interbase / Firebird
FoxPro
Reporting
LDAP
Filemaker Pro
MS SQL Server
dBase
MS Access

Security

Misc
Web Browsers
Software Firewalls
Operating Systems Security
File Sharing

Spy / Ad Blockers
Vulnerabilities
WebApplications
IDS
Anti-Virus

Encryption
Anti Spam
Email Clients
VPN
Chat / IM

Programming

Editors IDEs
Installation
Handhelds / PDAs
Multimedia Programming
System / Kernel

Algorithms
Game
Signal Processing
Project Management
Open Source

Database
Misc
Languages
Processor Platforms
Theory

Web Development

Scripting
Blogs
Web Servers
Software
Search Engines
Web Graphics
Images

Internet Marketing
Images and Photos
Components
Document Imaging
Web Languages/Standards
Illustration
WebApplications

Fonts
WebTrends / Stats
Authoring
Digital Camera Software
Miscellaneous

Networking

Protocols
Apple Networking
Network Management
Message Queue
Application Servers
Content Management
File Servers
Email Servers
Misc
Java Editors & IDEs

Wireless
Networking Hardware
Backup / Restore
System Utilities
ISPs & Hosting
Web Servers
Storage Technology
Removable Backup Media
Servers
Broadband

Grid
OS / 2
Novell Netware
Unix Networking
Windows Networking
Security
Telecommunications
Operating Systems
Linux Networking

Other

Community Advisor
Lounge
Community Support
New Net Users

Philosophy / Religion
Math / Science
Miscellaneous
URLs

Expert Lounge
Politics
Puzzles / Riddles

Community Support

Suggestions
New to EE
New Topics
Community Advisor

CleanUp
Announcements
General

Feedback
Input
EE Bugs

03.16.2008 at 02:08PM PDT, ID: 21138498

paradoxengine:

1) there's no actual best practice there. An antivirus is a performance killer, and you should not need it on a web server (well, if you don't have file upload and sharing at least).But an antivirus is good on any windows machine. I'd say no.

2) It depends on the volume of data. You might want to let the db and web server being on a separate network to lessen the workload on your firewall. Add that to the fact that you could achieve "better security" having the link between the web server and the db not reacheable from the internet. In my experience, however, most hacks happen at the web application level so there's no difference at all in the firewall configurations.

3) I don't get the question. As soon as you have multiple external IPs (obviously), you're ok.

4) I'd say it s just overkill. Remember, when it comes to web applications, your money is better spent (much much much better spent) in penetration testing and code auditing than in pointless firewalling. Statistics tell us most hacks are on custom webapp, not anymore at the operating system level.

03.16.2008 at 04:30PM PDT, ID: 21139005

tonyamork:

paradoxengine

1) Ok. Our firewall does virus checking as well. Maybe that's enough.

2) Traffic is minimual currently. I could always add another firewall in the future if I need to offload the traffic.

3) I have 1 static ip coming into the firewall and then each server has its own IP address for its network (and on different subnets). I'm concerned that traffic flowing in for the webserver on port 443 could also be exposed to our SBS as it's open to it as well. I'd like to have (2) static ips and direct traffic that way; however, I don't think our firewall (WatchGuard X55e) accepts 2 static ips. Is this a valid concern? Is there a way to sniff the traffic to know extranet.domain.com traffic should go to the SBS server while others go to the webserver, i.e .when using Port 443?

4) Ok. Can statistical apps that track web usage and traffic run on Web Edition? Or do they require Standard Edition?

Thank you, Tonya

03.16.2008 at 04:35PM PDT, ID: 21139026

Rank: Genius

meverest:

my own opinions:

1) No, but it may help avoid disaster
1.1) Sure

2.1) you will generally only need to open the sql server port from dmz to lan. the other way around is generally enabledby default.
2.2) as above - depends on the load. I'd do it through the router to begin with, and just monitor the load.

3) if you have *anything* open to the internet, then - strictly speaking - it should live on the DMZ. Allowing any inbound access to your lan defeats the purpose of having dmz to begin with.

4) yes (it is NOT overkill) - running ISA on the server in the DMZ will allow you to open up those web ports of your SBS to the internet in a more controlled manner: i.e. reverse proxy the OWA and sharepoint services via the ISA.

Cheers.

Accepted Solution

03.16.2008 at 04:45PM PDT, ID: 21139062

paradoxengine:

2) I agree with meverest about load monitoring to begin with.

3) I think we've got something wrong here. You cannot do port based network translation on the same port for two different ips, so you either change one of the ports (say: https://extranet.domain.com:444 -> internal.ip.of.SBS:443 but it means you have to tell all your clients to use the new port) or you get another IP (and possibly another firewall,
I don't know about the X55e sorry, but opensource solutions like pfsense have multiip support.. think about that ;=) ).

OR (4) you could do reverse proxy (since domain related information is at the application level) , like meverest suggests. If you use ISA for reverse proxying, then it's worth it, otherwise it is useless to have another firewall in place IMNSHO.Anyway, if you only want to do reverse proxy (and maybe want to add some neat security feature) you could deploy a linux box with apache and mod-proxy. Throw mod-security in and you've got a nice plus.. but that's not what you're asking here I feel :)

Assisted Solution

03.16.2008 at 04:45PM PDT, ID: 21139063

tonyamork:

SBS question:

3) "if you have *anything* open to the internet, then - strictly speaking - it should live on the DMZ. Allowing any inbound access to your lan defeats the purpose of having dmz to begin with."
Port 443 currently flows firewall --- ISA --- SBS for RWW, OWA, and sharepoint. Per the statement above, should it then flow instead to the DMZ and then be redirected to the SBS for those services? Is this a more safe approach? Or is the current configuration safe enough, since I'm using iSA on the SBS box?

03.16.2008 at 05:05PM PDT, ID: 21139127

tonyamork:

paradoxengine,

Looks like we were both typing at the same time. I posted my after you. But looks like you answered my #3 question well.

20080236-EE-VQP-29 / EE_QW_2_20070628