
Where do we put our webserver?

    | Internet |
    ------------       -----------
    |  Pix 515 |-------|  Proxy  |
    ------------       -----------
    | Internal Servers |

We are looking at 2 options for our network.  Firstly, to put a proxy/security software on a server in a DMZ to add enhanced security to our network.  This would be used for SMTP/HTTP requests.  Our SMTP and web server would reside as internal servers.  

The other option we have considered is putting our web server in the DMZ and have it proxy only the SMTP traffic.  Either way the website has to make calls to a SQL server to retrieve info that will be in our internal network.  

I'd like to know if one way is better than the other (for security) and what products would be recommended.  This will be a low-hit website (no more than 1000 hits/day) so we are not looking at spending huge $.  Bonuses will be given for detail.  Because of cost factors we can only have 1 DMZ.


I should add I would look at alternative solutions as well!!!


I suggest using the proxy solution, 'cause you only have SMTP and HTTP services open to the internal net. And these services may use a port other than the standard one (25, 80) to improve security.
If you put the webserver in the DMZ you need SQL services enabled at the firewall too.
A more secure solution might be to have a copy of your SQL server in the DMZ, but that's not a low-cost solution.

You should put web and mail gateways in your DMZ, and have your Proxy server inside.
By mail gateway I mean either the IMS component of Exchange, or some sort of mail scanner.  This keeps all the nasty crap out of your network.
Although PIX is cheap, it's certainly not the cheapest.
You may want to consider a PIX506 - $2000, which is 10Mbs only, but adequate for most small Internet pipes, as opposed to PIX515 ($3000).
Going lower down into the Cisco range, something like the 800 router series with IOS firewall feature set would be perfectly adequate too.
It all boils down to budget.
Other firewalls in this price range are Netscreen 100, Nokia IP110, or something from the Watchguard range.
I am assuming that you are an MS shop because of SQL Server.

How about ..

   __ Web Servers
   __ Mail Bridgehead
  MS ISA Server
Internal Network

MS ISA Server gives you a proxy and can also be configured to act as a firewall.  You then get a proper DMZ, a zone between two firewalls.  (Now we don't necessarily take Microsoft seriously when they talk about security, but as you have to dual-port the proxy you may as well double up on the firewall use.)  You get the added bonus of diversity in your firewalls for additional security.  You do have some headaches about trust relationships between systems in the DMZ and internally, but that is always a problem.

Make sure that access to a system in a DMZ cannot give any rights to access any internal systems.  For SQL Server you will either have to hide and encrypt the database passwords or fudge the NT SQL authentication and have matching local accounts on your web and SQL servers.

You should also harden the SQL server and make sure that any accounts that you use from the web servers have low privileges.  See here for explanation of what can happen if you don't ...


Hope this helps


I agree with toni about the configuration, but I'd rather set things up this way:

   +--- Web Servers (DMZ)
   +--- MS SMTP Service (IIS)
   +--- SQL Server (DMZ)
ISA Server
   +--- Mail Server
   +--- SQL Server
Intranet (LAN)

The SQL server in the DMZ won't be visible from the internet since it's shielded out by the PIX. The SQL server residing on the intranet will have a scheduled replication job so that it will routinely exchange data with the DMZ database, but the "private" SQL server will be completely shielded out by the ISA server. The Mail Server will route all its mail through the DMZ SMTP server, which will also accept incoming mail and route it to the internal mail server.

This way the only ports You need to open on the PIX will be 80 (web) and 25 (SMTP), and only for the DMZ servers, while the ISA server will have only port 25 open (only for the DMZ SMTP machine) to allow inbound mail routing.


I forgot one thing: if the DMZ SQL is a low-volume database You could use the MSDE engine on the DMZ machine, this will lower costs; and while I'm at it, instead of the PIX You could use a cheaper firewall. These days You can find lots of Linux-based "black boxes" which work really well as first-level firewalls; one of these is the Firebox, take a look here: http://www.watchguard.com/products/firebox.asp

Good Luck
Looks OK if you have to communicate between databases - always a problem.  If you do have SQL server communicating inbound across the inner firewall then be sure to harden the internal boxes as well as those in the DMZ.  

Well, not exactly: the DMZ database server (SQL Server or MSDE) won't be visible from the internet. In any case, the connection between the DMZ SQL Server and the internal SQL server is NOT driven by the DMZ server; the internal SQL server carries on the connection and the replication jobs. This way there's no need to open port 1433 on the internal firewall -AND- the internal SQL server won't be visible from the DMZ (and obviously from the internet).


Hi there,
here is a setup which maybe you can use.

Internet-->Router with basic firewall-->Firewall-->Proxy
                                         DMZ |         |
                                    Frontend SVR   Backend SVR
Any further question, let me know.


OK... I truly apologize for not responding faster... We already have a PIX 515 in production.  We can only have 1 SQL server and it houses other sensitive info, so I would prefer to keep it on the internal network; internal security we'll worry about.  We own a server box that is intended for the webserver.  We are going to buy SecureIIS.  Some of these decisions I have no say in as they are done already.  Here's what I proposed:

Put an IIS server in the DMZ which accepts SMTP and HTTP traffic (basically to proxy requests).  Alter the ports this server uses to talk to the internal servers.  Have the production webserver, email server and SQL server in the internal network, secured by locking down the IUser account internally as well as putting SecureIIS on the internal webserver.

Getting a second firewall is probably out of the question at this point, but I am open to all comments and suggestions.




I suggest an alternative:

Install MSDE onto the DMZ server.

Create one or more data replication jobs on the internal SQL server to populate the MSDE database(s). This way the SQL server connection will be one-way, that is from the internal SQL server (containing sensitive info) to the DMZ MSDE server, which will contain only the needed info.

Install/configure the MS SMTP server onto the DMZ server and set it up to route the traffic from/to the internal SMTP server.

Now lock down the DMZ server to the maximum (install IISLockdown, UrlScan and some kind of AV software) and establish the correct rules for the DMZ servers so that SMTP will work and SQL connections will be allowed only from the intranet to the MSDE server.

As a last note (I said it before), the MSDE server for the DMZ machine won't cost You a penny, so I think it shouldn't be a problem installing it (and You can manage it using the SQL console of the internal SQL server).
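A small model of the two-firewall rule set sketched in this thread (an added example, not code from any poster): it encodes the PIX and ISA permits described above, works out which firewall(s) a new connection must cross, and checks the two invariants the posters rely on, namely that nothing from the internet reaches the LAN and that no DMZ host can open SQL (1433) towards the internal SQL server, while the LAN-initiated replication still passes. Host names are constructed for the example.

```python
from dataclasses import dataclass

# Zones from outside in; the PIX separates the first pair, the ISA server the
# second, mirroring the two-firewall layout proposed above.
ZONES = ["internet", "dmz", "lan"]
FIREWALLS = ["pix", "isa"]

# Constructed host names (not from the thread).
DMZ_BOX = "dmz-iis"    # IIS + MS SMTP service + MSDE on the single DMZ server
LAN_SQL = "lan-sql"    # internal SQL Server holding the sensitive data
LAN_MAIL = "lan-mail"  # internal mail server
HOST_ZONE = {DMZ_BOX: "dmz", LAN_SQL: "lan", LAN_MAIL: "lan",
             "internet": "internet"}

@dataclass(frozen=True)
class Rule:
    firewall: str  # firewall carrying the permit
    src_zone: str  # zone the connection is initiated from
    dst_host: str  # destination host (or "internet")
    port: int      # TCP destination port

# The proposal: 80/25 inbound on the PIX to the DMZ box only, 25 both ways on
# the ISA for the mail relay, and 1433 initiated only from the LAN so the
# replication job runs without exposing the internal SQL server.
POLICY = [
    Rule("pix", "internet", DMZ_BOX, 80),
    Rule("pix", "internet", DMZ_BOX, 25),
    Rule("pix", "dmz", "internet", 25),  # relay delivers outbound mail
    Rule("isa", "dmz", LAN_MAIL, 25),    # relay hands inbound mail to LAN
    Rule("isa", "lan", DMZ_BOX, 25),     # LAN mail server sends via relay
    Rule("isa", "lan", DMZ_BOX, 1433),   # internal SQL -> MSDE replication
]

def firewalls_crossed(src_zone, dst_zone):
    """Firewalls on the path between two zones. Stateful firewalls imply the
    reply direction, so only the initiating direction needs a permit."""
    lo, hi = sorted((ZONES.index(src_zone), ZONES.index(dst_zone)))
    return FIREWALLS[lo:hi]

def allowed(src_zone, dst_host, port, policy=POLICY):
    """True only if every firewall on the path has a matching permit."""
    return all(Rule(fw, src_zone, dst_host, port) in policy
               for fw in firewalls_crossed(src_zone, HOST_ZONE[dst_host]))

def audit(policy):
    """List permits that violate the thread's two invariants."""
    findings = []
    for r in policy:
        if HOST_ZONE[r.dst_host] == "lan" and r.src_zone == "internet":
            findings.append(f"{r.firewall}: internet -> {r.dst_host}:{r.port}")
        if HOST_ZONE[r.dst_host] == "lan" and r.src_zone == "dmz" and r.port == 1433:
            findings.append(f"{r.firewall}: DMZ may open SQL to {r.dst_host}")
    return findings
```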



More pics on the web at MS, with more lengthy discussion, e.g.:

"Network Infrastructure Design"
(place webservers in DMZ)

"Firewall Design"

"Deploying the Firewalls"
(also contains lengthy discussion on "Failover on the Cisco PIX 515")

"Microsoft Internet Security and Acceleration Server 2000 (ISA) Technical Overview"
(lengthy, more detailed on web proxy and extended geography)

"Deploying Operations Manager"

(as for me, this late in the thread I will leave the detailed part to MS & prior comments)
re:> Put an IIS server in the dmz which accepts SMTP and HTTP traffic (basically to proxy requests).  

IMO, for any security function (e.g. proxy) a separation should be made for H/W.

For any MS application, it should be the only application on the machine. So I would separate SMTP from HTTP as well. You've already separated SQL and Mail, hats off to you, those are usually the first ones missed. But the closer you get to the internet, the more important the separation for security reasons (more so than stability/reliability).



Well, although it's taken forever for the decisions to be made, we are going with an IIS server in the DMZ.  The IIS will have the website and will proxy the SMTP mail to the internal mail server.  The web server is going to use the .NET framework and call .dll's (read-only access) to specific parts of the internal SQL box.  We have hardened IIS with SecureIIS.

Thanks for your patience and I appreciate all of the comments.
