What are the Pros and Cons of web development in the DMZ?

emcadoret
We recently moved our web development server (Sun Solaris) to the DMZ.  We use this server for all of our PUBLIC web development.  The server used to be behind the firewall and now it's in the DMZ.

Are there any best practices for having your public development server in the DMZ?

What are the pros and cons of taking it from behind the firewall and placing it in the DMZ?

Thanks,
EMC
Top Expert 2005
Commented:
Whether a web server should be in a DMZ or not depends, to some degree, on how you define a DMZ. To me, a DMZ is a network segment that is protected almost as well as the network behind a firewall. This can be done by protecting the DMZ with a firewall, or by applying access lists on the border router. The firewall method is slightly better as firewalls normally include stateful inspection of the traffic. In either case only those ports related to services that the DMZ servers offer to the Internet (typically 25/tcp, 53/tcp, 53/udp, 80/tcp, 443/tcp and maybe the FTP ports) are allowed in-bound to the DMZ server(s).

Whether the server is in the DMZ or inside of a firewall it needs to be set up with good security practices in mind. This means religiously keeping the box up to date with respect to security updates, only enabling those services that are absolutely required, and limiting the number of user accounts to the minimum (and make sure that those have really good passwords). Good security practices also mandate not having any of the insecure protocols available (like telnet, rsh, rlogin, ftp, etc.) that don't use encrypted data streams. The need for those is eliminated by installing OpenSSH on the server. If FTP is required, it needs to be implemented via NcFTPD or ProFTP and that service configured to use usernames/passwords that aren't Solaris accounts and upload/download dirs chrooted. Oh yes, you also need to be running tripwire on the server to detect unauthorized changes to critical utilities and data files, and it's not a bad idea to also set up a DMZ system to run an IDS (Snort or similar).

The advantage to having the web server in the DMZ is that a successful penetration of the web server doesn't necessarily lead to a compromise of the systems behind the firewall. However, if good security practices aren't followed, it's possible for an attacker to gain access to the web server in the DMZ and then gain access to a system inside of the firewall. This presumes that the web server doesn't need access to some other system, like a database server. If that's required, the DB server (or any other system that the web server must open a connection to) must also be located in the DMZ and secured in the same manner.

The disadvantages of locating a system in the DMZ are that it is harder to manage and monitor, and that the system(s) need to be completely standalone with their own backup devices & S/W.
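The three-zone design jlevie describes (only the offered service ports inbound from the Internet, admin access from the LAN, and no connections initiated from the DMZ into the LAN) as an added policy model; this is illustration code, not from the thread, and the addresses, zone names and rule table are constructed for the example.

```python
"""Model of a three-zone firewall policy: INTERNET -> DMZ -> LAN.
Addresses, zones and rules are constructed for this example."""
import ipaddress

# Constructed address plan: the DMZ is its own segment behind the firewall.
ZONES = {
    "DMZ": ipaddress.ip_network("192.0.2.0/24"),
    "LAN": ipaddress.ip_network("10.10.0.0/16"),
}

# First matching rule wins; anything that matches nothing is denied.
# Entries: (src_zone, dst_zone, proto or None, dst_port or None, action)
RULES = [
    # Only the services the DMZ host offers to the Internet are reachable inbound.
    ("INTERNET", "DMZ", "tcp", 80, "allow"),
    ("INTERNET", "DMZ", "tcp", 443, "allow"),
    ("INTERNET", "DMZ", "tcp", 25, "allow"),
    ("INTERNET", "DMZ", "tcp", 53, "allow"),
    ("INTERNET", "DMZ", "udp", 53, "allow"),
    # Administration of DMZ hosts happens from the LAN over SSH only.
    ("LAN", "DMZ", "tcp", 22, "allow"),
    # A compromised DMZ host must not be able to open connections into the LAN,
    # which is why a DB server the web server needs has to live in the DMZ too.
    ("DMZ", "LAN", None, None, "deny"),
]


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the known segments is INTERNET."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "INTERNET"


def evaluate(src_ip: str, dst_ip: str, proto: str, dport: int) -> str:
    """Return 'allow' or 'deny' for a new connection attempt (default deny)."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for r_src, r_dst, r_proto, r_port, action in RULES:
        if (r_src, r_dst) != (src, dst):
            continue
        if r_proto is not None and r_proto != proto:
            continue
        if r_port is not None and r_port != dport:
            continue
        return action
    return "deny"
```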
Top Expert 2007
Commented:
As jlevie said, it depends on what you define as a DMZ.  

Strictly speaking, a DMZ is the zone outside your front firewall (which sounds like what you are talking about in this instance).

That being the case, I think you'd have to be crazy to have a development box sit out in the open to be scanned/cracked by the great unwashed.

Typically a development box has relatively lax security, is not stripped and has all sorts of useful tools that hackers find useful.

Gabriel Orozco, Solution Architect
Commented:
mmhh..
a DMZ can be BEHIND the firewall, but on another network segment. if some attacker can get into that box, and that box is in the DMZ, then your LAN is still safe. but if your box is on your LAN side (a two-way firewall) then if somebody can exploit a newly discovered overflow in your web development box, such an attacker will be in your own LAN. And we know how typical it is that the LAN is not very secure.

Commented:

generally speaking, anything you share with the public should 'at least' be on a DMZ if you can't give it its own dedicated firewall. Once you make something visible to the public you must assume the worst case scenario. In your case, what can they do from the DMZ - hopefully with strict rules and strong policies on the firewall and access methods, not much, but if it's on your LAN...well, your LAN is the hacker's oyster!

the other benefit of using DMZs is you can control access to these devices from your internal LAN to authorised personnel only. This means customers' details can only be viewed by authorised staff and if another employee downloads a virus your customer service/systems are protected because of the extra layer.

I worked in some massive corps and treating internal LANs as hostile as well as the internet has become the norm because this is where 70%+ of attacks are coming from.
Gabriel Orozco, Solution Architect

Commented:
What I do is this:
I set up the general firewall, which has the DMZ interface. every access is done through the firewall, but the box that's in the DMZ has its internal firewall also, so it is offering only what it's intended to offer.

Commented:

No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question is:

Points split jlevie, Tintin, Redimdo & tmehmet

Please leave any comments here within the next seven days.

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

liddler
EE Cleanup Volunteer
