

Farm of servers connected to internet behind firewall security risk

Posted on 2003-02-24
Medium Priority
Last Modified: 2013-11-16
Security-wise, what is the risk on a farm of servers (database or application, UNIX or Microsoft OS) if I connect them to the internet behind a firewall (PIX or else) on the internal interface, with an access-list denying all traffic from anywhere except one internet user on the DMZ? What about viruses, worms, etc.? Is there any advice or recommendation? What can I do on the main access point (internet router) as a first step for defense?
Question by:Fact

Accepted Solution

Dave Howe earned 112 total points
ID: 8007844
This sounds very much like best practice. The normal design of a basic DMZ setup is a single firewall, with one "external" internet-facing interface, one "internal" LAN-facing interface, and one "dmz" server farm interface. You should allow inbound from the internet only those protocols you are supporting on the servers; you should allow outbound only what is required (FTP can often be "smart" handled by the firewall), and you should be only marginally more trusting of DMZ hosts than of the internet itself.
If you run NT, do *not* split a domain across the two: make a separate domain for any NT boxen in the DMZ, and set up a trust relationship. Lock down RPC to a small range of channels, allow DMZ hosts read-only access to selected portions of LAN hosts, build a separate dir that DMZ hosts have write access to (one per DMZ host, not the main shared dir), and where possible use MTS to run components on the LAN rather than opening additional ports per service.
If you run Unix (and Solaris + Apache is probably the best combo out there for web serving, provided your designers aren't addicted to ActiveX components or ASP), then don't allow remote mounts through the firewall; use FTP (or better yet, scp) to push or pull from the LAN side to the DMZ (rather than allowing inbound access), and if you must have an inbound command path, make it SSH running a custom binary (not a true shell), remove tunnel and sftp support, and if possible run it as its own dedicated sshd on a non-standard port, so that you don't ever have to change config on it to allow more liberal access from non-DMZ hosts.

Assisted Solution

cococan earned 108 total points
ID: 8010689
Well, even though there is not enough information here, I can say this in confidence: your security depends on the firewalls and the users/administrators of the servers. First of all, no surfing or any internet activity should be allowed at the servers. In other words, no one should be allowed to be in a position to get something from the internet and execute it on the servers. This is the only way a virus can infect the servers. This doesn't mean that the virus cannot reside on the server! It will not infect the server, that is all. On the other hand, the user workstations may get infected if the users get their hands on the virus-contaminated file(s)!
Since I don't know the level of your knowledge in this arena, I don't want to go into too much detail, but if you have any questions, get back to me; I will gladly explain further in detail.
DMZ; that is tricky. I didn't go through the comments, but I think DaveHowe is talking about it. A DMZ is a zone where usually the Internet servers are positioned. This means that the DMZ is a place where the security is not as good as your internal LAN but not as insecure as the Internet. Some setups have 2 firewalls, one for the DMZ and one for the LAN, but what I am used to is AIX Firewall and some other systems like the old NEC firewalls with 3 interfaces (usually NICs). I don't know what you mean by "one Internet user on DMZ", but DMZ access for a hacker is better than most other ways to try to break into your network, because the DMZ to your firewall or LAN is a half-trusted zone in contrast to your Internet zone.

Experience in setting up firewalls is better than any book or manual! If too much is at stake, you should get an expert on the subject, I think!

Good luck

Huseyin K.
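The three-zone design in the accepted solution (inbound from the Internet only for the protocols the servers offer, outbound only what is required, DMZ hosts barely more trusted than the Internet) and cococan's point that the servers must never fetch anything from the Internet both come down to a default-deny rule table keyed on zone pairs. The following is an added example, not code from the thread or from any firewall vendor: it models that policy in Python and evaluates constructed connection attempts against it. The address ranges (10.0.0.0/8 for the LAN, 192.0.2.0/24 for the DMZ, everything else treated as the Internet), the port numbers and the sample flows are all assumptions for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """One connection attempt as the firewall sees it (constructed sample data)."""
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: Optional[str]   # None matches any protocol
    dport: Optional[int]   # None matches any destination port
    action: str            # "allow" or "deny"
    comment: str

    def matches(self, flow: Flow, src_zone: str, dst_zone: str) -> bool:
        return (self.src_zone == src_zone
                and self.dst_zone == dst_zone
                and (self.proto is None or self.proto == flow.proto)
                and (self.dport is None or self.dport == flow.dport))


# Assumed address plan: LAN in RFC 1918 space, DMZ in documentation space
# (TEST-NET-1); any other address is classed as the Internet ("external").
ZONES = {
    "internal": ip_network("10.0.0.0/8"),
    "dmz": ip_network("192.0.2.0/24"),
}


def zone_of(addr: str) -> str:
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "external"


# First match wins. Anything no rule matches falls through to deny, which is
# what "allow only the protocols you are supporting" means in practice.
POLICY: List[Rule] = [
    Rule("external", "dmz", "tcp", 80, "allow", "only the services the DMZ hosts actually offer"),
    Rule("external", "dmz", "tcp", 443, "allow", "only the services the DMZ hosts actually offer"),
    Rule("internal", "dmz", "tcp", 22, "allow", "LAN pushes content to the DMZ with scp; no inbound mounts"),
    Rule("dmz", "internal", "tcp", 5432, "allow", "app tier to database only, on one port (assumed)"),
    Rule("dmz", "external", None, None, "deny", "servers never browse or fetch from the Internet"),
    Rule("external", "internal", None, None, "deny", "the LAN is never reachable directly"),
]


def evaluate(flow: Flow) -> Tuple[str, str]:
    """Return (action, reason) for a flow under POLICY."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone:
        return "allow", f"intra-{src_zone} traffic does not cross the firewall"
    for rule in POLICY:
        if rule.matches(flow, src_zone, dst_zone):
            return rule.action, rule.comment
    return "deny", f"default deny ({src_zone} -> {dst_zone})"


def denied(flows: Iterable[Flow]) -> List[Tuple[Flow, str]]:
    """Collect the flows the policy rejects, with reasons, as a reviewer would want them listed."""
    out = []
    for flow in flows:
        action, reason = evaluate(flow)
        if action == "deny":
            out.append((flow, reason))
    return out


# Constructed sample flows covering each zone pair the design cares about.
SAMPLE_FLOWS = [
    Flow("198.51.100.7", "192.0.2.10", "tcp", 443),   # Internet -> DMZ web: allowed
    Flow("198.51.100.7", "192.0.2.10", "tcp", 22),    # Internet -> DMZ ssh: default deny
    Flow("198.51.100.7", "10.0.0.5", "tcp", 445),     # Internet -> LAN: explicit deny
    Flow("192.0.2.10", "198.51.100.7", "tcp", 80),    # DMZ host "surfing": explicit deny
    Flow("192.0.2.10", "10.0.0.20", "tcp", 5432),     # DMZ app -> LAN database: allowed
    Flow("192.0.2.10", "10.0.0.20", "tcp", 445),      # DMZ -> LAN file sharing: default deny
    Flow("10.0.0.5", "192.0.2.10", "tcp", 22),        # LAN pushes content to DMZ: allowed
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        action, why = evaluate(f)
        print(f"{action:5} {f.src} -> {f.dst}:{f.dport}/{f.proto}  # {why}")
```

The model is deliberately one-directional per rule: the DMZ-to-LAN database rule does not imply any LAN-to-DMZ return rule, because a stateful firewall handles reply packets for established connections, and the policy should only ever describe who may open a connection to whom.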

Expert Comment

ID: 8013674

Very good job so far!
That's exactly what any CISSP would do.
Now you should beef up the security and customize it to the specific usage needs on the network.

To do this I would start by implementing an IDS to complement the DMZ. The DMZ can be a single point of failure; maybe a padded cell system would be best with your IDS to prevent complete lockout. It will also be very helpful in providing tangible evidence in case of legal issues.

Oh, and try to stay up to date with the latest security patches... I can't count the number of times super robust networks have been clobbered by a simple exploit that had a patch available.
As a matter of fact, that super Slammer worm is a great example, one that even caused airplane flight cancellations!

Expert Comment

ID: 9954204
This question has been classified as abandoned.  I will make a recommendation to the moderators on its resolution in approximately one week.  I would appreciate any comments by the experts that would help me in making a recommendation.

It is assumed that any participant not responding to this request is no longer interested in its final disposition.

If the asker does not know how to close the question, the options are here:

EE Page Editor
