Solved

Farm of servers connected to internet behind firewall security risk

Posted on 2003-02-24
6
Medium Priority
232 Views
Last Modified: 2013-11-16
Security-wise, what is the risk to a farm of servers (database or application, UNIX or Microsoft OS) if I connect them to the internet behind a firewall (PIX or else) on the internal interface, with an access-list denying all traffic from anywhere except one internet user on the DMZ? What about viruses, worms, etc.? Is there any advice or recommendation? What can I do at the main access point (internet router) as a first step for defense?

Question by: Fact
6 Comments
 
LVL 33

Accepted Solution

by:
Dave Howe earned 112 total points
ID: 8007844
This sounds very much like best practice. The normal design of a base DMZ setup is a single firewall with one "external" internet-facing interface, one "internal" LAN-facing interface, and one "dmz" server farm interface. You should allow inbound from the internet only those protocols you are supporting on the servers; you should allow outbound only what is required (FTP can often be "smart" handled by the firewall); and you should be only marginally more trusting of DMZ hosts than of the internet itself.
If you run NT, do *not* split a domain across the two: make a separate domain for any NT boxen in the DMZ and set up a trust relationship. Lock down RPC to a small range of channels, allow DMZ hosts read-only access to selected portions of LAN hosts, build a separate directory that DMZ hosts have write access to (one per DMZ host, not the main shared directory), and where possible use MTS to run components on the LAN rather than opening additional ports per service.
If you run Unix (and Solaris + Apache is probably the best combo out there for web serving, provided your designers aren't addicted to ActiveX components or ASP), then don't allow remote mounts through the firewall; use FTP (or better yet, scp) to push or pull from the LAN side to the DMZ (rather than allowing inbound access); and if you must have an inbound command path, make it SSH running a custom binary (not a true shell), remove tunnel and SFTP support, and if possible run it as its own dedicated sshd on a non-standard port, so that you don't ever have to change its config to allow more liberal access from non-DMZ hosts.
0
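The three-interface design described in the accepted answer (internet, DMZ, LAN; inbound only the published protocols, outbound only what is required, DMZ barely more trusted than the internet) can be written down as an ordered, first-match, default-deny rule set and checked against sample flows before it is typed into a PIX or any other firewall. The block below is an added example, not code from the original thread or from any firewall vendor. The addresses (RFC 5737 documentation space for the DMZ, RFC 1918 space for the LAN), the published web server, the single database host the DMZ may reach, and the port 2222 scp path from the LAN are all constructed assumptions.

```python
"""Three-zone firewall policy (internet / dmz / lan) as a first-match, default-deny rule set.
Added example; addresses and hosts are constructed, not taken from the thread."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed sample addressing. Anything outside these two networks is "internet".
DMZ_NET = ip_network("192.0.2.0/24")   # RFC 5737 documentation range, hypothetical DMZ
LAN_NET = ip_network("10.0.0.0/8")     # RFC 1918 range, hypothetical internal LAN


def zone_of(ip: str) -> str:
    """Map an address to the firewall interface it sits behind."""
    addr = ip_address(ip)
    if addr in LAN_NET:
        return "lan"
    if addr in DMZ_NET:
        return "dmz"
    return "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str                # "tcp" or "udp"
    dport: Optional[int]      # None = any port
    dst_host: Optional[str]   # None = any host in dst_zone
    action: str               # "permit" or "deny"
    note: str


# Ordered, first match wins; any flow that falls through is denied.
POLICY: List[Rule] = [
    # Inbound from the internet: only the published service, only to the one host that serves it.
    Rule("internet", "dmz", "tcp", 80, "192.0.2.10", "permit", "published web"),
    Rule("internet", "dmz", "tcp", 443, "192.0.2.10", "permit", "published web"),
    # The LAN pushes content into the DMZ (scp to a dedicated sshd on 2222); never the reverse.
    Rule("lan", "dmz", "tcp", 2222, None, "permit", "scp push from lan"),
    # A DMZ app tier may reach exactly one LAN host on one port; everything else to the LAN is denied.
    Rule("dmz", "lan", "tcp", 1433, "10.1.1.20", "permit", "app tier to db"),
    Rule("dmz", "lan", "tcp", None, None, "deny", "no other dmz->lan"),
    Rule("dmz", "lan", "udp", None, None, "deny", "no other dmz->lan"),
    # Outbound from the DMZ only what the servers need (DNS here); no general surfing.
    Rule("dmz", "internet", "udp", 53, None, "permit", "dns"),
]


def evaluate(src_ip: str, dst_ip: str, proto: str, dport: int) -> Tuple[str, str]:
    """Return (action, note) for one flow. Traffic that stays inside a zone never
    crosses the firewall, so it is reported as permitted with a note."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone == dst_zone:
        return ("permit", "intra-zone traffic does not cross the firewall")
    for r in POLICY:
        if (r.src_zone, r.dst_zone, r.proto) != (src_zone, dst_zone, proto.lower()):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        if r.dst_host is not None and ip_address(r.dst_host) != ip_address(dst_ip):
            continue
        return (r.action, r.note)
    return ("deny", f"implicit deny {src_zone}->{dst_zone} {proto}/{dport}")


def audit(policy: List[Rule] = POLICY) -> List[str]:
    """Flag rules that contradict the design: any permit straight from the internet into
    the LAN, or an internet-sourced permit that is not pinned to a specific host."""
    findings = []
    for r in policy:
        if r.action != "permit":
            continue
        if r.src_zone == "internet" and r.dst_zone == "lan":
            findings.append(f"internet->lan permit: {r.note}")
        if r.src_zone == "internet" and r.dst_host is None:
            findings.append(f"internet permit without host restriction: {r.note}")
    return findings


if __name__ == "__main__":
    # Constructed sample flows: a client on the internet, the web server, a LAN workstation.
    for flow in [("203.0.113.5", "192.0.2.10", "tcp", 443),
                 ("203.0.113.5", "192.0.2.10", "tcp", 22),
                 ("192.0.2.10", "10.1.1.20", "tcp", 1433),
                 ("192.0.2.10", "10.1.1.21", "tcp", 445),
                 ("10.2.3.4", "192.0.2.10", "tcp", 2222)]:
        print(flow, "->", evaluate(*flow))
    print("audit findings:", audit())
```

The explicit `deny` rules for dmz->lan are redundant with the implicit deny at the end, but they record the intent ("only marginally more trusting of DMZ hosts") so that a later rule added below them cannot quietly open the LAN. `audit()` is the check to run every time the rule set changes.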
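The answer's last recommendation (a dedicated sshd on a non-standard port, no tunnel or SFTP support, and a custom binary rather than a true shell as the command path) is a small set of sshd_config directives that are easy to get wrong when the stock config is copied. The block below is an added example, not code from the thread or from OpenSSH: it parses the global section of an sshd_config text and reports which of those requirements are not met, using OpenSSH's documented defaults for directives that are absent. The two sample configs are constructed, and the `/usr/local/sbin/push-only` wrapper named in the hardened one is hypothetical (it stands for whatever restricted program handles the scp push).

```python
"""Lint an sshd_config text against the 'dedicated, restricted sshd' requirements.
Added example; sample configs are constructed, the ForceCommand wrapper is hypothetical."""
from typing import Dict, List

# OpenSSH defaults for the directives checked; used when a directive is absent.
DEFAULTS = {"port": "22", "allowtcpforwarding": "yes",
            "permittunnel": "no", "x11forwarding": "no"}
# Programs that count as a "true shell" for the ForceCommand check.
SHELLS = {"/bin/sh", "/bin/bash", "/bin/ksh", "/bin/csh", "/bin/zsh", "/usr/bin/bash"}


def parse_sshd_config(text: str) -> Dict[str, List[str]]:
    """Return directive -> list of values from the global section (keys lower-cased).
    Stops at the first Match block, since those are conditional and need their own review."""
    conf: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        conf.setdefault(key, []).append(value)
    return conf


def lint_dedicated_sshd(text: str) -> List[str]:
    """Return a list of findings; an empty list means every requirement is met."""
    conf = parse_sshd_config(text)

    def first(key: str) -> str:
        return conf.get(key, [DEFAULTS.get(key, "")])[0].lower()

    findings = []
    if first("port") == "22":
        findings.append("Port is 22: run the push/pull sshd on its own non-standard port")
    if first("allowtcpforwarding") != "no":
        findings.append("AllowTcpForwarding is not 'no': port forwarding through the DMZ host is possible")
    if first("permittunnel") != "no":
        findings.append("PermitTunnel is not 'no': tun device tunnelling is possible")
    if first("x11forwarding") != "no":
        findings.append("X11Forwarding is not 'no'")
    if any(v.split()[0].lower() == "sftp" for v in conf.get("subsystem", []) if v):
        findings.append("Subsystem sftp is enabled: remove it and use scp push/pull only")
    force_cmd = conf.get("forcecommand", [""])[0]
    if not force_cmd:
        findings.append("No ForceCommand: an authenticated session gets a real shell")
    elif force_cmd.split()[0] in SHELLS:
        findings.append(f"ForceCommand runs a true shell ({force_cmd.split()[0]})")
    return findings


# Constructed sample: a config that looks like a stock distribution file.
WEAK_CONFIG = """
Port 22
AllowTcpForwarding yes
Subsystem sftp /usr/lib/openssh/sftp-server
X11Forwarding yes
"""

# Constructed sample: the dedicated push/pull daemon. /usr/local/sbin/push-only is a
# hypothetical wrapper that only permits the scp invocation the LAN side needs.
HARDENED_CONFIG = """
Port 2222                      # non-standard port, separate from the host's normal sshd
ListenAddress 192.0.2.10       # hypothetical DMZ host address
PidFile /var/run/sshd-push.pid
AllowUsers pusher              # one dedicated account for the push path
AllowTcpForwarding no
PermitTunnel no
X11Forwarding no
ForceCommand /usr/local/sbin/push-only
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "->", lint_dedicated_sshd(cfg) or ["ok"])
```

Running the two daemons from separate config files (the `-f` option of sshd) is what lets the restricted one keep this policy untouched while the host's ordinary sshd, if any, is adjusted for LAN administrators.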
 
LVL 3

Assisted Solution

by:cococan
cococan earned 108 total points
ID: 8010689
Well, even though there is not enough information here, I can say this in confidence: your security depends on the firewalls and the users/administrators of the servers. First of all, no surfing or any internet activity should be allowed at the servers. In other words, no one should be allowed to be in a position to get something from the internet and execute it on the servers. This is the only way a virus can infect the servers. This doesn't mean that the virus cannot reside on the server! It will not infect the server, that is all. On the other hand, the user workstations may get infected if the users get their hands on the virus-contaminated file(s)!
Since I don't know the level of your knowledge in this arena, I don't want to go into too much detail, but if you have any questions, get back to me and I will gladly explain further.
DMZ; that is tricky. I didn't go through the comments, but I think DaveHowe is talking about it. DMZ is a zone where usually the Internet servers are positioned. This means that the DMZ is a place where the security is not as good as your internal LAN but not as insecure as the Internet. Some setups have 2 firewalls, one for the DMZ and one for the LAN, but what I am used to is AIX Firewall and some other systems like the old NEC firewalls with 3 interfaces (usually NICs). I don't know what you mean by "one Internet user on DMZ", but DMZ access for a hacker is better than most other ways to try to break into your network, because DMZ to your firewall or LAN is a half-trusted zone in contrast to your Internet zone.

Experience in setting up a firewall is better than any book or manual! If too much is at stake, you should get an expert on the subject, I think!

Good luck

Huseyin K.
0
 
LVL 8

Expert Comment

by:ViRoy
ID: 8013674
Very good job so far!
That's exactly what any CISSP would do.
Now you should beef up the security and customize it to the specific usage needs on the network.

To do this I would start by implementing an IDS to complement the DMZ. The DMZ can be a single point of failure; maybe a padded cell system would be the best with your IDS to prevent complete lockout. It also will be very helpful in providing tangible evidence in case of legal issues.

Oh, and try to stay up to date with the latest security patches... I can't count the number of times super robust networks have been clobbered by a simple exploit that had a patch available.
As a matter of fact, that Slammer worm is a great example; it even caused airplane flight cancellations!
0
 
LVL 5

Expert Comment

by:zenlion420
ID: 9954204
This question has been classified as abandoned. I will make a recommendation to the moderators on its resolution in approximately one week. I would appreciate any comments by the experts that would help me in making a recommendation.

It is assumed that any participant not responding to this request is no longer interested in its final disposition.

If the asker does not know how to close the question, the options are here:
http://www.experts-exchange.com/help.jsp#hs5

zenlion420
EE Page Editor
0
