Farm of servers connected to internet behind firewall security risk

Security-wise, what is the risk to a farm of servers (database or application, UNIX or Microsoft OS) if I connect them to the internet behind a firewall (PIX or other) on the internal interface, with an access-list that denies all traffic from anywhere except one internet user on the DMZ? What about viruses, worms, etc.? Is there any advice or recommendation? What can I do at the main access point (the internet router) as a first step of defense?
Dave Howe, Software and Hardware Engineer, commented:
This sounds very much like best practice. The normal design of a base DMZ setup is a single firewall, with one "external" internet-facing interface, one "internal" LAN-facing interface, and one "DMZ" server farm interface. You should allow inbound from the internet only those protocols you are supporting on the servers; you should allow outbound only what is required (FTP can often be "smart" handled by the firewall), and you should be only marginally more trusting of DMZ hosts than the internet itself.
If you run NT, do *not* split a domain across the two - make a separate domain for any NT boxen in the DMZ, and set up a trust relationship. Lock down RPC to a small range of channels, allow DMZ hosts read-only access to selected portions of LAN hosts, build a separate dir that DMZ hosts have write access to (one per DMZ host, not the main shared dir) and, where possible, use MTS to run components on the LAN rather than opening additional ports per service.
If you run Unix (and Solaris + Apache is probably the best combo out there for webserving, provided your designers aren't addicted to ActiveX components or ASP) then don't allow remote mounts through the firewall, use FTP (or better yet, scp) to push or pull from the LAN side to the DMZ (rather than allowing inbound access), and if you must have an inbound command path, make it SSH running a custom binary (not a true shell), remove tunnel and SFTP support, and if possible run it as its own dedicated sshd on a non-standard port, so that you don't ever have to change config on it to allow more liberal access from non-DMZ hosts.
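The three-zone, default-deny policy described in the answer above, modelled as an added example (not code from the original thread, and not PIX syntax): zone names, address ranges, the sample flows and the dedicated sshd port 2222 are all assumed.

```python
"""First-match zone policy for a single-firewall DMZ (internet / dmz / lan).
Constructed example: address ranges, rules and port numbers are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None means any destination port
    action: str           # "permit" or "deny"

# Inbound only the services the DMZ hosts actually offer; DMZ -> LAN nothing
# (LAN pushes to the DMZ instead); LAN -> DMZ only the dedicated sshd for scp.
POLICY: List[Rule] = [
    Rule("internet", "dmz", "tcp", 80, "permit"),    # public web service
    Rule("internet", "dmz", "tcp", 443, "permit"),
    Rule("internet", "lan", "any", None, "deny"),    # LAN is never reachable directly
    Rule("dmz", "lan", "any", None, "deny"),         # DMZ hosts treated like the internet
    Rule("lan", "dmz", "tcp", 2222, "permit"),       # dedicated sshd, assumed port
    Rule("dmz", "internet", "udp", 53, "permit"),    # only outbound DNS is required
]

ZONES = {"lan": ip_network("10.0.0.0/8"),          # assumed internal range
         "dmz": ip_network("192.168.100.0/24")}     # assumed server farm range

def zone_of(ip: str) -> str:
    """Map an address to its firewall zone; anything unknown is the internet."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"

def evaluate(src_ip: str, dst_ip: str, proto: str, dport: int) -> str:
    """Return 'permit' or 'deny' for a flow; the implicit last rule is deny."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for r in POLICY:
        if (r.src_zone == src and r.dst_zone == dst
                and r.proto in ("any", proto) and r.dport in (None, dport)):
            return r.action
    return "deny"

def broad_permits(policy: List[Rule]) -> List[Rule]:
    """Flag permit rules with any-protocol or any-port, which break the
    'allow only what you support' principle the answer describes."""
    return [r for r in policy
            if r.action == "permit" and (r.proto == "any" or r.dport is None)]
```

Running `broad_permits(POLICY)` before deploying a ruleset is a cheap way to catch an "ip any any" permit that sneaked in during troubleshooting.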

Well, even though there is not enough information here, I can say this in confidence that your security depends on the firewalls and the users/administrators of the servers.  First of all, no surfing or any internet activity should be allowed at the servers.  In other words, no one should be allowed to be in a position to get something from the internet and execute it on the servers.  This is the only way a virus can infect the servers.  This doesn't mean that the virus cannot reside on the server!  It will not infect the server, that is all.  On the other hand, the user workstations may get infected if the users get their hands on the virus-contaminated file(s)!
Since I don't know the level of your knowledge in this arena, I don't want to go too much into detail, but if you have any questions, get back to me and I will gladly explain further in detail.
DMZ; that is tricky.  I didn't go through the comments, but I think DaveHowe is talking about it.  A DMZ is a zone where usually the Internet servers are positioned.  This means that the DMZ is a place where the security is not as good as your internal LAN, but not as insecure as the Internet.  Some setups have 2 firewalls, one for the DMZ and one for the LAN, but what I am used to is AIX Firewall and some other systems like the old NEC firewalls with 3 interfaces (usually NICs).  I don't know what you mean by "one Internet user on DMZ", but DMZ access for a hacker is better than most other ways to try to break in to your network, because the DMZ is a half-trusted zone to your firewall or LAN, in contrast to your Internet zone.

Experience in setting up a firewall is better than any book or manual!  If too much is at stake, you should get an expert on the subject, I think!

Good luck

Huseyin K.

Very good job so far!
That's exactly what any CISSP would do.
Now you should beef up the security and customize it to the specific usage needs on the network.

To do this I would start by implementing an IDS to complement the DMZ. The DMZ can be a single point of failure; maybe a padded cell system would be the best with your IDS to prevent complete lockout. It will also be very helpful in providing tangible evidence in case of legal issues.

Oh, and try to stay up to date with the latest security patches... I can't count the number of times super robust networks have been clobbered by a simple exploit that had a patch available.
As a matter of fact, that super Slammer worm is a great example, that even caused airplane flight cancellations!
This question has been classified as abandoned.  I will make a recommendation to the moderators on its resolution in approximately one week.  I would appreciate any comments by the experts that would help me in making a recommendation.

It is assumed that any participant not responding to this request is no longer interested in its final disposition.

If the asker does not know how to close the question, the options are here:

EE Page Editor