

Farm of servers connected to internet behind firewall security risk

Posted on 2003-02-24
Medium Priority
Last Modified: 2013-11-16
Security-wise, what is the risk to a farm of servers (database or application, UNIX or Microsoft OS) if I connect them to the internet behind a firewall (PIX or else) on the internal interface, with an access-list denying all traffic from anywhere except one internet user on the DMZ? What about viruses, worms, etc.? Is there any advice or recommendation? What can I do at the main point of access (the internet router) as a first step for defense?
Question by:Fact
LVL 33

Accepted Solution

Dave Howe earned 112 total points
ID: 8007844
This sounds very much like best practice. The normal design of a basic DMZ setup is a single firewall with one "external" internet-facing interface, one "internal" LAN-facing interface, and one "DMZ" server farm interface. You should allow inbound from the internet only those protocols you are supporting on the servers; you should allow outbound only what is required (FTP can often be "smart" handled by the firewall); and you should be only marginally more trusting of DMZ hosts than of the internet itself.
If you run NT, do *not* split a domain across the two - make a separate domain for any NT boxen in the DMZ, and set up a trust relationship. Lock down RPC to a small range of channels, allow DMZ hosts read-only access to selected portions of LAN hosts, build a separate directory that DMZ hosts have write access to (one per DMZ host, not the main shared directory) and, where possible, use MTS to run components on the LAN rather than opening additional ports per service.
If you run Unix (and Solaris + Apache is probably the best combo out there for web serving, provided your designers aren't addicted to ActiveX components or ASP), then don't allow remote mounts through the firewall; use FTP (or better yet, scp) to push or pull from the LAN side to the DMZ (rather than allowing inbound access); and if you must have an inbound command path, make it SSH running a custom binary (not a true shell), remove tunnel and SFTP support, and if possible run it as its own dedicated sshd on a non-standard port, so that you never have to change its config to allow more liberal access from non-DMZ hosts.
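The three-interface, default-deny policy the accepted answer describes, as an added example that is not part of the original thread: a small Python model of the firewall's allow-list, evaluated against constructed flows so the implicit deny is visible. The address plan, zone names, rule names and the resolver address are assumptions made for this example; it models the policy logic only and does not reproduce PIX access-list syntax.

```python
"""Model of a single firewall with internet / dmz / lan interfaces and a
default-deny allow-list, in the spirit of the accepted answer."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed address plan (hypothetical; not from the thread).
# Order matters: specific zones first, the internet catch-all last.
ZONES = {
    "lan": ip_network("10.0.0.0/8"),
    "dmz": ip_network("192.0.2.0/24"),
    "internet": ip_network("0.0.0.0/0"),
}


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    proto: str                      # "tcp" or "udp"
    dst_port: Optional[int]         # None = any port
    dst_host: Optional[str] = None  # None = any host in dst_zone


# Allow-list only; anything not listed falls through to the implicit deny.
# - inbound from the internet: only the protocols the DMZ servers serve
# - LAN pushes content into the DMZ over scp; the DMZ never initiates to the LAN
# - outbound from the DMZ: only what is required (here, DNS to one resolver)
RULES = [
    Rule("web-in", "internet", "dmz", "tcp", 80),
    Rule("web-tls-in", "internet", "dmz", "tcp", 443),
    Rule("lan-push-scp", "lan", "dmz", "tcp", 22),
    Rule("lan-browse", "lan", "internet", "tcp", 80),
    Rule("lan-browse-tls", "lan", "internet", "tcp", 443),
    Rule("dmz-dns-out", "dmz", "internet", "udp", 53, "198.51.100.53"),
]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dst_port: int


def zone_of(addr: str) -> str:
    """Map an address to the firewall interface it lives behind."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    raise ValueError(f"no zone for {addr}")


def evaluate(flow: Flow) -> Tuple[str, str]:
    """First-match evaluation: ("permit", rule) or ("deny", "implicit-deny")."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    for r in RULES:
        if (r.src_zone, r.dst_zone, r.proto) != (src_zone, dst_zone, flow.proto.lower()):
            continue
        if r.dst_port is not None and r.dst_port != flow.dst_port:
            continue
        if r.dst_host is not None and r.dst_host != flow.dst:
            continue
        return ("permit", r.name)
    return ("deny", "implicit-deny")


def denied(flows: List[Flow]) -> List[Flow]:
    """Flows the policy drops; useful when checking a change before deploying it."""
    return [f for f in flows if evaluate(f)[0] == "deny"]


# Constructed sample flows (203.0.113.0/24 plays the internet).
SAMPLE_FLOWS = [
    Flow("203.0.113.9", "192.0.2.10", "tcp", 80),     # web request to the DMZ
    Flow("203.0.113.9", "192.0.2.10", "tcp", 22),     # ssh from the internet
    Flow("203.0.113.9", "10.0.0.5", "tcp", 1433),     # internet straight to a LAN database
    Flow("10.0.0.20", "192.0.2.10", "tcp", 22),       # LAN admin pushing content via scp
    Flow("192.0.2.10", "10.0.0.5", "tcp", 445),       # DMZ host reaching back into the LAN
    Flow("192.0.2.10", "198.51.100.53", "udp", 53),   # DMZ DNS to the permitted resolver
    Flow("192.0.2.10", "203.0.113.9", "udp", 53),     # DMZ DNS to an arbitrary host
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        action, rule = evaluate(f)
        print(f"{f.src:>15} -> {f.dst:>15} {f.proto}/{f.dst_port:<5} {action:6} ({rule})")
```

Only three of the seven sample flows are permitted; everything the answer warns about (inbound ssh, internet-to-LAN, DMZ initiating to the LAN, unrestricted DMZ egress) hits the implicit deny without needing an explicit deny rule.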

Assisted Solution

cococan earned 108 total points
ID: 8010689
Well, even though there is not enough information here, I can say in confidence that your security depends on the firewalls and on the users/administrators of the servers. First of all, no surfing or any internet activity should be allowed at the servers. In other words, no one should be allowed to be in a position to get something from the internet and execute it on the servers. This is the only way a virus can infect the servers. This doesn't mean that a virus cannot reside on the server! It will not infect the server, that is all. On the other hand, the user workstations may get infected if the users get their hands on the virus-contaminated file(s)!
Since I don't know the level of your knowledge in this arena, I don't want to go into too much detail, but if you have any questions, get back to me; I will gladly explain further in detail.
DMZ: that is tricky. I didn't go through the comments, but I think DaveHowe is talking about it. A DMZ is a zone where the internet servers are usually positioned. This means that the DMZ is a place where the security is not as good as your internal LAN, but not as insecure as the internet. Some setups have two firewalls, one for the DMZ and one for the LAN, but what I am used to is AIX Firewall and some other systems like the old NEC firewalls with three interfaces (usually NICs). I don't know what you mean by "one internet user on DMZ", but DMZ access for a hacker is better than most other ways to try to break into your network, because the DMZ is a half-trusted zone to your firewall or LAN, in contrast to your internet zone.

Experience in setting up a firewall is better than any book or manual! If too much is at stake, you should get an expert on the subject, I think!

Good luck

Huseyin K.

Expert Comment

ID: 8013674

Very good job so far!
That's exactly what any CISSP would do.
Now you should beef up the security and customize it to the specific usage needs on the network.

To do this I would start by implementing an IDS to complement the DMZ. The DMZ can be a single point of failure; maybe a padded cell system would be best with your IDS to prevent complete lockout. It will also be very helpful in providing tangible evidence in case of legal issues.

Oh, and try to stay up to date with the latest security patches... I can't count the number of times super robust networks have been clobbered by a simple exploit that had a patch available.
As a matter of fact, that Slammer worm is a great example; it even caused airplane flight cancellations!

Expert Comment

ID: 9954204
This question has been classified as abandoned. I will make a recommendation to the moderators on its resolution in approximately one week. I would appreciate any comments by the experts that would help me in making a recommendation.

It is assumed that any participant not responding to this request is no longer interested in its final disposition.

If the asker does not know how to close the question, the options are here:

EE Page Editor
