Web Server behind Firewall used for Intranet and Extranet

I would like to get some feedback about possible security concerns with my proposal...

Server Config: RedHat 9.0, Apache 2.0, PHP 4.2.2, MySQL 3.23.52
Firewall: WatchGuard, forwarding port 80 to this server
Applications: phpMyAdmin, Mambo Open Source?, Custom Reports and XML outputs to be imported into Accounting System (Windows 2000 Server)

Three examples of how this will be used:
1 - A user fills out a Purchase Order Form on our site and an XML file is produced and imported into our Accounting System.
2 - Our accounting system produces monthly reports that will be published on line for specific users to view.
3 - New projects will be added to the database by internal staff which will produce an XML file used for setting up the project in the Accounting System.  As well, modifications may be made by the external owner of the project and these changes will need to be imported into our system.

Needless to say I will be storing a lot of sensitive information in my MySQL database.  Some of which I want external public users to be able to see.  Other information I want to make accessible to external private users as well as give them the ability to edit the information.  Finally internal users will have access to the most information; this information will need to be transferred to our Windows server.

My main concerns are:
- Network vulnerabilities by opening port 80
- Server security, how to ensure external users don't access private information
- Exploiting holes in any of the above technologies
- Probably a stupid question but would Mambo security suffice for securing data?

- Should I just host this server remotely?
- Should I put it in a DMZ?
- Recommendations

Provided that you religiously keep your RH 9 system up to date w/respect to the RedHat 9 errata there's no inherent risk, server wise, of exposing the system to only HTTP requests. However, that doesn't mean that your application code can be neglected. The most likely means of exposing more than you want to would arise from poorly designed or implemented web applications. Given that you'll have data stored in a MySQL database, some of which you would never want outsiders to see, I'd use a second system as the MySQL DB server. And I'd design the application(s) to use more than one database. Only "publicly viewable" data would be in one or more databases and private data in others. The web server would only have access to the "public data" and internal users would have access to the rest.

Also keep in mind that this server is only as secure as the rest of the machines on your network are. If you have other systems that have Internet access and that might be compromised they could be used to successfully attack this server(s). At the least I'd install & run Tripwire to detect unauthorized modifications and I'd set up a host based firewall on the linux server(s) that only allows inbound connections on 80/TCP and ssh from "known secure" internal machines. Along with that I'd severely limit the number of folks that have direct (non web) access to the server(s). For the best security this system(s) and any that have ssh access should be located in rooms that are locked when a responsible user isn't present.

Also keep in mind that support for RedHat 9 will end in April 2004. You'd be well advised to switch to RedHat Enterprise Linux 3.0 ES for this application as it will have a 5 year service life. See the RedHat site for more information.

As jlevie said: if there is private sensitive data somewhere, keep it away from any application accessible via internet.
If you have more than one (web-)application using your MySQL, each of them might be used to get unauthorised access.
My approach is to have copies/extracts of a database be copied to the external server for internet access.
Run also the http://bastille-linux.org/ program to harden the security on your box.
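The public/private split jlevie describes above (web server only ever sees the "public" databases) and the copy/extract approach in this answer amount to the same control: the full database stays internal, and the external server receives a rebuilt extract containing only allow-listed tables and columns. The following is an added example, not code from the thread; it uses Python's sqlite3 as a stand-in for MySQL (an assumption, since the same SELECT/INSERT pattern applies), and the table names, column names and sample rows are constructed for illustration. The `leaked_columns` check is what you would run on the external copy after each extract to confirm nothing outside the allow-list ended up there.

```python
"""Public/private data split: the internal system keeps the full database,
the web-facing server gets only an allow-listed extract.

Added example; sqlite3 stands in for MySQL (assumption). All table and column
names and sample rows below are constructed for illustration."""
import sqlite3

# Allow-list of what the web server may see, per table (constructed).
# Anything not listed here never leaves the internal database.
PUBLIC_SCHEMA = {
    "projects": ["project_id", "name", "status"],
    "reports": ["report_id", "project_id", "period", "summary"],
}


def build_internal_db():
    """Create a sample internal database mixing public and private data."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE projects (
            project_id INTEGER PRIMARY KEY, name TEXT, status TEXT,
            owner_contact TEXT, contract_value REAL);      -- private columns
        CREATE TABLE reports (
            report_id INTEGER PRIMARY KEY, project_id INTEGER,
            period TEXT, summary TEXT, margin_pct REAL);    -- private column
        CREATE TABLE payroll (employee TEXT, salary REAL);  -- entirely private
        INSERT INTO projects VALUES (1, 'Bridge repair', 'open', 'j@ext.example', 120000.0);
        INSERT INTO projects VALUES (2, 'Roof survey', 'closed', 'k@ext.example', 8000.0);
        INSERT INTO reports VALUES (10, 1, '2003-11', 'On schedule', 12.5);
        INSERT INTO payroll VALUES ('alice', 52000.0);
    """)
    return con


def extract_public(internal, external):
    """Copy only allow-listed tables/columns from internal to the external copy.

    The external tables are rebuilt from scratch on every run, so a column
    later removed from the allow-list also disappears from the web server.
    Returns the row count per exported table."""
    for table, cols in PUBLIC_SCHEMA.items():
        col_list = ", ".join(cols)
        external.execute(f"DROP TABLE IF EXISTS {table}")
        external.execute(f"CREATE TABLE {table} ({col_list})")
        rows = internal.execute(f"SELECT {col_list} FROM {table}").fetchall()
        placeholders = ", ".join("?" for _ in cols)
        external.executemany(f"INSERT INTO {table} VALUES ({placeholders})", rows)
    external.commit()
    return {t: len(external.execute(f"SELECT * FROM {t}").fetchall())
            for t in PUBLIC_SCHEMA}


def leaked_columns(db):
    """Post-extract check: list every table.column present in `db` that is
    not on the allow-list. Expected to be empty on the external copy."""
    leaks = []
    tables = [r[0] for r in db.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:
        for row in db.execute(f"PRAGMA table_info({table})"):
            column = row[1]
            if column not in PUBLIC_SCHEMA.get(table, []):
                leaks.append(f"{table}.{column}")
    return leaks


def demo():
    """Run the extract and the leak check; returns (row counts, leaks)."""
    internal = build_internal_db()
    external = sqlite3.connect(":memory:")  # stands in for the web server's DB
    counts = extract_public(internal, external)
    return counts, leaked_columns(external)


if __name__ == "__main__":
    print(demo())
```

In a real deployment the extract runs on the internal side as a scheduled job and pushes the result to the external MySQL server, and the MySQL account used by the PHP application on the web server is granted access to the extract databases only, so even a compromised web application has nothing private to read.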