Web Server behind Firewall used for Intranet and Extranet

Posted on 2003-11-13
Last Modified: 2010-04-22
I would like to get some feedback about possible security concerns with my proposal...

Server Config: RedHat 9.0, Apache 2.0, PHP 4.2.2, MySQL 3.23.52
Firewall: WatchGuard, forwarding port 80 to this server
Applications: phpMyAdmin, Mambo Open Source?, Custom Reports and XML outputs to be imported into Accounting System (Windows 2000 Server)

Three examples of the how this will be used:
1 - A user comes fills out a Purchase Order Form on our site and an XML file is produced and imported into our Accounting System.
2 - Our accounting system produces monthly reports that will be published on line for specific users to view.
3 - New projects will be added to the database by internal staff which will produce and XML file used for setting up the project in the Accounting System.  As well modifications may be made by the external owner of the project and these changes will need to be imported into the our system.

Needless to say I will be storing a lot of sensitive information in my MySql database.  Some of which I want external public users to be able to see.  Other information I want to make accessible to external private users as well as give them the ability to edit the information.  Finally internal users will have access to the most information, this information will be need to be transferred to our windows server.

My main concerns are:
- Network vulnerabilities by opening port 80
- Server security, how to ensure external users don't access private information
- Exploiting holes in any of the above technologies
- Probably a stupid question but would Mambo security suffice for securing data?

- Should I just host this server remotely?
- Should I put it in a DMZ?
- Recommendations
Question by:hibbits
LVL 40

Accepted Solution

jlevie earned 250 total points
ID: 9745453
Provided that you religously keep your RH 9 system up to date w/respect to the RedHat 9 errata there's no inherit risk, server wise, of exposing the system to only HTTP requests. However, that doesn't mean that your application code can be negelected. The most likely means of exposing more than you want to would arise from poorly designed or implemented web applications. Given that you'll have data stored in a MySQL database, some of which you would never want outsiders to see I'd use a second system as the MySQL DB server. And I'd design the application(s) to use more than one database. Only "publically viewable" data would be in one or more databases and private data in others. The web server would only have access to the "public data" and internal users would have access to the rest.

Also keep in mind that this server is only as secure as the rest of the machines on your network are. If you have other systems that have Internet access and that might be compromised they could be used to successfully attack this server(s). At the least I'd install & run Tripwire to detect unauthorized modifications and I'd set up a host based firewall on the linux server(s) that only allows inbound connections on 80/TCP and ssh from "known secure"internal machines. Along with that I'd severly limit the number of folks that have direct (non web) access to the server(s). For the best security this system(s) and any that have ssh access should be located in rooms that are locked when a responsible user isn't present.

Also keep in mind that support for RedHat 9 will end in April 2004. You'd be well advised to swith to RedHat Enterprise Linux 3.0 ES for this application as it will have a 5 year service life. See the RedHat site for more information.
LVL 51

Expert Comment

ID: 9749724
as jlevie said: if there is private sensitive data somewhere, keep it away from any application accessable via internet.
If you have more than one (web-)application using your MySQL, each of them might be used to get unauthorised access.
My aproach is to have copies/extracts of an database be copied to the external server for internet access.

Expert Comment

ID: 9945314
Run also the program to harden the security on your box.

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Hello EE, Today we will learn how to send all your network traffic through Tor which is useful to get around censorship and being tracked all together to a certain degree. This article assumes you will be using Linux, have a minimal knowledge of …
Fine Tune your automatic Updates for Ubuntu / Debian
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
In a recent question ( here at Experts Exchange, a member asked how to add page numbers to a PDF file using Adobe Acrobat XI Pro. This short video Micro Tutorial sh…

776 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question