Web Server behind Firewall used for Intranet and Extranet

Posted on 2003-11-13
Last Modified: 2010-04-22
I would like to get some feedback about possible security concerns with my proposal...

Server Config: RedHat 9.0, Apache 2.0, PHP 4.2.2, MySQL 3.23.52
Firewall: WatchGuard, forwarding port 80 to this server
Applications: phpMyAdmin, Mambo Open Source?, Custom Reports and XML outputs to be imported into Accounting System (Windows 2000 Server)

Three examples of how this will be used:
1 - A user comes and fills out a Purchase Order Form on our site and an XML file is produced and imported into our Accounting System.
2 - Our accounting system produces monthly reports that will be published online for specific users to view.
3 - New projects will be added to the database by internal staff, which will produce an XML file used for setting up the project in the Accounting System. As well, modifications may be made by the external owner of the project and these changes will need to be imported into our system.

Needless to say I will be storing a lot of sensitive information in my MySQL database, some of which I want external public users to be able to see. Other information I want to make accessible to external private users as well as give them the ability to edit the information. Finally, internal users will have access to the most information, and this information will need to be transferred to our Windows server.

My main concerns are:
- Network vulnerabilities by opening port 80
- Server security, how to ensure external users don't access private information
- Exploiting holes in any of the above technologies
- Probably a stupid question but would Mambo security suffice for securing data?

- Should I just host this server remotely?
- Should I put it in a DMZ?
- Recommendations
Question by: hibbits
LVL 40

Accepted Solution

jlevie earned 250 total points
ID: 9745453
Provided that you religiously keep your RH 9 system up to date w/respect to the RedHat 9 errata there's no inherent risk, server wise, of exposing the system to only HTTP requests. However, that doesn't mean that your application code can be neglected. The most likely means of exposing more than you want to would arise from poorly designed or implemented web applications. Given that you'll have data stored in a MySQL database, some of which you would never want outsiders to see, I'd use a second system as the MySQL DB server. And I'd design the application(s) to use more than one database. Only "publicly viewable" data would be in one or more databases and private data in others. The web server would only have access to the "public data" and internal users would have access to the rest.

Also keep in mind that this server is only as secure as the rest of the machines on your network are. If you have other systems that have Internet access and that might be compromised, they could be used to successfully attack this server(s). At the least I'd install & run Tripwire to detect unauthorized modifications and I'd set up a host based firewall on the linux server(s) that only allows inbound connections on 80/TCP and ssh from "known secure" internal machines. Along with that I'd severely limit the number of folks that have direct (non web) access to the server(s). For the best security this system(s) and any that have ssh access should be located in rooms that are locked when a responsible user isn't present.

Also keep in mind that support for RedHat 9 will end in April 2004. You'd be well advised to switch to RedHat Enterprise Linux 3.0 ES for this application as it will have a 5 year service life. See the RedHat site for more information.
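The host-based firewall jlevie describes (inbound 80/TCP from anywhere, ssh only from named internal machines, everything else dropped and logged) as an added example script; this is not code from the thread or from any of the products mentioned. The admin addresses in ADMIN_HOSTS are made-up placeholders, and the script prints the iptables commands for review by default so the ruleset can be checked before it is applied with root privileges.

```shell
#!/bin/sh
# Added example, not from the original thread: build a host firewall for the
# RH9/Apache box described above. ADMIN_HOSTS holds the "known secure" internal
# machines allowed to ssh in; the addresses below are assumed placeholders.
ADMIN_HOSTS="${ADMIN_HOSTS:-192.168.1.10 192.168.1.11}"

# Emit the rules as text rather than running them, so they can be reviewed
# (and tested) before touching a live server.
build_rules() {
    echo "iptables -F INPUT"
    echo "iptables -P INPUT DROP"                 # default deny inbound
    echo "iptables -P FORWARD DROP"               # this box is not a router
    echo "iptables -A INPUT -i lo -j ACCEPT"      # local processes (e.g. PHP -> MySQL socket)
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # The only service the Internet may reach: HTTP, which the WatchGuard forwards.
    echo "iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT"
    # ssh only from the listed internal administration hosts, never from the outside.
    for h in $ADMIN_HOSTS; do
        echo "iptables -A INPUT -p tcp -s $h --dport 22 -m state --state NEW -j ACCEPT"
    done
    # Log what the default policy is about to drop; useful when reviewing Tripwire/syslog later.
    echo "iptables -A INPUT -j LOG --log-prefix 'FW-DROP: '"
}

# Apply the reviewed rules (requires root).
apply_rules() {
    build_rules | sh
}

# Helper used when reviewing: how many hosts were granted ssh access.
count_ssh_rules() {
    build_rules | grep -c -- '--dport 22'
}

case "${1:-}" in
    apply) apply_rules ;;
    *)     build_rules ;;
esac
```

Run it with no argument to see the rules; run `sh firewall.sh apply` as root to install them. Note there is deliberately no rule for 3306/TCP: with the MySQL server on a second machine as suggested, the web server initiates that connection outbound and nothing needs to reach the web box on the MySQL port.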
LVL 51

Expert Comment

ID: 9749724
as jlevie said: if there is private sensitive data somewhere, keep it away from any application accessible via internet.
If you have more than one (web-)application using your MySQL, each of them might be used to get unauthorised access.
My approach is to have copies/extracts of a database be copied to the external server for internet access.
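The split jlevie proposes (separate public and private databases, the web server's account limited to the public one) combined with the copy/extract idea in the comment above, as an added example script that is not from the thread. The host name, account name, password and the list of published tables are assumed placeholders. It prints the common weak grant next to the least-privilege one, includes a small review check that rejects grants reaching beyond the public database, and sketches the nightly extract of only the published tables.

```shell
#!/bin/sh
# Added example, not from the original thread: two MySQL databases, a read-only
# web account on the public one, and an extract job feeding it from the private one.
# Every value below is an assumed placeholder.
WEB_HOST="${WEB_HOST:-web-dmz.example.internal}"   # assumed: the Apache/PHP box
WEB_USER="webapp"
PUBLIC_DB="public_data"
PRIVATE_DB="private_data"
PUBLISHED_TABLES="${PUBLISHED_TABLES:-monthly_reports project_summary}"   # assumed extract tables

# The setup a single-database install usually ends up with: one all-powerful
# account reachable from any host. A SQL injection bug in phpMyAdmin, Mambo or
# the custom reports then exposes everything, private data included.
weak_grant_sql() {
    echo "GRANT ALL PRIVILEGES ON *.* TO '$WEB_USER'@'%' IDENTIFIED BY 'changeme';"
}

# Least-privilege version: the web account can only SELECT from the public
# database and only when connecting from the web host. GRANT ... IDENTIFIED BY
# is the form MySQL 3.23 understands (CREATE USER arrived in later versions).
hardened_grant_sql() {
    cat <<EOF
CREATE DATABASE $PUBLIC_DB;
CREATE DATABASE $PRIVATE_DB;
GRANT SELECT ON $PUBLIC_DB.* TO '$WEB_USER'@'$WEB_HOST' IDENTIFIED BY 'changeme';
FLUSH PRIVILEGES;
EOF
}

# Review check, reads a grant script on stdin. Returns 0 only if every GRANT is
# confined to the public database, is not ALL PRIVILEGES, and is host-restricted.
check_grants() {
    sql=$(cat)
    grants=$(printf '%s\n' "$sql" | grep -i '^GRANT')
    if printf '%s\n' "$grants" | grep -qiv "ON $PUBLIC_DB\.\*"; then
        return 1   # a GRANT touches something other than the public database
    fi
    if printf '%s\n' "$grants" | grep -qi 'ALL PRIVILEGES'; then
        return 1   # read-only is all a reporting web front end needs
    fi
    if printf '%s\n' "$grants" | grep -q "@'%'"; then
        return 1   # reachable from any host
    fi
    return 0
}

# Nightly extract run on the internal DB server: copy only the published tables
# into the public database, so the web-facing schema never holds the full data set.
extract_to_web() {
    mysqldump --opt "$PRIVATE_DB" $PUBLISHED_TABLES | mysql "$PUBLIC_DB"
}

case "${1:-}" in
    weak)    weak_grant_sql ;;
    extract) extract_to_web ;;
    *)       hardened_grant_sql ;;
esac
```

Pipe the output of `sh dbsplit.sh` into `mysql -u root -p` on the DB server to create the databases and the web account; `sh dbsplit.sh extract` is what a cron entry would call. Data edited by external owners (the third use case in the question) would go into a separate staging database with its own account holding INSERT/UPDATE on those tables only, and be pulled into the private database by an internal job, so the web account still never gets write access to the private side.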

Expert Comment

ID: 9945314
Run also the program to harden the security on your box.
