Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win


Web Server behind Firewall used for Intranet and Extranet

Posted on 2003-11-13
Medium Priority
Last Modified: 2010-04-22
I would like to get some feedback about possible security concerns with my proposal...

Server Config: RedHat 9.0, Apache 2.0, PHP 4.2.2, MySQL 3.23.52
Firewall: WatchGuard, forwarding port 80 to this server
Applications: phpMyAdmin, Mambo Open Source?, Custom Reports and XML outputs to be imported into Accounting System (Windows 2000 Server)

Three examples of the how this will be used:
1 - A user comes fills out a Purchase Order Form on our site and an XML file is produced and imported into our Accounting System.
2 - Our accounting system produces monthly reports that will be published on line for specific users to view.
3 - New projects will be added to the database by internal staff which will produce and XML file used for setting up the project in the Accounting System.  As well modifications may be made by the external owner of the project and these changes will need to be imported into the our system.

Needless to say I will be storing a lot of sensitive information in my MySql database.  Some of which I want external public users to be able to see.  Other information I want to make accessible to external private users as well as give them the ability to edit the information.  Finally internal users will have access to the most information, this information will be need to be transferred to our windows server.

My main concerns are:
- Network vulnerabilities by opening port 80
- Server security, how to ensure external users don't access private information
- Exploiting holes in any of the above technologies
- Probably a stupid question but would Mambo security suffice for securing data?

- Should I just host this server remotely?
- Should I put it in a DMZ?
- Recommendations
Question by:hibbits
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
LVL 40

Accepted Solution

jlevie earned 1000 total points
ID: 9745453
Provided that you religously keep your RH 9 system up to date w/respect to the RedHat 9 errata there's no inherit risk, server wise, of exposing the system to only HTTP requests. However, that doesn't mean that your application code can be negelected. The most likely means of exposing more than you want to would arise from poorly designed or implemented web applications. Given that you'll have data stored in a MySQL database, some of which you would never want outsiders to see I'd use a second system as the MySQL DB server. And I'd design the application(s) to use more than one database. Only "publically viewable" data would be in one or more databases and private data in others. The web server would only have access to the "public data" and internal users would have access to the rest.

Also keep in mind that this server is only as secure as the rest of the machines on your network are. If you have other systems that have Internet access and that might be compromised they could be used to successfully attack this server(s). At the least I'd install & run Tripwire to detect unauthorized modifications and I'd set up a host based firewall on the linux server(s) that only allows inbound connections on 80/TCP and ssh from "known secure"internal machines. Along with that I'd severly limit the number of folks that have direct (non web) access to the server(s). For the best security this system(s) and any that have ssh access should be located in rooms that are locked when a responsible user isn't present.

Also keep in mind that support for RedHat 9 will end in April 2004. You'd be well advised to swith to RedHat Enterprise Linux 3.0 ES for this application as it will have a 5 year service life. See the RedHat site for more information.
LVL 51

Expert Comment

ID: 9749724
as jlevie said: if there is private sensitive data somewhere, keep it away from any application accessable via internet.
If you have more than one (web-)application using your MySQL, each of them might be used to get unauthorised access.
My aproach is to have copies/extracts of an database be copied to the external server for internet access.

Expert Comment

ID: 9945314
Run also the http://bastille-linux.org/ program to harden the security on your box.

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

​Being a Managed Services Provider (MSP) has presented you  with challenges in the past— and by meeting those challenges you’ve reaped the rewards of success.  In 2014, challenges and rewards remain; but as the Internet and business environment evol…
Fine Tune your automatic Updates for Ubuntu / Debian
In this video you will find out how to export Office 365 mailboxes using the built in eDiscovery tool. Bear in mind that although this method might be useful in some cases, using PST files as Office 365 backup is troublesome in a long run (more on t…
Visualize your data even better in Access queries. Given a date and a value, this lesson shows how to compare that value with the previous value, calculate the difference, and display a circle if the value is the same, an up triangle if it increased…

598 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question