HawkeyeNash

DMZ vs Reverse Proxy

In the past, our company has had our web site hosted off site. We are in the process of setting up a web server in-house and doing our own hosting. We are having an internal disagreement about the value of having a DMZ vs. using a reverse proxy.

One school of thought is to set up the web server and the database server inside a DMZ. The other is to put the web server inside the LAN and protect it by using a reverse proxy and to use the existing production DB server as the web DB server.

We will be running IIS and SQL Server, and using BorderManager as our firewall.

Any input will be greatly appreciated.

Thanks in advance,
HawkeyeNash
bloemkool1980

Hi hawkeye,
I suggest a combination of the two. I would put a reverse proxy in a DMZ. This DMZ I will call DMZ-Public.
DMZ-Public is the only DMZ that can be accessed directly from outside, well, passing the firewall of course.
Then I would place the web server in another DMZ called DMZ-Webserver, and if you do not have enough network cards or whatever you could put the DB server in the same DMZ as your web server, but if possible I would put it in another DMZ or internal. Because you run IIS, I highly recommend putting in a reverse proxy and separating the machine from your LAN.
Why:
Well, if you follow my proposition your traffic is filtered inbound and outbound. Meaning that traffic from your reverse proxy to your web server is filtered by the firewall, and traffic from that web server to your DB too if you place the DB in another DMZ.
Rule of thumb is to never give direct or indirect access from outside to a LAN machine; this is dangerous and every security-minded IT'er would agree.
It may sound paranoid, but one can never be cautious enough.
You can have a cheap reverse proxy with Apache web server by enabling reverse proxy mode.
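
The Apache reverse proxy mode mentioned in the answer above, sketched as a configuration for the host in DMZ-Public. This is an added example, not part of the original post; the public name `www.example.com`, the backend address `192.0.2.10` (standing in for the IIS server in DMZ-Webserver), the log file names and the module paths are assumed placeholders.

```apache
# Added example: Apache httpd 2.x as a reverse proxy on the DMZ-Public host.
# Assumed placeholders: www.example.com (public site name) and 192.0.2.10
# (IIS server in DMZ-Webserver). Module paths vary by installation.
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

<VirtualHost *:80>
    ServerName www.example.com

    # Reverse proxy only. With "ProxyRequests On" this host would act as a
    # forward proxy that outside clients could relay arbitrary requests through.
    ProxyRequests Off

    # Pass the client's Host header through so IIS selects the right site binding.
    ProxyPreserveHost On

    # Map the whole site to the single backend. No other destination is
    # reachable through this proxy, so the firewall between DMZ-Public and
    # DMZ-Webserver only needs to permit this host to 192.0.2.10 on TCP 80.
    ProxyPass        "/" "http://192.0.2.10/"

    # Rewrite Location headers on backend redirects so clients are never
    # sent the backend address.
    ProxyPassReverse "/" "http://192.0.2.10/"

    # Log at the proxy as well as on IIS; IIS will see the proxy's address
    # as the client, so the original client IP is recorded here.
    ErrorLog  logs/proxy_error.log
    CustomLog logs/proxy_access.log combined
</VirtualHost>
```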

ASKER CERTIFIED SOLUTION
pfftdives