Solved

Best security config

Posted on 2004-08-30
Last Modified: 2010-04-22
Currently we have two webservers (3 sites) and Pound (linux redirector) in our dmz with pinholes allowing the webservers access to our database.  Is this the best/most secure way to have this setup, or would it be better to have pound only in the dmz, with pinholes thru to the webservers?  Is there another way we should be configuring our network?
Our webservers run Apache with PHP5.
Thanks
D.
Question by:maunded
4 Comments
 
LVL 6

Expert Comment

by:bloemkool1980
ID: 11930063
The advantage of having your redirector in a separate DMZ is that once the redirector is compromised they have limited access to your webservers.
Now if your webservers have only port 80 open then the separate DMZ has little value. But
Now it is up to you: if you have the hardware to do it, then do it. The security increase is little, but every little step you take will make it more secure.
If you have 2 lines of firewalls I would have:

On the exterior firewall a DMZ with your redirector and a DMZ with the actual webservers. All webservers are inaccessible unless traffic comes from the redirector.
On the inside firewalls I would create a DMZ for your database servers; these can only be accessed from the 3 webservers.
0
 
LVL 1

Author Comment

by:maunded
ID: 11936683
We only have one firewall, port 80 is being forwarded to the redirector in the dmz, then the redirector is forwarding based on host header.  We have 22 open on the web servers (along with 80) also so I can do admin stuff on them from the LAN, but 22 isn't forwarding on the firewall, and they are the only ports that are open on the webservers.
From the dmz to the lan only the 2 webservers have access thru 1433 to the databases.
Does this sound secure?  What's the advantage of having 2 firewalls over our current config?
0
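Added example, not part of any post in this thread: a small Python model of the layout described above, comparing what a compromised redirector can connect to directly when it shares a DMZ with the webservers and when it sits in its own segment. Host names, zone names and the `admin-lan` source are hypothetical labels; ports 80, 22 and 1433 are the ones named in the thread, and the model assumes hosts in the same segment reach each other without crossing the firewall.

```python
# Added example: which services a compromised redirector can reach directly,
# shared DMZ versus split DMZ. Host and zone names are hypothetical labels;
# ports 80, 22 and 1433 are the ones named in the thread.

LISTENING = {"redirector": {80}, "web1": {80, 22}, "web2": {80, 22}, "db": {1433}}

# Firewall pinholes as (source, destination, port); anything else is denied.
PINHOLES = {
    ("internet", "redirector", 80),
    ("web1", "db", 1433), ("web2", "db", 1433),
    ("admin-lan", "web1", 22), ("admin-lan", "web2", 22),
}
# Extra pinholes needed once the redirector sits in its own segment.
SPLIT_PINHOLES = PINHOLES | {("redirector", "web1", 80), ("redirector", "web2", 80)}

SHARED_DMZ = {"redirector": "dmz", "web1": "dmz", "web2": "dmz", "db": "lan"}
SPLIT_DMZ = {"redirector": "dmz-proxy", "web1": "dmz-web", "web2": "dmz-web", "db": "lan"}


def exposed(src, zones, pinholes, listening=LISTENING):
    """Services src can connect to without any further compromise.

    Assumption: hosts in the same segment talk directly, so the firewall never
    sees that traffic and every listening port is reachable (no host firewall).
    """
    reachable = set()
    for dst, ports in listening.items():
        if dst == src:
            continue
        same_segment = src in zones and zones[src] == zones[dst]
        for port in ports:
            if same_segment or (src, dst, port) in pinholes:
                reachable.add((dst, port))
    return reachable


def removed_by_split(src, listening=LISTENING):
    """Services src loses direct access to when the DMZ is split."""
    return (exposed(src, SHARED_DMZ, PINHOLES, listening)
            - exposed(src, SPLIT_DMZ, SPLIT_PINHOLES, listening))


if __name__ == "__main__":
    print("shared:", sorted(exposed("redirector", SHARED_DMZ, PINHOLES)))
    print("split: ", sorted(exposed("redirector", SPLIT_DMZ, SPLIT_PINHOLES)))
    print("removed by split:", sorted(removed_by_split("redirector")))
```

Passing a `listening` map with only port 80 on the webservers makes `removed_by_split("redirector")` return an empty set, which is the case where the first answer says the separate DMZ has little value.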
 
LVL 6

Accepted Solution

by:
bloemkool1980 earned 750 total points
ID: 11939155
That you have 2 lines of defense; this is useful if you use 2 different brands of firewalls.
On the outside PIX (Cisco), on the inside (Check Point), for example.
This means that if a bug exists in one of the brands it cannot be used to access the LAN easily.
0
 
LVL 1

Author Comment

by:maunded
ID: 11961843
I see your point, and since no-one else attempted to answer, point to you!
Thanks bloemkool1980
0
