Solved

Best security config

Posted on 2004-08-30
4
Medium Priority
157 Views
Last Modified: 2010-04-22
Currently we have two webservers (3 sites) and Pound (Linux redirector) in our DMZ with pinholes allowing the webservers access to our database. Is this the best/most secure way to have this setup, or would it be better to have Pound only in the DMZ, with pinholes through to the webservers? Is there another way we should be configuring our network?
Our webservers run Apache with PHP5.
Thanks
D.
0
Question by:maunded
4 Comments
 
LVL 6

Expert Comment

by:bloemkool1980
ID: 11930063
The advantage of having your redirector in a separate DMZ is that once the redirector is compromised they have limited access to your webservers.
Now if your webservers have only port 80 open then the separate DMZ has little value. But now it is up to you: if you have the hardware to do it, then do it. The security increase is little, but every little step you take will make it more secure.
If you have 2 lines of firewalls I would have:

On the exterior firewall a DMZ with your redirector and a DMZ with the actual webservers. All webservers are inaccessible unless traffic comes from the redirector.
On the inside firewalls I would create a DMZ for your database servers; these can only be accessed from the 3 webservers.
0
 
LVL 1

Author Comment

by:maunded
ID: 11936683
We only have one firewall; port 80 is being forwarded to the redirector in the DMZ, then the redirector is forwarding based on host header. We have 22 open on the web servers (along with 80) also so I can do admin stuff on them from the LAN, but 22 isn't forwarding on the firewall, and they are the only ports that are open on the webservers.
From the DMZ to the LAN only the 2 webservers have access through 1433 to the databases.
Does this sound secure? What's the advantage of having 2 firewalls over our current config?
0
 
LVL 6

Accepted Solution

by:
bloemkool1980 earned 750 total points
ID: 11939155
That you have 2 lines of defense; this is useful if you use 2 different brands of firewalls.
On the outside PIX (Cisco), on the inside Checkpoint, for example.
This means that if a bug exists in one of the brands it cannot be used to access the LAN easily.
0
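As an added example (not code from the thread, from Pound, or from either participant), the following is a small reachability model comparing the asker's single-DMZ layout with the layered layout the accepted answer describes. It makes the answer's point concrete: what a foothold on the redirector can reach in each design. Host names (pound, web1, web2, db, admin, outside) and zone names are constructed for the example; the open ports (80 on the redirector, 80 and 22 on the webservers, 1433 on the database) are the ones the thread gives. The model assumes that hosts on the same segment can reach each other without filtering, which is exactly why a separate DMZ for the redirector buys something.

```python
"""Reachability model for the two DMZ layouts discussed above (constructed example)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple

Flow = Tuple[str, int]  # (destination host, TCP destination port)


@dataclass(frozen=True)
class Rule:
    """One firewall pinhole: src is a host or a zone name, dst is a host."""
    src: str
    dst: str
    port: int


@dataclass
class Layout:
    zones: Dict[str, str]                  # host -> segment it sits on
    listening: Dict[str, FrozenSet[int]]   # host -> TCP ports it has open
    rules: FrozenSet[Rule]

    def permitted(self, src: str, dst: str, port: int) -> bool:
        """True if src can open a TCP connection to dst:port under this layout."""
        if port not in self.listening.get(dst, frozenset()):
            return False                    # nothing listening, nothing exposed
        if self.zones[src] == self.zones[dst]:
            return True                     # assumption: no intra-segment filtering
        src_names = {src, self.zones[src]}
        return any(r.dst == dst and r.port == port and r.src in src_names
                   for r in self.rules)

    def reachable_from(self, src: str) -> Set[Flow]:
        """Every (host, port) a foothold on src could connect to."""
        return {(h, p) for h, ports in self.listening.items() if h != src
                for p in ports if self.permitted(src, h, p)}


# Open ports as stated in the thread; "outside" stands in for any Internet host,
# "admin" for the LAN workstation used for SSH administration (both assumed).
OPEN = {
    "pound": frozenset({80}),
    "web1": frozenset({80, 22}),
    "web2": frozenset({80, 22}),
    "db": frozenset({1433}),
    "outside": frozenset(),
    "admin": frozenset(),
}

# The asker's layout: one firewall, one DMZ shared by Pound and both
# webservers, databases on the LAN, 22 reachable from the LAN only.
CURRENT = Layout(
    zones={"outside": "internet", "pound": "dmz", "web1": "dmz",
           "web2": "dmz", "db": "lan", "admin": "lan"},
    listening=OPEN,
    rules=frozenset({
        Rule("internet", "pound", 80),     # port 80 forwarded to the redirector
        Rule("web1", "db", 1433),          # pinholes for the two webservers
        Rule("web2", "db", 1433),
        Rule("lan", "web1", 22),           # admin from the LAN, not forwarded
        Rule("lan", "web2", 22),
    }),
)

# The layered layout from the answers: redirector, webservers and database on
# separate segments, webservers reachable on 80 only from the redirector.
PROPOSED = Layout(
    zones={"outside": "internet", "pound": "dmz_front", "web1": "dmz_web",
           "web2": "dmz_web", "db": "dmz_db", "admin": "lan"},
    listening=OPEN,
    rules=frozenset({
        Rule("internet", "pound", 80),
        Rule("pound", "web1", 80),
        Rule("pound", "web2", 80),
        Rule("web1", "db", 1433),
        Rule("web2", "db", 1433),
        Rule("lan", "web1", 22),
        Rule("lan", "web2", 22),
    }),
)


def blast_radius(layout: Layout, foothold: str) -> Set[Flow]:
    """Flows that become available once `foothold` is compromised."""
    return layout.reachable_from(foothold)


if __name__ == "__main__":
    for name, layout in (("current", CURRENT), ("proposed", PROPOSED)):
        print(name, "from pound:", sorted(blast_radius(layout, "pound")))
        print(name, "from web1: ", sorted(blast_radius(layout, "web1")))
```

Run it and the difference the answer is describing shows up directly: in the single-DMZ layout a compromised redirector can reach both 80 and 22 on each webserver (the SSH port is open for LAN administration and nothing filters inside the segment), while in the layered layout it reaches only port 80. From the Internet both layouts expose only the redirector's port 80, so the extra segment changes nothing for the front door and everything for what happens after it is breached.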
 
LVL 1

Author Comment

by:maunded
ID: 11961843
I see your point, and since no-one else attempted to answer, point to you!
Thanks bloemkool1980
0
