• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 160
  • Last Modified:

Best secuirty config

Currently we have two webservers (3 sites) and Pound (linux redirector) in our dmz with pinholes allowing the webservers access to our database.  Is this the best/most secure way to have this setup, or would it be better to have pound only in the dmz, with pinholes thru to the webservers?  Is there another way we should be configuring our network?
Our webservers run Apache with PHP5.
  • 2
  • 2
1 Solution
The advantage of having your redirector in a seperate dmz is that once the redictor is comprimed they have limited access to your webservers.
Now if you webservers have only port 80 open then the seperate dmz has little value. But
Now it is up to you if you have the hardware to do it then do it. THe security increase is littly but every little step you take will make it more secure.
If you have 2 lines of firewalls I would have:

On the exterior firewall a DMZ with your redirector and a DMZ with the actual webservers. All webservers are unaccessble unless traffic comes from the redirector.
ON the inside firewalls I would create a DMZ for your database servers these can only be accessed from the 3 webservers.
maundedAuthor Commented:
We only have one firewall, port 80 is being forwarded to the redirector in the dmz, then the redirector is forwarding based on host header.  We have 22 open on the web servers (along with 80) also so I can do admin stuff on them from the LAN, but 22 isnt forwarding on the firewall, and they are the only ports that are open on the webservers.
From the dmz to the lan only the 2 webservers have access thru 1433 to the databases.
Does this sound secure?  Whats the advantage of having 2 firewalls over our current config?
That you have 2 lines of defense this is useful if you use 2 different brands of firewalls.
ON the outside PIX (CISCO) on the inside (checkpoint) for example.
This means that if a bug exists in one of the brands it cannot be used to access the LAN easely.
maundedAuthor Commented:
I see your point, and since no-one else attempted to answer, point to you!
Thanks bloemkool1980
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

WEBINAR: GDPR Implemented - Tips & Lessons Learned

Join the WatchGuard team on Thursday, March 29th as we recount some valuable lessons learned in weighing the needs of a business against the new regulatory environment, look ahead at the two months left before implementation, and help you understand the steps you can take today!

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now