Solved

Best security config

Posted on 2004-08-30
4
151 Views
Last Modified: 2010-04-22
Currently we have two webservers (3 sites) and Pound (Linux redirector) in our DMZ, with pinholes allowing the webservers access to our database.  Is this the best/most secure way to have this set up, or would it be better to have Pound only in the DMZ, with pinholes through to the webservers?  Is there another way we should be configuring our network?
Our webservers run Apache with PHP5.
Thanks
D.
Question by:maunded
4 Comments
 
LVL 6

Expert Comment

by:bloemkool1980
ID: 11930063
The advantage of having your redirector in a separate DMZ is that once the redirector is compromised they have limited access to your webservers.
Now if your webservers have only port 80 open then the separate DMZ has little value. But now it is up to you: if you have the hardware to do it, then do it. The security increase is little, but every little step you take will make it more secure.
If you have 2 lines of firewalls I would have:

On the exterior firewall a DMZ with your redirector and a DMZ with the actual webservers. All webservers are inaccessible unless traffic comes from the redirector.
On the inside firewall I would create a DMZ for your database servers; these can only be accessed from the 3 webservers.
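The tiered layout in the comment above (a redirector DMZ in front, a web-server DMZ behind it that only the redirector may reach, and a database segment that only the web servers may reach) is easy to state and easy to get wrong in a rule table. The following policy model is an added example, not code from the poster or from Pound: it encodes that design as a first-match rule table with default deny and evaluates the flows a reviewer would want to check, including what a compromised redirector can still reach. The zone names, the RFC 5737/RFC 1918 address plan and the test flows are assumptions made for this example; the thread itself only fixes ports 80, 22 and 1433.

```python
"""
Policy model of the two-DMZ design discussed above.
Zones, addresses and the rule table are assumptions for this example;
the thread only fixes the ports (80 to the web tier, 22 for admin,
1433 from the web tier to SQL Server).
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical address plan (RFC 5737 documentation range for the DMZs,
# RFC 1918 for the inside LAN).
ZONES = {
    "internet":  "0.0.0.0/0",
    "dmz_redir": "192.0.2.0/28",    # Pound redirector
    "dmz_web":   "192.0.2.16/28",   # the two Apache/PHP web servers
    "lan_db":    "10.0.0.0/24",     # SQL Server (1433) and admin hosts
}


@dataclass(frozen=True)
class Rule:
    src: str      # source zone name
    dst: str      # destination zone name
    dport: int    # destination TCP port
    action: str   # "allow" or "deny"


# First-match rule table; anything not listed falls through to deny.
POLICY = [
    Rule("internet",  "dmz_redir", 80,   "allow"),  # only the redirector is published
    Rule("dmz_redir", "dmz_web",   80,   "allow"),  # web tier reachable only via redirector
    Rule("dmz_web",   "lan_db",    1433, "allow"),  # pinhole to the database
    Rule("lan_db",    "dmz_web",   22,   "allow"),  # admin SSH from the LAN only
    Rule("lan_db",    "dmz_redir", 22,   "allow"),
]


def zone_of(ip):
    """Return the most specific zone containing ip (longest prefix wins,
    so a LAN host is 'lan_db' even though 0.0.0.0/0 also matches)."""
    addr = ipaddress.ip_address(ip)
    best = None
    for name, cidr in ZONES.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (name, net)
    return best[0]


def evaluate(src_ip, dst_ip, dport, policy=POLICY):
    """First-match evaluation with an implicit default deny."""
    s, d = zone_of(src_ip), zone_of(dst_ip)
    for rule in policy:
        if rule.src == s and rule.dst == d and rule.dport == dport:
            return rule.action
    return "deny"


# Flows a reviewer would check against the design (constructed sample input).
CASES = {
    "internet->redirector:80": ("203.0.113.5", "192.0.2.2",  80),
    "internet->web:80":        ("203.0.113.5", "192.0.2.18", 80),    # must be denied
    "internet->web:22":        ("203.0.113.5", "192.0.2.18", 22),    # must be denied
    "redirector->web:80":      ("192.0.2.2",   "192.0.2.18", 80),
    "redirector->db:1433":     ("192.0.2.2",   "10.0.0.10",  1433),  # the point of the split
    "web->db:1433":            ("192.0.2.18",  "10.0.0.10",  1433),
    "web->lan:22":             ("192.0.2.18",  "10.0.0.10",  22),    # DMZ must not reach LAN
    "lan->web:22":             ("10.0.0.50",   "192.0.2.18", 22),
}


def check_policy(policy=POLICY):
    """Verdict for every flow in CASES."""
    return {name: evaluate(s, d, p, policy) for name, (s, d, p) in CASES.items()}


def reachable_from(zone, policy=POLICY):
    """Blast radius: the (zone, port) pairs a compromised host in `zone`
    could still reach under the policy."""
    return {(r.dst, r.dport) for r in policy if r.src == zone and r.action == "allow"}


if __name__ == "__main__":
    for name, verdict in check_policy().items():
        print(f"{name:28s} {verdict}")
    print("blast radius of redirector:", reachable_from("dmz_redir"))
    print("blast radius of web tier:  ", reachable_from("dmz_web"))
```

The `reachable_from` check is the one that justifies the extra DMZ: with the redirector in its own zone, a compromised Pound host can only open port 80 to the web servers, never 1433 to the database. Put the redirector in the same zone as the web servers (collapse `dmz_redir` into `dmz_web`) and that set grows to include the database pinhole, which is the "little value" case the comment describes.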
 
LVL 1

Author Comment

by:maunded
ID: 11936683
We only have one firewall; port 80 is being forwarded to the redirector in the DMZ, then the redirector is forwarding based on host header.  We have 22 open on the web servers (along with 80) also, so I can do admin stuff on them from the LAN, but 22 isn't forwarded on the firewall, and they are the only ports that are open on the webservers.
From the DMZ to the LAN only the 2 webservers have access through 1433 to the databases.
Does this sound secure?  What's the advantage of having 2 firewalls over our current config?
 
LVL 6

Accepted Solution

by: bloemkool1980 (earned 250 total points)
ID: 11939155
That you have 2 lines of defense; this is useful if you use 2 different brands of firewalls.
On the outside a PIX (Cisco), on the inside a Checkpoint, for example.
This means that if a bug exists in one of the brands it cannot be used to access the LAN easily.
 
LVL 1

Author Comment

by:maunded
ID: 11961843
I see your point, and since no one else attempted to answer, points to you!
Thanks bloemkool1980