Link to home
Start Free TrialLog in
Avatar of maunded
maunded

asked on

Best secuirty config

Currently we have two webservers (3 sites) and Pound (linux redirector) in our dmz with pinholes allowing the webservers access to our database.  Is this the best/most secure way to have this setup, or would it be better to have pound only in the dmz, with pinholes thru to the webservers?  Is there another way we should be configuring our network?
Our webservers run Apache with PHP5.
Thanks
D.
Avatar of bloemkool1980
bloemkool1980

The advantage of having your redirector in a seperate dmz is that once the redictor is comprimed they have limited access to your webservers.
Now if you webservers have only port 80 open then the seperate dmz has little value. But
Now it is up to you if you have the hardware to do it then do it. THe security increase is littly but every little step you take will make it more secure.
If you have 2 lines of firewalls I would have:

On the exterior firewall a DMZ with your redirector and a DMZ with the actual webservers. All webservers are unaccessble unless traffic comes from the redirector.
ON the inside firewalls I would create a DMZ for your database servers these can only be accessed from the 3 webservers.
Avatar of maunded

ASKER

We only have one firewall, port 80 is being forwarded to the redirector in the dmz, then the redirector is forwarding based on host header.  We have 22 open on the web servers (along with 80) also so I can do admin stuff on them from the LAN, but 22 isnt forwarding on the firewall, and they are the only ports that are open on the webservers.
From the dmz to the lan only the 2 webservers have access thru 1433 to the databases.
Does this sound secure?  Whats the advantage of having 2 firewalls over our current config?
ASKER CERTIFIED SOLUTION
Avatar of bloemkool1980
bloemkool1980

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of maunded

ASKER

I see your point, and since no-one else attempted to answer, point to you!
Thanks bloemkool1980