Should I move our web server to the DMZ?

Posted on 2006-06-06
Medium Priority
Last Modified: 2013-11-16
Currently we are running a web server on a Windows XP Pro PC behind our firewall. It is currently running Apache and MySQL to support our sites. Our current network configuration is:

internet -> router -> Pix 515e -> switch -> file servers, web server, exchange server, pcs, etc...

I am thinking about purchasing the DMZ add-in card for the Cisco Pix and putting the web servers in the DMZ. Would this be ideal or is there a better configuration? Also, would a Watchguard X500 or X700 be more beneficial to me than the Pix?
Question by: quahitis

Assisted Solution

Nzarth earned 400 total points
ID: 16849709
If the web server is only accessed internally then there should not be any problems with it being on the network.  However, if the web server can be accessed externally then I would move it to the DMZ quickly.

I have used Watchguards in the past and they are solid firewalls and easy to configure and maintain.  I do not have that much experience with Cisco Pixs, but I am sure someone else can comment on the two.  Any reason for looking at another product?
LVL 12

Assisted Solution

NetAdmin2436 earned 400 total points
ID: 16849827
I agree with Nzarth.

I currently have a Watchguard X500 and it's nice because you can have the webserver on a DMZ by itself (not on your network or on your network) and can sleep at night. Watchguards are very granular in that you can specify what and what not it should allow through the 'optional' DMZ port, as well as other ports. Also, Watchguards can stop viruses at the gates totally. If you run email, this is a VERY nice feature to have, considering most viruses come in through email. I can't speak for PIX either (can it do that?). The new UTM (Unified Threat Management: antivirus, antispam, intrusion detection/prevention, etc.) machines like the X500 are really a cool device to have on your network.

Hope this helps

Accepted Solution

kevinf40 earned 800 total points
ID: 16850286
Any machines that can be connected to from the internet should be in a DMZ separate from your internal network.

Ideally machines in the DMZ should not be able to connect into your internal network, and access from the internal network into the DMZ should be strictly controlled.

In addition to web servers things like web mail etc would also usually reside in a DMZ.

With more complex networks it is not uncommon to have several DMZs.

I can't comment on the pros and cons of Watchguard vs. Pix, and I have very little experience of Pix.  I have used a couple of Watchguards in similar installations to that which you describe and they were reliable and easy to manage.


LVL 13
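The three principles in the accepted answer (internet reaches only the published DMZ service, the DMZ never initiates into the internal network, inside-to-DMZ access is limited to what is needed) can be expressed as a first-match zone policy and audited before it is loaded into a firewall. The following is an added example, not code from the thread or from any Pix/Watchguard product; the address ranges, ports and rule table are constructed for illustration.

```python
# Added example: a small zone-policy model of the outside / dmz / inside layout
# recommended above. Addresses, ports and rules are constructed, not from the thread.
from ipaddress import ip_address, ip_network
from typing import List, NamedTuple, Optional, Tuple

INSIDE = ip_network("192.168.1.0/24")     # constructed internal LAN
DMZ = ip_network("192.168.100.0/24")      # constructed DMZ segment
WEB = "192.168.100.10"                    # constructed DMZ web server address


def zone_of(addr: str) -> str:
    """Map an address to the firewall zone it lives in."""
    ip = ip_address(addr)
    if ip in INSIDE:
        return "inside"
    if ip in DMZ:
        return "dmz"
    return "outside"


class Rule(NamedTuple):
    src_zone: str
    dst_zone: str
    dst_host: Optional[str]   # None = any host in dst_zone
    dst_port: Optional[int]   # None = any port
    action: str               # "permit" or "deny"


# First-match table; anything not matched falls through to DEFAULT.
POLICY: List[Rule] = [
    Rule("outside", "dmz", WEB, 80, "permit"),      # published web service only
    Rule("outside", "dmz", WEB, 443, "permit"),
    Rule("dmz", "inside", None, None, "deny"),      # DMZ never initiates inward
    Rule("inside", "dmz", WEB, 80, "permit"),       # staff may browse the site
    Rule("inside", "dmz", WEB, 3389, "permit"),     # assumed admin access (RDP)
]
DEFAULT = "deny"

Flow = Tuple[str, str, int]   # (source address, destination address, dest port)


def evaluate(src: str, dst: str, dport: int, policy: List[Rule] = POLICY) -> str:
    """Return the first-match verdict for a flow crossing the firewall."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz == dz:
        return "permit"   # same segment: the firewall does not mediate it
    for r in policy:
        if (r.src_zone, r.dst_zone) != (sz, dz):
            continue
        if r.dst_host not in (None, dst) or r.dst_port not in (None, dport):
            continue
        return r.action
    return DEFAULT


def audit(policy: List[Rule], flows: List[Flow]) -> List[Flow]:
    """Flows the policy would permit from the DMZ into the internal network.
    An empty list means the 'DMZ must not reach inside' principle holds."""
    return [f for f in flows
            if zone_of(f[0]) == "dmz" and zone_of(f[1]) == "inside"
            and evaluate(*f, policy=policy) == "permit"]


# Constructed sample flows to check against the policy.
FLOWS: List[Flow] = [
    ("203.0.113.5", WEB, 80),          # internet visitor to the site
    ("203.0.113.5", WEB, 3306),        # internet probing MySQL on the web box
    ("203.0.113.5", "192.168.1.20", 80),
    (WEB, "192.168.1.20", 445),        # compromised web server reaching a file server
    ("192.168.1.20", WEB, 3389),       # admin session from the LAN
]

if __name__ == "__main__":
    for f in FLOWS:
        print(f, "->", evaluate(*f))
    print("DMZ-to-inside violations:", audit(POLICY, FLOWS))
```

Prepending a careless `Rule("dmz", "inside", None, None, "permit")` makes `audit` report the web-server-to-file-server flow, which is exactly the exposure the DMZ is meant to prevent.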

Assisted Solution

prashsax earned 400 total points
ID: 16850977
I would agree with everyone: shift your web server to the DMZ.

I am using PIX 515e with DMZ.

I find it easy to maintain the DMZ from a single point. If you install Watchguard, will you replace your existing PIX?
If not, then add the DMZ module on the PIX.

I cannot compare Watchguard with PIX as I have very little experience with Watchguard. But as far as PIX stands, it's a very solid firewall.

One advantage I see in using the DMZ module in the existing PIX is that you can manage your DMZ, internal and external network from a single console. If you install Watchguard you have a different console for the DMZ.

So if you want to configure a rule from the DMZ to internal, you would have to do it on two separate firewalls.

That's the only point I can think of.

