Should I move our web server to the DMZ?

Posted on 2006-06-06
Last Modified: 2013-11-16
Currently we are running a web server on a Windows XP Pro PC behind our firewall. It is currently running Apache and MySQL to support our sites. Our current network configuration is

internet ->router->Pix 515e->switch-> file servers, web server, exchange server, pcs, etc...

I am thinking about purchasing the DMZ add-in card for the Cisco PIX and putting the web servers in the DMZ. Would this be ideal or is there a better configuration? Also, would a WatchGuard X500 or X700 be more beneficial to me than the PIX?
Question by:quahitis
    LVL 6

    Assisted Solution

    If the web server is only accessed internally then there should not be any problems with it being on the network.  However, if the web server can be accessed externally then I would move it to the DMZ quickly.

    I have used WatchGuards in the past and they are solid firewalls and easy to configure and maintain.  I do not have that much experience with Cisco PIXes, but I am sure someone else can comment on the two.  Any reason for looking at another product?
    LVL 12

    Assisted Solution

    I agree with Nzarth.

    I currently have a WatchGuard X500 and it's nice because you can have the web server on a DMZ by itself (not on your network, or on your network) and can sleep at night. WatchGuards are very granular in that you can specify what it should and should not allow through the 'optional' DMZ port, as well as other ports. Also, WatchGuards can stop viruses at the gates totally. If you run email, this is a VERY nice feature to have, considering most viruses come in through email. I can't speak for PIX either (can it do that?). The new UTM (Unified Threat Management: antivirus, antispam, intrusion detection/prevention, etc.) machines like the X500 are really a cool device to have on your network.

    Hope this helps
    LVL 5

    Accepted Solution

    Any machines that can be connected to from the internet should be in a DMZ separate from your internal network.

    Ideally machines in the DMZ should not be able to connect into your internal network, and access from the internal network into the DMZ should be strictly controlled.

    In addition to web servers things like web mail etc would also usually reside in a DMZ.

    With more complex networks it is not uncommon to have several DMZs.

    I can't comment on the pros and cons of WatchGuard vs PIX and I have very little experience of PIX.  I have used a couple of WatchGuards in similar installations to that which you describe and they were reliable and easy to manage.


    LVL 13

    Assisted Solution

    I agree with everyone: shift your web server to the DMZ.

    I am using a PIX 515E with a DMZ.

    I find it easy to maintain the DMZ from a single point. If you install a WatchGuard, will you replace your existing PIX?
    If not, then add the DMZ module to the PIX.

    I cannot compare WatchGuard with PIX as I have very little experience with WatchGuard. But as far as the PIX stands, it's a very solid firewall.

    One advantage I see in using the DMZ module in the existing PIX is that you can manage your DMZ, internal and external networks from a single console. If you install a WatchGuard you have a different console for the DMZ.

    So if you want to configure a rule from the DMZ to internal, you would have to do it on two separate firewalls.

    That's the only point I can think of.
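    The three-zone policy the accepted answer lays out (the Internet may reach only the web server's HTTP/HTTPS ports, the DMZ cannot initiate connections into the internal LAN, and internal-to-DMZ access is allowed but narrowed) looks roughly like this on a PIX 515E with a third interface, which is the "single console" arrangement the last answer prefers. This is an added example written for this page in PIX 6.x syntax, not configuration posted by any of the participants. The interface name ethernet2, the addresses 203.0.113.0/24 (outside), 10.0.0.0/24 (inside) and 192.168.50.0/24 (DMZ), the public address 203.0.113.10, the management host 10.0.0.5 and the ACL names are all assumed. Lines beginning with ! are annotations for the reader, not PIX commands.

```text
! --- Third interface becomes the DMZ (security level between inside=100 and outside=0)
interface ethernet2 auto
nameif ethernet2 dmz security50
ip address dmz 192.168.50.1 255.255.255.0

! --- Address translation (assumed addressing, see lead-in)
! Inside and DMZ hosts share the outside address (PAT) for outbound traffic.
nat (inside) 1 10.0.0.0 255.255.255.0
nat (dmz) 1 192.168.50.0 255.255.255.0
global (outside) 1 interface
! Inside hosts keep their real addresses when they talk to the DMZ (identity static).
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.255.0
! The web server is published on a dedicated public address.
static (dmz,outside) 203.0.113.10 192.168.50.10 netmask 255.255.255.255

! --- Internet -> DMZ: only HTTP and HTTPS, and only to the web server.
! Everything else from outside stays blocked by the ACL's implicit deny.
access-list outside_in remark Public web server only
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-list outside_in permit tcp any host 203.0.113.10 eq https
access-group outside_in in interface outside

! --- DMZ -> anywhere: deny the internal LAN first, then allow just what the
! web server needs outbound (DNS, and HTTP/HTTPS for patches). The implicit
! deny at the end already blocks DMZ->inside; the explicit entry keeps it
! blocked even if someone later appends a broad permit.
access-list dmz_out remark A compromised DMZ host must not reach the LAN
access-list dmz_out deny ip 192.168.50.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list dmz_out permit udp host 192.168.50.10 any eq domain
access-list dmz_out permit tcp host 192.168.50.10 any eq www
access-list dmz_out permit tcp host 192.168.50.10 any eq https
access-group dmz_out in interface dmz

! --- Inside -> DMZ: allowed by default (higher to lower security level), so
! narrow it to the web ports plus one admin path from a single management host.
! The final permit keeps ordinary Internet access for the LAN.
access-list inside_out remark Inside reaches the DMZ web server only on listed ports
access-list inside_out permit tcp 10.0.0.0 255.255.255.0 host 192.168.50.10 eq www
access-list inside_out permit tcp 10.0.0.0 255.255.255.0 host 192.168.50.10 eq https
access-list inside_out permit tcp host 10.0.0.5 host 192.168.50.10 eq 3389
access-list inside_out deny ip any 192.168.50.0 255.255.255.0
access-list inside_out permit ip 10.0.0.0 255.255.255.0 any
access-group inside_out in interface inside
```

    Because the web server in the question runs Apache and MySQL on the same box, nothing in the DMZ needs to reach inward at all. If the database is ever moved to an internal host, add a single permit from 192.168.50.10 to that host's database port ahead of the deny in dmz_out rather than loosening the DMZ-to-inside rule generally. After applying the policy, `show access-list` on the PIX shows hit counts per entry, which is the quickest way to confirm that the deny line is actually catching DMZ-to-LAN attempts and that the outside ACL is only seeing 80/443.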

