Should I move our web server to the DMZ?

Currently we are running a web server on a Windows XP Pro PC behind our firewall. It is currently running Apache and MySQL to support our sites. Our current network configuration is:

internet -> router -> PIX 515e -> switch -> file servers, web server, Exchange server, PCs, etc.

I am thinking about purchasing the DMZ add-in card for the Cisco PIX and putting the web servers in the DMZ. Would this be ideal, or is there a better configuration? Also, would a WatchGuard X500 or X700 be more beneficial to me than the PIX?
Any machines that can be connected to from the internet should be in a DMZ separate from your internal network.

Ideally machines in the DMZ should not be able to connect into your internal network, and access from the internal network into the DMZ should be strictly controlled.

In addition to web servers things like web mail etc would also usually reside in a DMZ.

With more complex networks it is not uncommon to have several DMZs.

I can't comment on the pros and cons of WatchGuard vs PIX, and I have very little experience of PIX. I have used a couple of WatchGuards in installations similar to the one you describe, and they were reliable and easy to manage.

If the web server is only accessed internally then there should not be any problems with it being on the network.  However, if the web server can be accessed externally then I would move it to the DMZ quickly.

I have used WatchGuards in the past and they are solid firewalls and easy to configure and maintain. I do not have that much experience with Cisco PIXs, but I am sure someone else can comment on the two. Any reason for looking at another product?
I agree with Nzarth.

I currently have a WatchGuard X500 and it's nice because you can have the web server on a DMZ by itself (not on your internal network) and can sleep at night. WatchGuards are very granular in that you can specify what it should and should not allow through the 'optional' DMZ port, as well as other ports. Also, WatchGuards can stop viruses at the gates totally. If you run email, this is a VERY nice feature to have, considering most viruses come in through email. I can't speak for PIX either (can it do that?). The new UTM (Unified Threat Management: antivirus, antispam, intrusion detection/prevention, etc.) machines like the X500 are really a cool device to have on your network.

Hope this helps
I would agree with everyone: shift your web server to the DMZ.

I am using PIX 515e with DMZ.

I find it easy to maintain the DMZ from a single point. If you install WatchGuard, will you replace your existing PIX?
If not, then add the DMZ module to the PIX.

I cannot compare WatchGuard with PIX as I have very little experience with WatchGuard. But as far as PIX stands, it's a very solid firewall.

One advantage I see in using the DMZ module in the existing PIX is that you can manage your DMZ, internal and external networks from a single console. If you install WatchGuard you have a different console for the DMZ.

So if you want to configure a rule from the DMZ to internal, you would have to do it on two separate firewalls.

That's the only point I can think of.
