Webserver location in respect to data being stored... SSL/ DMZ?

Posted on 2007-07-25
Last Modified: 2009-07-29
We have a company product management solution that stores sensitive customer information and company-sensitive information.  The box is also to provide portal access via browsers to customers, allowing them to log and look up their calls, etc.  We originally did not put this box in a DMZ because it had to be joined to our internal domain and because it had sensitive information.  We are at the phase where we need to publish the portal as a website (IIS is on the box) in order for customers and remote employees to gain access to the portal.   I am trying to figure out the best network configuration (location) for this box.   Yes, the box is running IIS, has a published www site, FTP, and virtual SMTP, and SQL 2005 as the database store for the management product.  The box is presently located within our LAN behind our firewall.

1. My plan is to just leave it within the network and implement SSL for access via https.

Any other ideas/recommendations?
Question by:dee30

    Expert Comment

    Use HTTPS and make sure the server has a local firewall that you can lock down to only the most essential services.  The other option would be to split the database and the web app onto separate boxes.  DMZ the web app and create specific rules in the firewall to only allow traffic from the DMZ machine to the database on the specific ports you need.  While this might not prevent the web app server from being compromised if some security flaw were discovered, it would better shield the database from being compromised.  Just remember, when you have a server with multiple functions, that if one function is compromised it's likely that the other one doesn't have to be in order to lose data.

    Author Comment

    Yes, you would think the manufacturers of the product would have had that latter style of implementation as an option, separating the database from the web server as you mentioned, which would enable you to properly place a web server out in a DMZ and keep your data (SQL database) more secure and within the LAN where you'd want it because of what it's storing.  BUT NO, three years ago their requirement was one box for everything, a cloak-and-dagger install, and NO OPINION or INSIGHTS when asked about best practices and how their customers are dealing with deploying a web server with sensitive customer and internal data within their network scheme.  I'm sure you can sense my irritation when I remember how this all went down.  

    Anyway, please clarify what you mean by local firewall.  I'm assuming you're saying, in addition to the firewall that the LAN sits behind, to also implement a local (software?) firewall on the box itself?  I think I'm just going to go with the SSL route.



    Accepted Solution

    The SSL route is the way to go.  You should only need a port forward for the web/SSL traffic, and just make sure IIS and Windows are patched.  It does suck that you can't separate the database from the web app portion.  I'm sure you already know, but make sure you buy an actual certificate.  Don't self-sign one, because you are dealing with sensitive data; man-in-the-middle attacks against SSL-encrypted websites are easy when the users are used to agreeing to the security warnings the browser will give when dealing with unverified certificates.  Good luck!
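The two comments above describe the same control from two angles: a host firewall on the combined IIS/SQL box that exposes only HTTPS (the accepted solution), and, if the database is ever split off, a rule on the database host that admits SQL only from the portal server (the first expert comment). The script below is an added example written for this editor's notes; it is not from the thread, the product vendor, or any poster. It uses the Windows Firewall with Advanced Security cmdlets that ship with Windows Server 2012 and later (on the 2003/2008-era hosts discussed here the equivalent is `netsh advfirewall`). The IP addresses, subnet and rule names are assumptions, and the port numbers are the Windows defaults for each service.

```powershell
# Added example, not code from the original thread. Host-firewall lockdown for a
# single box running IIS, FTP, virtual SMTP and SQL Server 2005, plus the rule a
# separate database host would carry if the web app were split into a DMZ.
# Requires the NetSecurity module (Windows Server 2012+ / PowerShell 3+) and an
# elevated shell. All addresses and names are assumptions for illustration.

$PortalHostIP = '192.0.2.10'      # assumed: the IIS/portal box (DMZ side)
$AdminSubnet  = '10.0.1.0/24'     # assumed: where administrators RDP from
$Profiles     = 'Domain', 'Private', 'Public'

# 1. Default-deny inbound on every profile. Outbound stays open so Windows
#    Update, domain membership and the product's own callbacks keep working.
Set-NetFirewallProfile -Profile $Profiles -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

# 2. The only service the Internet should reach is HTTPS. Port 80 is left
#    closed so nobody can use the portal without TLS by simply dropping the 's'.
New-NetFirewallRule -DisplayName 'Portal HTTPS (443) inbound' `
    -Direction Inbound -Protocol TCP -LocalPort 443 -Action Allow -Profile Any

# 3. Remote management only from the admin subnet, never from the Internet.
New-NetFirewallRule -DisplayName 'RDP from admin subnet only' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $AdminSubnet -Action Allow

# 4. FTP, SMTP and SQL Server are installed by the product but must not be
#    reachable from outside. Explicit Block rules take precedence over any Allow
#    rule the installer may have created, so these hold even if step 1 is undone.
$Internal = @{ 'FTP' = 21; 'SMTP' = 25; 'SQL Server' = 1433 }
foreach ($svc in $Internal.GetEnumerator()) {
    New-NetFirewallRule -DisplayName "Block $($svc.Key) from Internet" `
        -Direction Inbound -Protocol TCP -LocalPort $svc.Value `
        -RemoteAddress Internet -Action Block
}
# SQL Browser (UDP 1434) answers instance-discovery queries; close it as well.
New-NetFirewallRule -DisplayName 'Block SQL Browser from Internet' `
    -Direction Inbound -Protocol UDP -LocalPort 1434 `
    -RemoteAddress Internet -Action Block

# 5. Mirror-image rule for a separate database host, if the app is ever split:
#    SQL Server accepts connections from the portal box only, so a compromised
#    DMZ web server still cannot reach any other LAN host's data.
#    (Run this on the database host, not on the portal box.)
New-NetFirewallRule -DisplayName 'SQL from portal host only' `
    -Direction Inbound -Protocol TCP -LocalPort 1433 `
    -RemoteAddress $PortalHostIP -Action Allow

# 6. Verify: list every enabled inbound Allow rule with its protocol and port,
#    so nothing the product installer opened silently is left behind.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        '{0,-40} {1,-4} {2}' -f $_.DisplayName, $port.Protocol, $port.LocalPort
    }
```

The perimeter firewall still needs its single port forward for TCP 443 to the portal box; the host rules above are the second layer the first comment calls a "local firewall", and they are what limits the damage when the web application itself is the thing that gets exploited. Step 6 is worth running after every product upgrade, since installers routinely re-add Allow rules for FTP and SQL.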

