
Webserver location in respect to data being stored... SSL/ DMZ?

We have a company product management solution that stores sensitive customer information and company-sensitive information. The box is also to provide portal access via browsers to customers, allowing them to log and look up their calls, etc. We originally did not put this box in a DMZ b/c it had to be joined to our internal domain and b/c it had sensitive information. We are at the phase where we need to publish the portal as a website (IIS is on the box) in order for customers and remote employees to gain access to the portal. I am trying to figure out the best network configuration (location) for this box. Yes, the box is running IIS, has a published www site, FTP, and virtual SMTP, and SQL 2005 as the database store for the management product. The box is presently located within our LAN behind our firewall.

1. My plan is to just leave it within the network and implement SSL for access via https.

Any other ideas/recommendations?
Asked by: dee30
1 Solution
 
NickGT20 commented:
Use HTTPS and make sure the server has a local firewall that you can lock down to only the most essential services. The other option would be to split the database and the web app to separate boxes. DMZ the web app and create specific rules in the firewall to only allow traffic from the DMZ machine to the database on the specific ports you need. While this might not prevent the Web App Server from being compromised if some security flaw was discovered, it would better shield the database from being compromised. Just remember, when you have a server with multiple functions, that if one function is compromised it's likely that the other one doesn't have to be in order to lose data.
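
As an added illustration of the two things NickGT20 describes here, a local firewall locked down to the essential services and a rule that lets only the DMZ web host reach the database, the following Windows Defender Firewall configuration in PowerShell is editorial example code, not anything posted in this thread. It assumes Windows Server 2012 or later (the NetSecurity module); the DMZ host address, the admin subnet and the SQL port are placeholders rather than values from the discussion.

```powershell
# Added example (not from the thread): host firewall lockdown for the portal box,
# plus the DMZ-to-database rule for the split design.
# Assumes Windows Server 2012+ with the NetSecurity module. All addresses are placeholders.

$dmzWebHost  = '192.0.2.10'        # placeholder: web app host in the DMZ
$adminSubnet = '192.0.2.128/25'    # placeholder: LAN subnet the admins manage from
$sqlPort     = 1433                # placeholder: SQL Server listener port actually in use

# 1. Default-deny inbound on every profile; outbound stays allowed.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

# 2. Single-box case (the asker's situation): the only service customers need is HTTPS.
New-NetFirewallRule -DisplayName 'Portal HTTPS' -Direction Inbound -Protocol TCP `
    -LocalPort 443 -Action Allow -Profile Any

# Management access is restricted to the admin subnet instead of being open to the LAN.
New-NetFirewallRule -DisplayName 'RDP from admin subnet' -Direction Inbound -Protocol TCP `
    -LocalPort 3389 -RemoteAddress $adminSubnet -Action Allow -Profile Any

# The other services the thread mentions (FTP, SMTP) are never customer-facing; an explicit
# block rule makes the decision visible in the rule list even if default-deny is relaxed later.
New-NetFirewallRule -DisplayName 'Block FTP inbound'  -Direction Inbound -Protocol TCP -LocalPort 21 -Action Block
New-NetFirewallRule -DisplayName 'Block SMTP inbound' -Direction Inbound -Protocol TCP -LocalPort 25 -Action Block

# 3. Split case (web app in the DMZ, database on the LAN): this rule belongs on the DATABASE
#    server and admits SQL traffic from the one DMZ host only, on the one port it needs.
New-NetFirewallRule -DisplayName 'SQL from DMZ web app only' -Direction Inbound -Protocol TCP `
    -LocalPort $sqlPort -RemoteAddress $dmzWebHost -Action Allow -Profile Any

# 4. Verify: list every enabled inbound allow rule with its port and permitted sources,
#    so anything broader than the rules above stands out.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule     = $_.DisplayName
            Protocol = $port.Protocol
            Port     = $port.LocalPort
            Remote   = $addr.RemoteAddress
        }
    } | Format-Table -AutoSize
```

The verification step at the end is the part worth keeping as a routine check: on a combined IIS/SQL/FTP/SMTP box, the inbound allow list should reduce to HTTPS plus a tightly scoped management rule, and any rule whose Remote column reads "Any" on a port other than 443 deserves a second look.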
 
dee30 (author) commented:
Yes, you would think the manufacturers of the product would have had that latter style of implementation as an option, separating the database from the webserver as you mentioned, which would enable you to properly place a webserver out in a DMZ and keep your data (SQL database) more secure and within the LAN where you'd want it b/c of what it's storing. BUT NO, three years their requirements were one box for everything, a cloak-and-dagger install and NO OPINION or INSIGHTS when asked about best practices and how their customers are dealing with deploying a webserver with sensitive customer and internal data within their network scheme. I'm sure you can sense my irritation when I remember how this all went down.

Anyway, please clarify what you mean by local firewall. I'm assuming you're saying, in addition to the firewall that the LAN sits behind, to also implement a local firewall (software?) on the box itself? I think I'm just going to go with the SSL route.

Thanks

dee30
 
NickGT20 commented:
The SSL route is the way to go. You should only need a port forward for the web/SSL traffic, and just make sure IIS and Windows are patched. It does suck that you can't separate the database from the web app portion. I'm sure you already know, but make sure you buy an actual certificate. Don't self-sign one, because you are dealing with sensitive data; man-in-the-middle attacks against SSL-encrypted websites are easy when the users are used to agreeing with the security warnings the browser will give when dealing with unverified certificates. Good luck!

Nick
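
An added check, not part of the thread, that turns Nick's certificate advice into something an administrator can verify before customers ever see the portal: a PowerShell function that opens a TLS connection, records the validation errors Windows reports for the presented certificate, and flags a self-signed or untrusted chain. It assumes Windows PowerShell 5.1 or later; portal.example.com is a placeholder host name.

```powershell
# Added example (not from the thread). Reports whether a portal's TLS certificate would be
# trusted by a client that has NOT been trained to click through browser warnings.
# Assumes Windows PowerShell 5.1+; the host name in the usage line is a placeholder.

function Test-PortalCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [int]$Port = 443
    )

    # The validation callback records what Windows found wrong and then returns $true so the
    # handshake completes and the presented certificate can still be inspected. This is the
    # opposite of what production clients should do; here it exists only to gather evidence.
    $result   = @{ Errors = $null }
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $result.Errors = $sslPolicyErrors
        return $true
    }.GetNewClosure()

    $client = New-Object System.Net.Sockets.TcpClient
    $ssl    = $null
    try {
        $client.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        # Build the chain again ourselves to get human-readable per-element status text.
        $chainBuilder = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chainBuilder.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chainTrusted = $chainBuilder.Build($cert)
        $chainStatus  = ($chainBuilder.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '

        [pscustomobject]@{
            Host         = $HostName
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            NotAfter     = $cert.NotAfter
            SelfSigned   = ($cert.Subject -eq $cert.Issuer)
            # None, RemoteCertificateChainErrors, RemoteCertificateNameMismatch, or a combination.
            PolicyErrors = $result.Errors
            ChainTrusted = $chainTrusted
            ChainStatus  = $chainStatus
            # The verdict a customer's browser would reach without a click-through.
            AcceptableForCustomers = ($result.Errors -eq [System.Net.Security.SslPolicyErrors]::None -and $chainTrusted)
        }
    }
    finally {
        if ($ssl) { $ssl.Close() }
        $client.Close()
    }
}

# Usage (placeholder host name):
# Test-PortalCertificate -HostName 'portal.example.com' | Format-List
```

Run it from a workstation that is not joined to the domain and has not had any internal CA installed, since that is the trust store a customer's browser will have. A self-signed certificate shows up as SelfSigned true with RemoteCertificateChainErrors; a certificate issued to the wrong name shows RemoteCertificateNameMismatch. Either one means users will be asked to accept a warning, which is exactly the habit Nick warns about.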