
Webserver and DMZ

Last Modified: 2012-08-13
We are getting ready to open an online store for our company.  We need to be able to interface it with our back office ERP (Microsoft Dynamics GP).  Therefore we will need to host this box on our own network (as opposed to hosting with a webhost) so that the online store can link to the ERP.

Now my question:  What do I need to do this?  I am assuming we will need to create a DMZ.  We have a firewall setup at our main HQ that acts as our firewall and VPN.  I do not think this firewall has a DMZ port, so what do I need?  Also, how do I make sure that everything is secure on the DMZ?

 I have read several articles on here that make the DMZ a little more clear, but I need some help with my exact application.  Here is what we currently have setup:

Internet -> ISP T1 Router -> Firewall / VPN -> Linksys Wireless Router -> Linksys Switch -> Corporate Network (i.e. servers, pcs, printers, etc.)

If we need to purchase a new firewall, what should we purchase?  I am not a big Cisco fan due to me not knowing ACLs.  Maybe you need some more information but we can start from here.  I look forward to your help.

Thanks,

Ron
Top Expert 2008

Commented:
dmz is technically /between/ two firewalls, but can be implemented as a third port (inside, outside, dmz) on a single unit.

Some entry level router solutions provide a dmz 'feature' where you enter the IP address of one server to be exposed to the internet.

these functions are not entirely secure, or even anything like a dmz in property at all!  (so do not use it if your router has this 'feature')

I'd recommend a new or additional firewall in your case if your existing device does not cut it.

I suggest that you consider a subnet of your current address to be used as a dmz (e.g. if your current network is 192.168.0.0/24, use 192.168.0.0/23 as the dmz subnet and 192.168.0.128/23 as the lan - or vice versa)

Then all you need to do is to manage rules that limit communication from the dmz to the lan addresses.

For a router solution, my honest opinion is mikrotik routerOS (www.mikrotik.com) for an excellent fully featured router/firewall solution at relatively low cost.

Cheers.
 

Commented:
Before you do anything, grab a copy of Smoothwall 3.0 from http://www.smoothwall.org/get/
and throw it onto an old system, read the manual first, however it is as easy as. You will find that you can set your system up like this with it
Internet -> ISP T1 Router -> Firewall / VPN/DMZ/Mail virus Checker etc etc ->  Linksys Switch ->Linksys Wireless Router ->Corporate Network (i.e. servers, pcs, printers, etc.)
Smoothwall do have Business class systems, you can track back to their corporate web site.
Smoothwall will allow you to set up your VPN, Firewall, and DMZ as you like all you do is set up routing through your firewall. Use 3 nics in the smoothwall, 1 for the inbound(red), 1 for your normal lan(Green) and then 1 for your DMZ/Web server(Orange or Purple). The Forum is a great place to get extra info from, however if you have worked with firewalls before you will find Smoothwall very user friendly.

Commented:
My .02 cents....

I would never put a web server fully open to the Internet in any fashion whether on the end of DMZ or HotLAN, or some direct IP connection.

My advice, IMHO, is to port forward from your firewall to your Web Servers internal IP. You will need at least port 80 (http) and 443 (https). This way your firewall can still inspect and stop other bad stuff hitting your web server.

I would also consider multi-homing, multiple nics in your web server and keeping IP subnets separate. At least use a different IP scheme for hookup to your ERP backends.

By the way, SmoothWall is an outstanding Open Source firewall implementation and like ozwes007 states can be put on any old PC box you have lying around. 2 NICs will be needed, WAN and LAN.

Hope this helped a bit.

John

Author

Commented:
Thanks for all of your comments.  What is the traditional way to setup a webserver for public access?  Maybe that will give me a start.  Right now I still am not sure what to do.  Purchasing new hardware (firewall, new server, etc.) is not a problem if I need to.

Commented:
placing a web server on a dmz by itself through a firewall is acceptable, as long as it is set up with the right security settings to suit, ie virtual directories etc. What web server are you going to use? I have used IIS and Apache and I prefer Apache for security reasons, however either will work. Like I said, place it behind a smoothwall (free one or commercial one) whichever you prefer, and use 3 Nics with 2 separate subnets, 1 for lan and 1 for webserver. Do use a server for dns and dhcp, because you can use the smoothwall to do that as well.

Author

Commented:
The server will be IIS.  We are currently running IIS for our Share Point Portal and other business applications, but it is all internal.  Our website is hosted with a webhost and we have never had a need to run our own external web applications (i.e. all of our outside people have access to VPN).  We are a company of about 35-40 employees and I am it when it comes to IT.  I guess I need something that is going to be secure and easy to maintain.  We run SQL Server 2005 and MS Dynamics GP as our ERP.  We have a lot of data that I do not want to be publicly access (or maliciously accessed).  I still am unsure as to the best solution for us.

Commented:
Sounds to me you are worried about security as you should, you are going to find that a new system will be required to run your webserver, otherwise the bandwidth usage with SQL and ERP will slow down your inside access speeds, don't let anyone tell you different, been down that road. Are you using an internal Domain and active directory? Second point is NEVER put a webserver on a mission critical server, crash the server with something as simple as DoS etc and you lose your entire internal network, and usually your Job. Also the extra thrashing of your hard drives just adds another layer of wear for your hard drives. The ROI suggests that the new server will pay for itself within 1-2 years, also the webserver could have lower specs than a full blown server.

Author

Commented:
I figured we would want to purchase a new webserver just for external applications.  That is not a problem.  How do you suggest we secure our internal network from external access to that box?

Commented:
Once again using a dmz. Once again I'll use the Smoothwall as an example.
Internet -> ISP T1 Router -> Firewall / VPN/DMZ/Mail virus Checker etc etc ->  a: Linksys Switch ->Linksys Wireless Router ->Corporate Network (i.e. servers, pcs, printers, etc.)
                                                                                                                            b: Web Server
From the firewall we have 1 inbound Nic (red zone) that is from the ISP T1 Router.
Out of the router we have 2 Nics, 1 goes to your normal network (192.168.0.0/24) (green zone) and the other goes to the DMZ which is the Web Server (172.16.0.0/24) (orange or purple zone). The firewall routes the traffic from the red zone to the purple or orange zone (isp to DMZ), it also routes traffic from green to orange and orange to green. simple heh :-)
therefore the webserver and the internal network are totally separate except from where you specifically allow through your firewall.

Commented:
Sorry just had to change a word.


Once again using a dmz. Once again I'll use the Smoothwall as an example.
Internet -> ISP T1 Router -> Firewall / VPN/DMZ/Mail virus Checker etc etc ->  a: Linksys Switch ->Linksys Wireless Router ->Corporate Network (i.e. servers, pcs, printers, etc.)
                                                                                                                            b: Web Server
From the firewall we have 1 inbound Nic (red zone) that is from the ISP T1 Router.
Out of the firewall we have 2 Nics, 1 goes to your normal network (192.168.0.0/24) (green zone) and the other goes to the DMZ which is the Web Server (172.16.0.0/24) (orange or purple zone). The firewall routes the traffic from the red zone to the purple or orange zone (isp to DMZ), it also routes traffic from green to orange and orange to green. simple heh :-)
therefore the webserver and the internal network are totally separate except from where you specifically allow through your firewall.
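
The three-zone layout described in this post (red = Internet side, green = LAN 192.168.0.0/24, orange = DMZ 172.16.0.0/24), together with John's advice earlier in the thread to expose only ports 80 and 443 and the rule that DMZ-to-LAN traffic is limited to what you explicitly allow, can be checked before any real rules are written. The following is an added example for this thread; it is not Smoothwall configuration and not code from any poster. It models a first-match firewall rule list with a default deny and evaluates constructed sample flows against it. The web server address (172.16.0.10), the ERP host address (192.168.0.20), the SQL Server port 1433 and the rule contents are assumptions for illustration.

```python
"""Three-zone DMZ policy model: red (Internet), green (LAN), orange (DMZ).

Added example for this thread; it is not Smoothwall configuration and not
code from any poster. It simulates a first-match firewall rule list with a
default deny so the intended zone policy can be checked against sample
flows before real rules are written.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Optional

# Subnets as given in the thread; the two host addresses below are assumed.
ZONES = {
    "green": ip_network("192.168.0.0/24"),   # LAN
    "orange": ip_network("172.16.0.0/24"),   # DMZ
}
WEB_SERVER = ip_address("172.16.0.10")   # assumed DMZ web server
ERP_SERVER = ip_address("192.168.0.20")  # assumed LAN host running SQL Server / Dynamics GP
SQL_PORT = 1433                          # SQL Server's default TCP port


def zone_of(addr: IPv4Address) -> str:
    """Map an address to its zone; anything not in green/orange is the Internet (red)."""
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "red"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: Optional[int] = None           # None matches any port
    src_host: Optional[IPv4Address] = None   # None matches any host in src_zone
    dst_host: Optional[IPv4Address] = None   # None matches any host in dst_zone


# Explicit allows, evaluated top to bottom; anything unmatched is dropped.
POLICY = [
    # Internet reaches only the web server, and only on HTTP/HTTPS (the ports the thread names).
    Rule("red", "orange", 80, dst_host=WEB_SERVER),
    Rule("red", "orange", 443, dst_host=WEB_SERVER),
    # LAN may manage the DMZ (green -> orange, as described in the post).
    Rule("green", "orange"),
    # The single DMZ -> LAN hole: web server to the ERP database port, nothing else.
    Rule("orange", "green", SQL_PORT, src_host=WEB_SERVER, dst_host=ERP_SERVER),
]


def evaluate(policy, src: str, dst: str, dport: int) -> str:
    """Return 'allow' for the first matching rule, otherwise 'deny' (default deny)."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for r in policy:
        if (r.src_zone, r.dst_zone) != (src_zone, dst_zone):
            continue
        if r.dst_port is not None and r.dst_port != dport:
            continue
        if r.src_host is not None and r.src_host != src_ip:
            continue
        if r.dst_host is not None and r.dst_host != dst_ip:
            continue
        return "allow"
    return "deny"


def subnets_disjoint(a: str, b: str) -> bool:
    """Sanity check for a LAN/DMZ split: the two subnets must not overlap."""
    return not ip_network(a, strict=False).overlaps(ip_network(b, strict=False))


if __name__ == "__main__":
    # Constructed sample flows: an Internet client, the web server, the ERP host, a LAN PC.
    flows = [
        ("203.0.113.5", "172.16.0.10", 443),    # Internet -> web server HTTPS
        ("203.0.113.5", "172.16.0.10", 3389),   # Internet -> web server RDP
        ("203.0.113.5", "192.168.0.20", 1433),  # Internet -> ERP host directly
        ("172.16.0.10", "192.168.0.20", 1433),  # web server -> ERP SQL port
        ("172.16.0.10", "192.168.0.20", 445),   # web server -> ERP SMB
        ("192.168.0.50", "172.16.0.10", 80),    # LAN PC -> web server
    ]
    for src, dst, port in flows:
        print(f"{src:>14} -> {dst}:{port:<5} {evaluate(POLICY, src, dst, port)}")
    print("LAN/DMZ split OK:", subnets_disjoint("192.168.0.0/24", "172.16.0.0/24"))
```

The point the model makes is that "green to orange and orange to green" should not be a blanket allow in both directions: the only orange-to-green rule is the single web-server-to-ERP-port hole, so a compromised web server cannot reach SMB, RDP or any other LAN host. Outbound LAN-to-Internet rules are left out because they are not the subject of the post. The `subnets_disjoint` check is worth running on whatever LAN/DMZ split you pick, since rules keyed on zones only work if the two subnets do not overlap.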

Author

Commented:
So I guess I am not understanding what SmoothWall is.  Is it a pc based software firewall or is it an actual hardware appliance?  If I am understanding you correctly (regardless of whether it is software or hardware), SmoothWall will do my DMZ for me?

Commented:
Just to clarify the Smoothwall and similar products are Linux based installed on a stand alone computer by itself. I normally use an old computer for this, P3 500-700/256mb ram/10gb HDD/CDROM/Floppy.
Nothing fancy, just use Std Nics like realtek chipsets etc. works a treat, I think minimum spec is p2 300 or something.
Lynn Huff, IT Director

Commented:
Question to r270ba:

I am at exactly the same point in decision making that you were when you posted this question.  My company (100 employees) has just decided to implement Microsoft Dynamics GP as our ERP solution and I am it as far as tech people go here.  I have no experience with DMZ's.  I'd like to ask you what you eventually decided on.  Would you be willing to start an email correspondence?

Author

Commented:
Unfortunately there are not a lot of e-commerce solutions out there for Dynamics GP.  The options are growing however.  We have held off on an e-commerce solution for right now.  

There are products by Azox (http://www.azox.com/), Keyora (http://www.keyora.com/), and Ignify (http://ignify.com/) that are quite pricey.  

ISSUSA uses ASPDotNetStoreFront and a connector they have written(http://www.issusa.com/GPASPDNSFBridge.aspx) which is a manual sync to GP but is a great price.

I just stumbled across these guys recently K-ecommerce (http://www.k-ecommerce.com/).  Their offering looks pretty solid as well.  

There is one more that I cannot think of that was a decent offering <$20k.  If I remember it I will post it.

I am afraid this is about as much as I can help you, since we have not actually implemented any of this.

Ron  

Author

Commented:
Storefront.net is the other I was thinking about (http://www.storefront.net/)
Lynn Huff, IT Director

Commented:
Thanks for your comments.  Actually though, I was not referring to ecommerce.  I was talking about your implementation of a DMZ.  I won't need an ecommerce piece, but I will have some hand held computers sending data over a wireless network back to servers in our office.  I need to set up a DMZ to accept IP traffic for that data.  Have you implemented/set up a DMZ?  If so, can you share insight as to your choices?
