Solved

Webserver and DMZ

Posted on 2007-10-09
Last Modified: 2012-08-13
We are getting ready to open an online store for our company. We need to be able to interface it with our back office ERP (Microsoft Dynamics GP). Therefore we will need to host this box on our own network (as opposed to hosting with a webhost) so that the online store can link to the ERP.

Now my question: What do I need to do this? I am assuming we will need to create a DMZ. We have a firewall setup at our main HQ that acts as our firewall and VPN. I do not think this firewall has a DMZ port, so what do I need? Also, how do I make sure that everything is secure on the DMZ?

 I have read several articles on here that make the DMZ a little more clear, but I need some help with my exact application.  Here is what we currently have setup:

Internet -> ISP T1 Router -> Firewall / VPN -> Linksys Wireless Router -> Linksys Switch -> Corporate Network (i.e. servers, pcs, printers, etc.)

If we need to purchase a new firewall, what should we purchase? I am not a big Cisco fan due to me not knowing ACLs. Maybe you need some more information, but we can start from here. I look forward to your help.

Thanks,

Ron
Question by:r270ba

Expert Comment

by:meverest
ID: 20045276
A DMZ is technically /between/ two firewalls, but can be implemented as a third port (inside, outside, DMZ) on a single unit.

Some entry level router solutions provide a DMZ 'feature' where you enter the IP address of one server to be exposed to the internet.

These functions are not entirely secure, or even anything like a DMZ in property at all! (So do not use it if your router has this 'feature'.)

I'd recommend a new or additional firewall in your case if your existing device does not cut it.

I suggest that you consider a subnet of your current address to be used as a DMZ (e.g. if your current network is 192.168.0.0/24, use 192.168.0.0/23 as the DMZ subnet and 192.168.0.128/23 as the LAN - or vice versa).

Then all you need to do is to manage rules that limit communication from the DMZ to the LAN addresses.

For a router solution, my honest opinion is MikroTik RouterOS (www.mikrotik.com) for an excellent fully featured router/firewall solution at relatively low cost.

Cheers.
 


Expert Comment

by:ozwes007
ID: 20053606
Before you do anything, grab a copy of Smoothwall 3.0 from http://www.smoothwall.org/get/
and throw it onto an old system. Read the manual first; however, it is as easy as. You will find that you can set your system up like this with it:
Internet -> ISP T1 Router -> Firewall / VPN / DMZ / Mail virus checker etc. -> Linksys Switch -> Linksys Wireless Router -> Corporate Network (i.e. servers, pcs, printers, etc.)
Smoothwall does have business-class systems; you can track back to their corporate web site.
Smoothwall will allow you to set up your VPN, firewall, and DMZ as you like; all you do is set up routing through your firewall. Use three NICs in the Smoothwall: one for the inbound (red), one for your normal LAN (green) and one for your DMZ/web server (orange or purple). The forum is a great place to get extra info from; however, if you have worked with firewalls before you will find Smoothwall very user friendly.

Expert Comment

by:Johnjces
ID: 20054258
My .02 cents....

I would never put a web server fully open to the Internet in any fashion whether on the end of DMZ or HotLAN, or some direct IP connection.

My advice, IMHO, is to port forward from your firewall to your web server's internal IP. You will need at least port 80 (http) and 443 (https). This way your firewall can still inspect and stop other bad stuff hitting your web server.

I would also consider multi-homing: multiple NICs in your web server and keeping IP subnets separate. At least use a different IP scheme for hookup to your ERP backends.

By the way, Smoothwall is an outstanding open-source firewall implementation and, like ozwes007 states, can be put on any old PC box you have lying around. 2 NICs will be needed, WAN and LAN.

Hope this helped a bit.

John

Author Comment

by:r270ba
ID: 20056012
Thanks for all of your comments.  What is the traditional way to setup a webserver for public access?  Maybe that will give me a start.  Right now I still am not sure what to do.  Purchasing new hardware (firewall, new server, etc.) is not a problem if I need to.

Expert Comment

by:ozwes007
ID: 20056168
Placing a web server on a DMZ by itself through a firewall is acceptable, as long as it is set up with the right security settings to suit, i.e. virtual directories etc. What web server are you going to use? I have used IIS and Apache and I prefer Apache for security reasons; however, either will work. Like I said, place it behind a Smoothwall (free one or commercial one), whichever you prefer, and use 3 NICs with 2 separate subnets, 1 for LAN and 1 for web server. Do use a server for DNS and DHCP, because you can use the Smoothwall to do that as well.

Author Comment

by:r270ba
ID: 20056262
The server will be IIS. We are currently running IIS for our SharePoint Portal and other business applications, but it is all internal. Our website is hosted with a webhost and we have never had a need to run our own external web applications (i.e. all of our outside people have access to VPN). We are a company of about 35-40 employees and I am it when it comes to IT. I guess I need something that is going to be secure and easy to maintain. We run SQL Server 2005 and MS Dynamics GP as our ERP. We have a lot of data that I do not want to be publicly accessed (or maliciously accessed). I still am unsure as to the best solution for us.

Expert Comment

by:ozwes007
ID: 20056402
Sounds to me you are worried about security, as you should be. You are going to find that a new system will be required to run your web server; otherwise the bandwidth usage with SQL and ERP will slow down your inside access speeds. Don't let anyone tell you different; been down that road. Are you using an internal domain and Active Directory? Second point is NEVER put a web server on a mission critical server: crash the server with something as simple as DoS etc. and you lose your entire internal network, and usually your job. Also the extra thrashing of your hard drives just adds another layer of wear for your hard drives. The ROI suggests that the new server will pay for itself within 1-2 years; also the web server could have lower specs than a full blown server.

Author Comment

by:r270ba
ID: 20056491
I figured we would want to purchase a new webserver just for external applications.  That is not a problem.  How do you suggest we secure our internal network from external access to that box?

Expert Comment

by:ozwes007
ID: 20056809
Once again using a DMZ. Once again I'll use the Smoothwall as an example.
Internet -> ISP T1 Router -> Firewall / VPN / DMZ / Mail virus checker etc. -> a: Linksys Switch -> Linksys Wireless Router -> Corporate Network (i.e. servers, pcs, printers, etc.)
                                                                                b: Web Server
From the firewall we have 1 inbound NIC (red zone) that is from the ISP T1 Router.
Out of the router we have 2 NICs: 1 goes to your normal network (192.168.0.0/24) (green zone) and the other goes to the DMZ, which is the web server (172.16.0.0/24) (orange or purple zone). The firewall routes the traffic from the red zone to the purple or orange zone (ISP to DMZ); it also routes traffic from green to orange and orange to green. Simple, heh :-)
Therefore the web server and the internal network are totally separate except from where you specifically allow through your firewall.

Expert Comment

by:ozwes007
ID: 20056831
Sorry just had to change a word.


Once again using a DMZ. Once again I'll use the Smoothwall as an example.
Internet -> ISP T1 Router -> Firewall / VPN / DMZ / Mail virus checker etc. -> a: Linksys Switch -> Linksys Wireless Router -> Corporate Network (i.e. servers, pcs, printers, etc.)
                                                                                b: Web Server
From the firewall we have 1 inbound NIC (red zone) that is from the ISP T1 Router.
Out of the firewall we have 2 NICs: 1 goes to your normal network (192.168.0.0/24) (green zone) and the other goes to the DMZ, which is the web server (172.16.0.0/24) (orange or purple zone). The firewall routes the traffic from the red zone to the purple or orange zone (ISP to DMZ); it also routes traffic from green to orange and orange to green. Simple, heh :-)
Therefore the web server and the internal network are totally separate except from where you specifically allow through your firewall.
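
The three-zone layout ozwes007 describes above (red = Internet, green = LAN 192.168.0.0/24, orange = DMZ 172.16.0.0/24) and the port-forward of 80/443 that Johnjces recommends earlier in the thread come down to one small rule table: default deny between zones, plus a handful of named pinholes. The script below is an added example, not part of the original thread and not Smoothwall's own configuration format. It models that policy in Python, checks candidate flows against it, and renders the same table as generic Linux iptables commands. The host addresses (web server 172.16.0.10, SQL/Dynamics GP host 192.168.0.20, admin workstation 192.168.0.50), the interface names eth0/eth1/eth2 and the choice of TCP 1433 for the ERP link are assumptions made for illustration.

```python
"""Three-zone DMZ policy: evaluate flows and render iptables (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Zone layout from the thread: green = LAN, orange = DMZ, anything else = red (Internet).
ZONES = {
    "green": ipaddress.ip_network("192.168.0.0/24"),
    "orange": ipaddress.ip_network("172.16.0.0/24"),
}
# Firewall interface per zone (assumed names, used only for the iptables rendering).
IFACE = {"red": "eth0", "green": "eth1", "orange": "eth2"}

# Hosts are assumptions for illustration, not addresses from the thread.
WEB = ipaddress.ip_address("172.16.0.10")     # IIS box in the DMZ
DB = ipaddress.ip_address("192.168.0.20")     # SQL Server / Dynamics GP host on the LAN
ADMIN = ipaddress.ip_address("192.168.0.50")  # the one admin workstation


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dports: Tuple[int, ...]                        # TCP destination ports this pinhole opens
    src: Optional[ipaddress.IPv4Address] = None    # None = any host in src_zone
    dst: Optional[ipaddress.IPv4Address] = None    # None = any host in dst_zone
    note: str = ""


# Default deny between zones; these are the only pinholes.
RULES: List[Rule] = [
    Rule("red", "orange", (80, 443), dst=WEB, note="public web"),
    Rule("orange", "green", (1433,), src=WEB, dst=DB, note="store -> SQL/ERP (assumed port)"),
    Rule("green", "orange", (3389, 443), src=ADMIN, dst=WEB, note="admin -> web"),
]


def zone_of(ip) -> str:
    """Map an address to green/orange; anything outside both subnets is treated as red."""
    ip = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "red"


def allowed(src, dst, dport: int) -> Tuple[bool, str]:
    """Decide a NEW TCP connection src -> dst:dport. Returns (verdict, reason)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    sz, dz = zone_of(src), zone_of(dst)
    if sz == dz:
        return True, "same zone; traffic never crosses the firewall"
    for r in RULES:
        if (r.src_zone, r.dst_zone) != (sz, dz) or dport not in r.dports:
            continue
        if r.src is not None and src != r.src:
            continue
        if r.dst is not None and dst != r.dst:
            continue
        return True, r.note
    return False, f"no rule {sz}->{dz} tcp/{dport}; default deny"


def render_iptables() -> List[str]:
    """Render the policy as iptables: FORWARD default DROP, return traffic, one ACCEPT per pinhole,
    and a DNAT (port forward) for every pinhole that enters from the red zone."""
    lines = [
        "iptables -P FORWARD DROP",
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for r in RULES:
        ports = ",".join(str(p) for p in r.dports)
        match = f"-i {IFACE[r.src_zone]} -o {IFACE[r.dst_zone]} -p tcp -m multiport --dports {ports}"
        if r.src is not None:
            match += f" -s {r.src}"
        if r.dst is not None:
            match += f" -d {r.dst}"   # post-DNAT address, so the DMZ host IP is correct here
        lines.append(f"iptables -A FORWARD {match} -m conntrack --ctstate NEW -j ACCEPT  # {r.note}")
        if r.src_zone == "red" and r.dst is not None:
            lines.append(
                f"iptables -t nat -A PREROUTING -i {IFACE['red']} -p tcp -m multiport --dports {ports} "
                f"-j DNAT --to-destination {r.dst}  # {r.note}"
            )
    return lines


if __name__ == "__main__":
    # Constructed sample flows: the ones the thread worries about.
    for s, d, p in [("203.0.113.5", WEB, 443), ("203.0.113.5", DB, 1433),
                    (WEB, DB, 1433), (WEB, "192.168.0.30", 445), (ADMIN, WEB, 3389)]:
        ok, why = allowed(s, d, p)
        print(f"{s} -> {d}:{p}  {'ALLOW' if ok else 'DROP '}  ({why})")
    print("\n".join(render_iptables()))
```

The point the model makes explicit is the direction of trust: the Internet reaches only the web server and only on 80/443, the web server reaches only the ERP database host and only on the one port it needs, and nothing else from the DMZ can open a connection into the LAN. If the web server is compromised, that single 1433 pinhole is the whole attack surface toward the back office, which is why it is pinned to source and destination hosts rather than to whole zones.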

Author Comment

by:r270ba
ID: 20056853
So I guess I am not understanding what Smoothwall is. Is it a PC based software firewall or is it an actual hardware appliance? If I am understanding you correctly (regardless of whether it is software or hardware), Smoothwall will do my DMZ for me?

Accepted Solution

by: ozwes007 (earned 2000 total points)
ID: 20057044
Smoothwall is a software/Linux based firewall/router. The company that makes Smoothwall Corporate also makes Smoothwall free edition.
Yes, Smoothwall does DMZ / mail virus scan inbound / DNS / DHCP / etc. etc.
Have a look at this http://community.smoothwall.org/forum/viewtopic.php?t=23955

Corporate :- http://www.smoothwall.net/
Free edition :-  http://www.smoothwall.org/get/    
I would suggest you go to the above free site and download the Install and Administrator manuals to have a good look at it. There are other similar products and I have used a few but this one seems to have the best Forum Support.

Expert Comment

by:ozwes007
ID: 20057127
Just to clarify, Smoothwall and similar products are Linux based, installed on a stand alone computer by itself. I normally use an old computer for this: P3 500-700 / 256 MB RAM / 10 GB HDD / CDROM / floppy.
Nothing fancy, just use standard NICs like Realtek chipsets etc. Works a treat; I think minimum spec is P2 300 or something.

Expert Comment

by:Lynn Huff
ID: 23908661
Question to r270ba:

I am at exactly the same point in decision making that you were when you posted this question. My company (100 employees) has just decided to implement Microsoft Dynamics GP as our ERP solution and I am it as far as tech people go here. I have no experience with DMZs. I'd like to ask you what you eventually decided on. Would you be willing to start an email correspondence?

Author Comment

by:r270ba
ID: 23909281
Unfortunately there are not a lot of e-commerce solutions out there for Dynamics GP.  The options are growing however.  We have held off on an e-commerce solution for right now.  

There are products by Azox (http://www.azox.com/), Keyora (http://www.keyora.com/), and Ignify (http://ignify.com/) that are quite pricey.  

ISSUSA uses ASPDotNetStoreFront and a connector they have written (http://www.issusa.com/GPASPDNSFBridge.aspx) which is a manual sync to GP but is a great price.

I just stumbled across these guys recently K-ecommerce (http://www.k-ecommerce.com/).  Their offering looks pretty solid as well.  

There is one more that I cannot think of that was a decent offering <$20k.  If I remember it I will post it.

I am afraid this is about as much as I can help you, since we have not actually implemented any of this.

Ron  

Author Comment

by:r270ba
ID: 23909295
Storefront.net is the other I was thinking about (http://www.storefront.net/)

Expert Comment

by:Lynn Huff
ID: 23910798
Thanks for your comments. Actually though, I was not referring to ecommerce. I was talking about your implementation of a DMZ. I won't need an ecommerce piece, but I will have some hand held computers sending data over a wireless network back to servers in our office. I need to set up a DMZ to accept IP traffic for that data. Have you implemented/set up a DMZ? If so, can you share insight as to your choices?