how to create a secure network structure?

Posted on 2007-11-30
Medium Priority
Last Modified: 2008-02-01
I am developing a small to medium size e-commerce web site for which I need to create a network structure. I don't have much experience creating network structures, even though I know a fair amount about configuring routers and firewalls.

How should I create the network structure? I was thinking of having my web server behind a firewall with port 80 open. Then, route any database request to a second firewall/router on the network through the port on which the database would be working. This way, the business tier server would be at a higher level in the network than the data tier server. Would this be a reasonable network configuration approach to implement and protect the data?

I will be using Microsoft products such as Small Business Web Server, SQL Server Express and Visual Studio.

Please, I would appreciate any inputs and thoughts. Thanks.

Question by: vielkacarolina1239
LVL 27

Assisted Solution

pseudocyber earned 600 total points
ID: 20386230
Although you can use two firewalls, IMHO you're adding needless complexity.

You can have a screening router which can drop the obvious stuff - spoofed traffic and what not.  Then hang a DMZ off one firewall port and your internal network off another.  So, you can allow 80 into the DMZ from anywhere, and you could allow db traffic from the server to your internal net.  You could allow management from internal to the web server, and allow 80, 443, and a few other ports from inside to the Internet.

So physically, it would look like this:

Internet ---- router ---- firewall ----- inside nets

Allow Any port 80 to web server
Allow db traffic from web server to inside db server
Allow ssh from inside to web server (or whatever you want to use to manage)
Allow 80, etc from inside to any
deny any to any & log

This should basically do it.
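As an added example that is not part of pseudocyber's answer, the five rules above expressed as a first-match policy and checked against constructed flows, including the one the author worries about later (a compromised web server reaching inside hosts). The addresses, the SQL Server port 1433 and the zone names are assumptions.

```python
from ipaddress import ip_address, ip_network
# Constructed addresses (RFC 5737 documentation ranges); the thread names no IPs.
INSIDE = ip_network("10.0.0.0/8")       # internal net
WEB = ip_address("192.0.2.10")          # bastion web server in the DMZ
DB = ip_address("10.0.0.20")            # database server on the inside net
DB_PORT = 1433                          # assumption: SQL Server default port
ANY = "any"

# First-match policy in the order the answer lists it; the last rule is the
# explicit "deny any to any & log".
RULES = [
    ("web-from-anywhere",  ANY,    WEB, {80},      "allow"),
    ("web-to-db",          WEB,    DB,  {DB_PORT}, "allow"),
    ("manage-web",         INSIDE, WEB, {22},      "allow"),
    ("inside-to-internet", INSIDE, ANY, {80, 443}, "allow"),
    ("default-deny",       ANY,    ANY, ANY,       "deny"),
]

def _match(pattern, value):
    """Match an address against 'any', a single address or a network."""
    if pattern == ANY:
        return True
    if isinstance(pattern, type(INSIDE)):
        return value in pattern
    return value == pattern

def evaluate(src, dst, dport, rules=RULES):
    """Return (action, rule_name) from the first rule matching the flow."""
    src, dst = ip_address(src), ip_address(dst)
    for name, rsrc, rdst, ports, action in rules:
        if _match(rsrc, src) and _match(rdst, dst) and (ports == ANY or dport in ports):
            return action, name
    return "deny", "implicit-deny"  # unreachable while the explicit last rule exists

def audit(flows, rules=RULES):
    """Return the denied flows, i.e. what the logging rule would record."""
    return [(s, d, p, evaluate(s, d, p, rules)[1])
            for s, d, p in flows if evaluate(s, d, p, rules)[0] == "deny"]

# Constructed sample flows, including what a compromised DMZ host could attempt.
SAMPLE_FLOWS = [
    ("203.0.113.5", "192.0.2.10", 80),    # customer to the site: allowed
    ("192.0.2.10", "10.0.0.20", 1433),    # web server to db: allowed
    ("10.0.0.7", "192.0.2.10", 22),       # admin managing the bastion: allowed
    ("10.0.0.7", "198.51.100.1", 443),    # staff browsing: allowed
    ("192.0.2.10", "10.0.0.7", 22),       # web server to an inside host: denied, logged
    ("203.0.113.5", "10.0.0.20", 1433),   # Internet straight to db: denied, logged
]
```

`audit(SAMPLE_FLOWS)` returns only the last two flows, showing that the single-firewall design already confines a compromised web server to the one database port it needs.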

Accepted Solution

charan_jeetsingh earned 1400 total points
ID: 20387257
If you have security in mind (that is what the market is asking for)... definitely you should go for a multi-tier architecture.

It can look something like this:

Internet -------- firewall-----Internal
       Proxies for load sharing and additional security
                      Web + App tier
                       DB Server

Proxies can be omitted, but based on my experience I have observed that they are really helpful in doing good resource utilisation and providing an additional security layer to your web tier.

Author Comment

ID: 20389936

I read a paper which explains the pitfalls of the design you have suggested. The paper explains that if the web server computer is used as a robot, it can be used to attack the other computers on the same tier if it is compromised. Do you have any other suggestions? Please let me know, I will gladly appreciate your comments.

Author Comment

ID: 20390053

Thanks, this is similar to what I had in mind. Would you suggest using the same type of firewall for the different tiers? Would it matter if they are different? Do you think this would improve security since they are different?

I am thinking about getting a NETGEAR ProSafe VPN Firewall FVX538 for this project. Do you think this would do the trick? The URL for this item is: http://www.netgear.com/Products/VPNandSSL/WiredVPNFirewallRouters/FVX538.aspx?detail=Specifications

It seems like a decent firewall and it goes for $350.

Do you have any suggestions? Please, let me know. I will gladly appreciate it.

Author Comment

ID: 20390196
These are the specs for the above firewall

Physical Interfaces

LAN ports: Eight (8) 10/100 Mbps auto-sensing, Auto-Uplink RJ-45 ports; one (1) Gigabit 10/100/1000 Mbps LAN port; one LAN port can be dedicated hardware DMZ port
WAN port: Two 10/100Mbps Ethernet RJ-45 ports with auto fail-over and load balancing
Serial Port: One console port for command line interface (CLI) support
Security Features

SPI Firewall: Stateful Packet Inspection (SPI) to prevent notorious Denial of Service (DoS) attacks, Intrusion Detection System (IDS) including logging, reporting and e-mail alerts, address, service and protocol, Web URL keyword filtering, prevent replay attack (reassembly attack), port/service blocking. Advanced features include block Java/URL/ ActiveX based on extension, FTP/SMTP/RPC program filtering
VPN Functionality: Two hundred (200) dedicated VPN tunnels, Manual key and Internet Key Exchange Security Association (IKE SA) assignment with pre-shared key and RSA/DSA signatures, key life and IKE lifetime time settings, perfect forward secrecy (Diffie- Hellman groups 1 and 2 and Oakley support), operating modes (Main, Aggressive, Quick), fully qualified domain name (FQDN) support for dynamic IP address VPN connections.
IPSec Support: IPSec-based 56-bit (DES), 168-bit (3DES), or 256-bit (AES) encryption algorithm, MD5 or SHA-1 hashing algorithm, AH/AH-ESP support, PKI features with X.509 v.3 certificate support, remote access VPN (client-to-site), site-to-site VPN, IPSec NAT traversal (VPN pass-through)
Mode of Operation: One-to-one/ many-to-one Multi-Network Address Translation (NAT), classical routing, unrestricted users per port
IP Address Assignment: Static IP address assignment, internal DHCP server on LAN, DHCP client on WAN, PPPoE client support
Performance Features

Throughput: Up to 91 Mbps WAN to LAN and 60Mbps 3DES throughput
Management Features

Administration Interface: SNMP (v.2c) support, Telnet, web graphic user interface, Secure Sockets Layer (SSL) remote management, user name and password protected; secure remote management support authenticated through IP address or IP address range and password; configuration changes/ upgrades through web GUI.
Configuration and Upgrades: Upload and download configuration settings, firmware upgradeable flash memory
Logging: SYSLOG, e-mail alerts

VPN Wizard to simplify configuration of the VPN, Smart Wizard to automatically detect ISP Address type (static, dynamic, PPPoE), Port Range Forwarding, Port Triggering, Exposed Host (DMZ), Hardware DMZ, Enable/Disable WAN Ping, DNS Proxy, MAC Address cloning/ spoofing, Network Time Protocol NTP support, Keyword Content Filtering, email Alerts, DHCP Server (Info and display table), PPPoE login client support, WAN DHCP Client, Diagnostic tools (ping, trace route, other), Port/ service, Auto-Uplink on switch ports and Quality of Service (QoS).
Protocol Support

Network: IP routing, TCP/IP, UDP, ICMP, PPPoE
IP Addressing: DHCP (client and server)
Routing: RIP v1, RIPv2 (Static Routing, Dynamic Routing)
VPN/Security: IPSec (ESP, AH), MD5, SHA-1, DES, 3DES, IKE, PKI, AES
User Support

LAN: Up to 253 users

Save/Restore Configuration, Restore Defaults, Upgrades via Web Browser, Display Statistics, Logging, SYSLOG support
Hardware Specifications

Processor: 533 MHz Intel XScale IXP425
Memory: 32MB Flash, 64MB DRAM
Encryption Accelerator: Cavium Processor with 60+ Mbps (3DES+SHA-1) encryption
Power requirements: 100-240 VAC, 50-60Hz, 15W MAX
Dimensions: 33 x 20.3 x 4.4 cm. (13 x 8 x 1.75 in.)
Weight: 4.42 lbs (2.01 kg)
Environmental Specifications

Operating temperature: 0 to 40°C (32 to 104°F)
Operating humidity: 90% maximum relative humidity, non-condensing

NETGEAR 3 year warranty
Package Contents

FVX538 ProSafe VPN Firewall 200
Ethernet cable
Rack mount kit
Installation guide
Resource CD with five user license of ProSafe VPN Client Software
Warranty/Support information card

Assisted Solution

charan_jeetsingh earned 1400 total points
ID: 20390590
Would you suggest using the same type of firewall for the different tiers? (When you say type of firewall I assume you are talking of vendors.)  Would it matter if they are different? Do you think this would improve security since they are different?

>> It doesn't make much of a difference if you are using 1 type or 2 types.  It all depends basically on how best you implement them. But looking into the management overheads involved with using 2 firewalls I recommend going with one, and that is a common practice as well. Also implementing 2 types of firewall will double the probability of vulnerabilities as the loopholes of both types simply add, thus increasing the risk factor.

Regarding your going with Netgear.... I won't really go with you. I personally would have chosen amongst Cisco ASA / Juniper Netscreen (Cisco is my personal flavour). Netscreen would have served the purpose of general internet browsing and managing a few VPNs, but when you are on the internet and are expecting hundreds of hits per hour, you expect all malicious traffic also. In such cases you must go with experts.
LVL 27

Expert Comment

ID: 20393197
Thanks for the points.

True, if one of your bastion hosts is compromised it can be used to attack the others in the same DMZ, but this is why they're in a DMZ and why they're bastions - they must be especially locked down to only run what they're supposed to, trying to minimize the services running and the ports listening.  Yes, you can add more firewalls - but where will you draw the line?  Are you going to run a firewall for each of your servers? At some point it gets ridiculous.

Reverse proxies are OK - but can be especially tricky if you're using SSL traffic or you have many connections coming from one NATed address on the other end.

Second the nod towards "real" firewalls - Cisco ASA (Pix is their older firewall), Checkpoint, Netscreen.
