How to create a secure network structure?

I am developing a small to medium size e-commerce web site for which I need to create a network structure. I don't have much experience creating network structures, even though I know a fair amount about configuring routers and firewalls.

How should I create the network structure? I was thinking of having my web server behind a firewall with port 80 open. Then, route any database request to a second firewall/router on the network through the port on which the database would be working. This way, the business tier server would be at a higher level in the network than the data tier server. Would this be a reasonable network configuration approach to implement and protect the data?

I will be using Microsoft products such as small business web server, SQL Server Express and Visual Studio.

Please, I would appreciate any inputs and thoughts. Thanks.

charan_jeetsingh Commented:
If you have security in mind (that is what the market is asking for), you should definitely go for a multi-tier architecture.

It can look something like this:

Internet -------- firewall-----Internal
       Proxies for load sharing and additional security
                      Web + App tier
                       DB Server

The proxy can be omitted, but based on my experience I have observed that they are really helpful in achieving good resource utilisation and providing an additional security layer to your web tier.

pseudocyber Commented:
Although you can use two firewalls, IMHO you're adding needless complexity.

You can have a screening router which can drop the obvious stuff - spoofed traffic and what not. Then hang a DMZ off one firewall port and your internal network off another. So, you can allow 80 into the DMZ from anywhere, and you could allow db traffic from the server to your internal net. You could allow management from internal to the web server, and allow 80, 443, and a few other ports from inside to the Internet.

So physically, it would look like this:

Internet ---- router ---- firewall ----- inside nets

Allow Any port 80 to web server
Allow db traffic from web server to inside db server
Allow ssh from inside to web server (or whatever you want to use to manage)
Allow 80, etc from inside to any
deny any to any & log

This should basically do it.
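
The rule list above, modelled as a first-match policy so it can be checked before it is typed into a firewall. This is an added example, not code from any poster in the thread; the addresses, the SQL Server port 1433 and the function names are assumptions made for illustration.

```python
from ipaddress import ip_address, ip_network
from typing import NamedTuple

# Constructed addressing plan; none of these values come from the thread.
ANY = ip_network("0.0.0.0/0")
INSIDE = ip_network("10.0.0.0/24")    # internal network
WEB = ip_network("172.16.0.10/32")    # web server in the DMZ
DB = ip_network("10.0.0.20/32")       # database server on the inside net
DB_PORT = 1433                        # assumed: SQL Server default TCP port
MGMT_PORT = 22                        # ssh, as in the rule list

class Rule(NamedTuple):
    name: str
    src: object
    dst: object
    ports: frozenset

# The four allow rules in the order given; the fifth rule is the fall-through.
RULES = [
    Rule("any -> web http", ANY, WEB, frozenset({80})),
    Rule("web -> db", WEB, DB, frozenset({DB_PORT})),
    Rule("inside -> web mgmt", INSIDE, WEB, frozenset({MGMT_PORT})),
    Rule("inside -> any web", INSIDE, ANY, frozenset({80, 443})),
]

def evaluate(src: str, dst: str, port: int):
    """First match wins; unmatched traffic hits 'deny any to any & log'."""
    s, d = ip_address(src), ip_address(dst)
    for rule in RULES:
        if s in rule.src and d in rule.dst and port in rule.ports:
            return "allow", rule.name
    return "deny+log", "default deny"

def reachable_from(src: str, hosts, ports):
    """List every (host, port) the firewall would let src open."""
    return sorted((h, p) for h in hosts for p in ports
                  if evaluate(src, h, p)[0] == "allow")

if __name__ == "__main__":
    inside_hosts = ["10.0.0.20", "10.0.0.30"]
    probe_ports = [22, 80, 443, 445, 1433, 3389]
    # What a compromised web server could reach on the inside net.
    print(reachable_from("172.16.0.10", inside_hosts, probe_ports))
    print(evaluate("198.51.100.7", "10.0.0.20", DB_PORT))
```

The model covers only traffic that crosses the firewall; hosts on the same DMZ segment reach each other directly, which no rule here affects.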

vielkacarolina1239 (Author) Commented:

I read a paper in which it explains the pitfalls of the design you have suggested. The paper explains that if the web server computer is used as a robot, it can be used to attack the other computers on the same tier if it is compromised. Do you have any other suggestions? Please let me know; I will gladly appreciate your comments.

vielkacarolina1239 (Author) Commented:

Thanks, this is similar to what I had in mind. Would you suggest using the same type of firewall for the different tiers? Would it matter if they are different? Do you think this would improve security since they are different?

I am thinking about getting a NETGEAR ProSafe VPN Firewall FVX538 for this project. Do you think this would do the trick? The URL for this item is:

It seems like a decent firewall and it goes for $350.

Do you have any suggestions? Please, let me know. I will gladly appreciate it.

vielkacarolina1239 (Author) Commented:
These are the specs for the above firewall

Physical Interfaces

LAN ports: Eight (8) 10/100 Mbps auto-sensing, Auto-Uplink RJ-45 ports; one (1) Gigabit 10/100/1000 Mbps LAN port; one LAN port can be dedicated hardware DMZ port
WAN port: Two 10/100Mbps Ethernet RJ-45 ports with auto fail-over and load balancing
Serial Port: One console port for command line interface (CLI) support
Security Features

SPI Firewall: Stateful Packet Inspection (SPI) to prevent notorious Denial of Service (DoS) attacks, Intrusion Detection System (IDS) including logging, reporting and e-mail alerts, address, service and protocol, Web URL keyword filtering, prevent replay attack (reassembly attack), port/service blocking. Advanced features include block Java/URL/ ActiveX based on extension, FTP/SMTP/RPC program filtering
VPN Functionality: Two hundred (200) dedicated VPN tunnels, Manual key and Internet Key Exchange Security Association (IKE SA) assignment with pre-shared key and RSA/DSA signatures, key life and IKE lifetime time settings, perfect forward secrecy (Diffie- Hellman groups 1 and 2 and Oakley support), operating modes (Main, Aggressive, Quick), fully qualified domain name (FQDN) support for dynamic IP address VPN connections.
IPSec Support: IPSec-based 56-bit (DES), 168-bit (3DES), or 256-bit (AES) encryption algorithm, MD5 or SHA-1 hashing algorithm, AH/AH-ESP support, PKI features with X.509 v.3 certificate support, remote access VPN (client-to-site), site-to-site VPN, IPSec NAT traversal (VPN pass-through)
Mode of Operation: One-to-one/ many-to-one Multi-Network Address Translation (NAT), classical routing, unrestricted users per port
IP Address Assignment: Static IP address assignment, internal DHCP server on LAN, DHCP client on WAN, PPPoE client support
Performance Features

Throughput: Up to 91 Mbps WAN to LAN and 60Mbps 3DES throughput
Management Features

Administration Interface: SNMP (v.2c) support, Telnet, web graphic user interface, Secure Sockets Layer (SSL) remote management, user name and password protected; secure remote management support authenticated through IP address or IP address range and password; configuration changes/ upgrades through web GUI.
Configuration and Upgrades: Upload and download configuration settings, firmware upgradeable flash memory
Logging: SYSLOG, e-mail alerts

VPN Wizard to simplify configuration of the VPN, Smart Wizard to automatically detect ISP Address type (static, dynamic, PPPoE), Port Range Forwarding, Port Triggering, Exposed Host (DMZ), Hardware DMZ, Enable/Disable WAN Ping, DNS Proxy, MAC Address cloning/ spoofing, Network Time Protocol NTP support, Keyword Content Filtering, email Alerts, DHCP Server (Info and display table), PPPoE login client support, WAN DHCP Client, Diagnostic tools (ping, trace route, other), Port/ service, Auto-Uplink on switch ports and Quality of Service (QoS).
Protocol Support

Network: IP routing, TCP/IP, UDP, ICMP, PPPoE
IP Addressing: DHCP (client and server)
Routing: RIP v1, RIPv2 (Static Routing, Dynamic Routing)
VPN/Security: IPSec (ESP, AH), MD5, SHA-1, DES, 3DES, IKE, PKI, AES
User Support

LAN: Up to 253 users

Save/Restore Configuration, Restore Defaults, Upgrades via Web Browser, Display Statistics, Logging, SYSLOG support
Hardware Specifications

Processor: 533 MHz Intel XScale IXP425
Memory: 32MB Flash, 64MB DRAM
Encryption Accelerator: Cavium Processor with 60+ Mbps (3DES+SHA-1) encryption
Power requirements: 100-240 VAC, 50-60Hz, 15W MAX
Dimensions: 33 x 20.3 x 4.4 cm. (13 x 8 x 1.75 in.)
Weight: 4.42 lbs (2.01 kg)
Environmental Specifications

Operating temperature: 0 to 40ºC (32 to 104ºF)
Operating humidity: 90% maximum relative humidity, non-condensing

NETGEAR 3 year warranty
Package Contents

FVX538 ProSafe VPN Firewall 200
Ethernet cable
Rack mount kit
Installation guide
Resource CD with five user license of ProSafe VPN Client Software
Warranty/Support information card

charan_jeetsingh Commented:
Would you suggest using the same type of firewall for the different tiers? (When you say type of firewall, I assume you are talking of vendors.) Would it matter if they are different? Do you think this would improve security since they are different?

>> It doesn't make much of a difference if you are using 1 type or 2 types. It all depends basically on how best you implement them. But looking into the management overheads involved with using 2 firewalls, I recommend going with one, and that is a common practice as well. Also, implementing 2 types of firewall will double the probability of vulnerabilities, as the loopholes of both types simply add, thus increasing the risk factor.

Regarding your going with Netgear... I won't really go with you. I personally would have chosen amongst Cisco ASA / Juniper Netscreen (Cisco is my personal flavour). Netscreen would have served the purpose of general internet browsing and managing a few VPNs, but when you are on the internet and are expecting hundreds of hits per hour, you expect all malicious traffic also. In such cases you must go with experts.
Thanks for the points.

True, that if one of your bastion hosts is compromised it can be used to attack the others in the same DMZ, but this is why they're in a DMZ and why they're bastions - they must be especially locked down to only run what they're supposed to, trying to minimize the services running and the ports listening. Yes, you can add more firewalls - but where will you draw the line? Are you going to run a firewall for each of your servers? At some point it gets ridiculous.

Reverse proxies are OK - but can be especially tricky if you're using SSL traffic or you have many connections coming from one natted address on the other end.

Second the nod towards "real" firewalls - Cisco ASA (Pix is their older firewall), Checkpoint, Netscreen.