Should I continue to keep my webserver in a separate subnet? In a DMZ?

We run a company website on an IIS server. It's located on one of two subnets in our small LAN: our firewall (Cisco PIX 515E) is equipped with two physical interfaces: one dedicated to the internal office subnet and one dedicated to a DMZ subnet. The webserver is the only computer on the DMZ subnet. This setup was put in place by one of my predecessors, although I'm not sure I understand why.

Can I safely eliminate the DMZ and simply put the webserver on the same subnet as the rest of the equipment? The firewall is already configured to block all ports except the ones we need. If that's the case, it seems unnecessary to continue isolating the webserver in a different subnet. I also see no purpose to using a DMZ, which I would assume would create more risk, not less. Does that seem correct?

IMHO you can put your web server on your subnet, behind a firewall/router with the proper ports forwarded to your web server.

A DMZ is always wide open to the Internet with all ports available, even though your server may only have say port 80 open. However, on a DMZ the possibility of another port accidentally being left open and exploited is real.

Is it safer? One computer on its own subnet on a DMZ, or that server with all of your clients on the other net... how good is your firewall?

It is probably just as safe, but I would opt for safety and security and keep it separate. That is just my opinion.

Perhaps you are not familiar with security threats, hacking techniques, etc.

You should not put the web server with the rest for sure. Also, do not put your mail gateway inside (it needs to be in the DMZ); that goes for your main DNS servers if you have them on your network.

Although you allow certain ports to open to your web Server, that does not mean you have secured your web server. For example, if an exploit exists on Apache or on IIS, then merely opening port 80 to that server will not secure the exploit - which means a hacker on the outside can break in using his web browser to your server and have full access as if he was logged on to that server from the inside; this means if no firewall blocks the web server from talking directly to the network, he will have complete access in hacking the other servers as well.

Exploits also exist for any other service.

Rule of thumb: Any service that will be accessed from the outside NEEDS to be in the DMZ.

Just to add to my previous example regarding a hacker accessing your web server on port 80 with no DMZ: once he is in, he will have access to all the other servers on ANY port (not just port 80), since he is limited to port 80 only to the web server, and from the web server it is completely open to the rest.

I hope this clarifies the issue.
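To show what the DMZ buys you in concrete firewall terms, here is an added example (not from the original post or any answerer) of how the three-interface PIX described in the question could be configured so that the webserver is reachable from the Internet on 80/443 only, and so that a compromised webserver still cannot initiate connections into the office subnet. The syntax is PIX OS 6.x style; all addresses, interface names and ACL names are constructed placeholders.

```cisco
! Interface security levels: traffic from a lower level to a higher level
! (dmz -> inside) is dropped unless an access-list explicitly permits it.
nameif ethernet0 outside security0
nameif ethernet1 inside  security100
nameif ethernet2 dmz     security50

! Constructed placeholder addressing (inside and dmz are separate subnets).
ip address outside 203.0.113.2   255.255.255.0
ip address inside  192.168.1.1   255.255.255.0
ip address dmz     192.168.2.1   255.255.255.0

! Publish the webserver (192.168.2.10 on the dmz) as 203.0.113.10 on the outside.
static (dmz,outside) 203.0.113.10 192.168.2.10 netmask 255.255.255.255 0 0

! Internet -> DMZ: only HTTP and HTTPS to the webserver, nothing else.
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-list outside_in permit tcp any host 203.0.113.10 eq https
access-group outside_in in interface outside

! DMZ -> everywhere: the webserver may talk out to the Internet (patching),
! but is explicitly denied from opening ANY connection to the office subnet.
! This is the rule that contains an attacker who has taken over the webserver.
access-list dmz_in deny   ip any 192.168.1.0 255.255.255.0
access-list dmz_in permit ip 192.168.2.0 255.255.255.0 any
access-group dmz_in in interface dmz

! Log the denied dmz -> inside attempts: a webserver that suddenly tries to
! reach office machines is a strong sign it has been compromised.
logging on
logging trap informational
logging host inside 192.168.1.50
```

If the webserver genuinely needs one inside resource (for example a database on a single port), add a single `permit` line for that host and port above the `deny` rather than reverting to a flat network; the office subnet then exposes one service to the webserver instead of all of them.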