andregenovese asked:
Ideal network configuration for web server deployment

Dear all,

First of all I would like to thank any of you guys who took their time to read this post. I appreciate the service you offer.

First and foremost, I am a programmer with a sore Achilles heel... I have always kept my knowledge level of networks to a minimum and it has come back to haunt me.

I have developed a web application that will be hosted on three servers and a backup server:
1 - Webserver
2 - Admin server
3 - Database server
4 - Replicated database server

The webserver's job is to service clients that access a public site. The machine needs direct access to the database server in order to fulfil a number of select/update SQL statements.

The Admin server hosts the administration site that manages the whole application. This server should be accessible to people within the company's local network, and a few people who connect from the outside world.

The database server services both the WWW and Admin server and needless to say should be the most protected.

I have conducted a lot of research and have accumulated a number of ideas, but I am still not entirely sure on the best options I have with regards to the network design that should be employed. The servers have been purchased, but I still need to buy the firewalls and switches that will complement the setup.

Could anyone give me a few tips on what network setup will protect the database in the best manner?

I also have the following questions which are related to this post:

1 - The admin server will service about 5-10 external users. Do you suggest making it only accessible via VPN?
2 - I will need facility to service all 4 servers via VPN. Is this possible, since the DB server will be on a different tier?
3 - Do I need a firewall between the WWW/Admin servers and the Database?

I apologise for the long post and thank you all in anticipation.

Best regards


ASKER CERTIFIED SOLUTION
Rowley (United Kingdom)

(The accepted answer is members-only on the source page and is not shown here.)
andregenovese (ASKER)
Hi,

Thanks for your comment.

"Usually, you might have your web server between an external and an internal firewall in a DMZ, allowing only http access through the public firewall then only DB connections from your web host through to your database. "

I understand and agree totally.

"You can separate the private network using vlans, allow only the admin workstation to connect through to your DB vlan and maybe use ssh keys with agents to prevent encrypted passwords flying about the network. "

The admin workstations need only connect to the Admin server, so I could block access to the DB VLAN from the private network. I assume that the firewall can be configured to allow access from the private network to the Admin server on the DMZ?

"You can allow vpn back to your user network, then ask users to authenticate onto the admin server before connecting onto the db from there. This might provide you with an additional layer of security."

Would this require an additional firewall, or can this feature be serviced by the same firewall connected to the webserver?

"So...where's your infrastructure guy? On vacation?"

:) good question... there isn't one at the moment. I will have to get someone to configure the firewalls, but I really want to understand what is good practice and what is not.

Thanks again

You could have a single firewall with multiple interfaces, say a quad card in or multiple physical firewalls. Up to you really. VPN would be handled by a firewall or a device connected to the networks you want to provide access to.

To prevent general access to the DB VLAN, only configure the management server's port with access, so you'd configure a trunk port which would allow access to VLANs 10 and 20, for example. You can have a single interface on a server perform VLAN tagging on packets, so you wouldn't necessarily need multiple physical interfaces.

hth.
I would put the DB in the DMZ with the WWW. Otherwise you may take a performance hit with a lot of database transaction traffic going through the firewall unnecessarily. With, of course, no outside access to the db.

Firewall Rules:
outside -> dmz    only port 80, only to www
outside -> inside    VPN only
inside -> dmz    full access, only from admin
Sorry, but the argument you put forward to put a DB in the DMZ because of performance holds no sway, imho. Firewalls are there to handle traffic. If yours is underperforming, it's not the location of the database that you need to look at.
Point taken.
But it is still unnecessary traffic, additional firewall rules and VLAN configs.
I prefer the KISS method, keep it simple...
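The rule list posted above and the placement debate that follows it, as an added, runnable policy model (this is example code written for this page, not code from the thread or from Experts Exchange). It encodes the zones Rowley and the asker describe (outside, a DMZ holding the www and admin servers, the inside LAN where VPN users land, and a separate DB VLAN), applies first-match rules with an implicit final deny the way a perimeter firewall does, and reports a flow as "unfiltered" when both ends sit in the same segment, since such traffic never crosses the firewall and no rule can constrain it. Everything concrete is an assumption: the addressing, MySQL on 3306, OpenVPN on udp/1194 terminating on an inside-facing gateway, HTTPS for the admin site, and SSH for servicing the servers.

```python
"""Zone-based firewall policy model for the web/admin/DB layout in the thread.
Addresses, ports and host names below are constructed assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumption: one subnet per firewall interface. Anything else is "outside".
ZONES = {
    "dmz":    ip_network("192.0.2.0/24"),   # www + admin servers
    "inside": ip_network("10.0.10.0/24"),   # company LAN; VPN clients land here
    "dbvlan": ip_network("10.0.20.0/24"),   # database tier (VLAN behind the firewall)
}
HOSTS = {
    "www":      ip_address("192.0.2.10"),
    "admin":    ip_address("192.0.2.20"),
    "db":       ip_address("10.0.20.10"),
    "dbrep":    ip_address("10.0.20.11"),
    "vpngw":    ip_address("10.0.10.1"),    # assumption: VPN terminates here
    "client":   ip_address("10.0.10.50"),   # LAN workstation or connected VPN user
    "attacker": ip_address("203.0.113.7"),  # arbitrary Internet host
}
# Alternative placement from the thread: DB servers share the DMZ with www.
DB_IN_DMZ = {**HOSTS, "db": ip_address("192.0.2.30"), "dbrep": ip_address("192.0.2.31")}

DB_PORT = 3306  # assumption: MySQL


@dataclass(frozen=True)
class Rule:
    src: str              # host name (exact IP) or zone name
    dst: str
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None = any port
    action: str           # "allow" or "deny"


def rule(src, dst, proto, dport, action="allow"):
    return Rule(src, dst, proto, dport, action)


# The posted rule list, made explicit per host and port.
THREE_TIER = [
    rule("outside", "www",    "tcp", 80),       # outside -> dmz: only port 80, only to www
    rule("outside", "vpngw",  "udp", 1194),     # outside -> inside: VPN only
    rule("www",     "db",     "tcp", DB_PORT),  # select/update traffic from the public site
    rule("admin",   "db",     "tcp", DB_PORT),  # admin site also needs the database
    rule("inside",  "admin",  "tcp", 443),      # LAN and VPN users reach the admin site
    rule("inside",  "dmz",    "tcp", 22),       # servicing all four servers over VPN
    rule("inside",  "dbvlan", "tcp", 22),
]


def zone_of(ip):
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "outside"


def _matches(selector, ip, hosts):
    """A selector names either a host (exact address) or a zone."""
    if selector in hosts:
        return hosts[selector] == ip
    return zone_of(ip) == selector


def evaluate(policy, src, dst, proto, dport, hosts=HOSTS):
    """First-match evaluation with an implicit final deny.
    Returns "allow", "deny", or "unfiltered" when src and dst are in the
    same segment: that traffic never transits the firewall."""
    s, d = hosts[src], hosts[dst]
    if zone_of(s) == zone_of(d):
        return "unfiltered"
    for r in policy:
        if (_matches(r.src, s, hosts) and _matches(r.dst, d, hosts)
                and r.proto in ("any", proto) and r.dport in (None, dport)):
            return r.action
    return "deny"


CASES = [  # constructed flows worth checking in any review of this layout
    ("attacker", "www",   "tcp", 80), ("attacker", "www", "tcp", 22),
    ("attacker", "db",    "tcp", DB_PORT), ("attacker", "vpngw", "udp", 1194),
    ("www",      "db",    "tcp", DB_PORT), ("www", "db", "tcp", 22),
    ("www",      "dbrep", "tcp", DB_PORT), ("www", "admin", "tcp", 22),
    ("client",   "admin", "tcp", 443), ("client", "db", "tcp", DB_PORT),
    ("client",   "db",    "tcp", 22),
]


def report(policy, hosts=HOSTS):
    """Evaluate every constructed case; returns {(src, dst, proto, port): verdict}."""
    return {c: evaluate(policy, *c, hosts=hosts) for c in CASES}


if __name__ == "__main__":
    for label, hosts in (("DB on its own VLAN", HOSTS), ("DB in the DMZ", DB_IN_DMZ)):
        print(f"--- {label} ---")
        for (src, dst, proto, port), verdict in report(THREE_TIER, hosts).items():
            print(f"{src:>8} -> {dst:<6} {proto}/{port:<5} {verdict}")
```

Running the script prints the verdict table for both placements. With the DB on its own VLAN, www reaches the database on 3306 only, not on 22 and not on the replica, and no inside workstation reaches the database port at all, which is the separation the thread is after. With the DB moved into the DMZ the www-to-db flows come back "unfiltered": the database is still unreachable from outside, but the firewall no longer has any say in what a compromised web server may do to it. The same is true of www-to-admin in either layout, which is why Rowley's VLAN-per-tier suggestion, or a host firewall on each server, still matters inside a shared DMZ.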