Ideal network configuration for web server deployment

Dear all,

First of all I would like to thank any of you guys who took their time to read this post. I appreciate the service you offer.

First and foremost I am a programmer with a sore Achilles heel... I have always kept my knowledge level of networks to a minimum and it has come back to haunt me.

I have developed a web application that will be hosted on three servers and a backup server:
1 - Webserver
2 - Admin server
3 - Database server
4 - Replicated database server

The webserver's job is to service clients that access a public site. The machine needs direct access to the database server in order to fulfil a number of select/update SQL statements.

The Admin server hosts the administration site that manages the whole application. This server should be accessible to people within the company's local network, and a few people who connect from the outside world.

The database server services both the WWW and Admin server and needless to say should be the most protected.

I have conducted a lot of research and have accumulated a number of ideas, but I am still not entirely sure on the best options I have with regards to the network design that should be employed. The servers have been purchased, but I still need to buy the firewalls and switches that will complement the setup.

Could anyone give me a few tips on what network setup will protect the database in the best manner?

I also have the following questions which are related to this post:

1 - The admin server will service about 5-10 external users. Do you suggest making it only accessible via VPN?
2 - I will need the facility to service all 4 servers via VPN. Is this possible, since the DB server will be on a different tier?
3 - Do I need a firewall between the WWW/Admin servers and the Database?

I apologise for the long post and thank you all in anticipation.

Best regards





andregenoveseAsked:

RowleyCommented:
Usually, you might have your web server between an external and an internal firewall in a DMZ, allowing only http access through the public firewall then only DB connections from your web host through to your database.

You can separate the private network using vlans, allow only the admin workstation to connect through to your DB vlan and maybe use ssh keys with agents to prevent encrypted passwords flying about the network.

You can allow vpn back to your user network, then ask users to authenticate onto the admin server before connecting onto the db from there. This might provide you with an additional layer of security.

So...where's your infrastructure guy? On vacation?

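The DMZ design Rowley describes, as an added example that is not part of this thread: a small default-deny, first-match policy model in Python that lets you confirm every tier-to-tier flow is either explicitly permitted or dropped before the firewalls are bought and configured. The addresses (192.0.2.0/24 DMZ, 10.20.0.0/24 DB VLAN, 10.10.0.0/24 LAN/VPN), the admin workstation and the database port 5432 are constructed assumptions, not values from the thread.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample addressing: the thread names no addresses or ports.
ZONES = {
    "dmz":    ip_network("192.0.2.0/24"),   # web and admin servers
    "db":     ip_network("10.20.0.0/24"),   # database VLAN
    "inside": ip_network("10.10.0.0/24"),   # company LAN and VPN users
}                                           # anything else is "outside"
WEB, ADMIN, DB = "192.0.2.10", "192.0.2.20", "10.20.0.10"
ADMIN_WS = "10.10.0.50"   # the one workstation allowed through to the DB VLAN
DB_PORT = 5432            # assumed; use your database's real listener port

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dport: Optional[int] = None       # None means any port
    src_host: Optional[str] = None    # pin the rule to one source address
    dst_host: Optional[str] = None    # pin the rule to one destination

# Public firewall: only HTTP, only to the web server.  Internal firewall:
# only DB connections, only from the web/admin hosts and the single admin
# workstation Rowley mentions.  Nothing else crosses between tiers.
RULES = [
    Rule("outside", "dmz", 80, dst_host=WEB),
    Rule("dmz", "db", DB_PORT, src_host=WEB, dst_host=DB),
    Rule("dmz", "db", DB_PORT, src_host=ADMIN, dst_host=DB),
    Rule("inside", "db", DB_PORT, src_host=ADMIN_WS, dst_host=DB),
    Rule("inside", "dmz", None, dst_host=ADMIN),   # LAN/VPN users to admin site
]

def zone_of(addr: str) -> str:
    ip = ip_address(addr)
    return next((z for z, net in ZONES.items() if ip in net), "outside")

def allowed(src: str, dst: str, dport: int) -> bool:
    """True only if some rule explicitly permits this flow; default deny."""
    sz, dz = zone_of(src), zone_of(dst)
    for r in RULES:
        if (r.src_zone, r.dst_zone) != (sz, dz):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        if r.src_host not in (None, src) or r.dst_host not in (None, dst):
            continue
        return True
    return False
```

Note that the DB tier never appears as a source zone, so the database cannot initiate connections outward even if it is compromised; that is the property the separate tier buys you.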

andregenoveseAuthor Commented:
Hi,

Thanks for your comment.

"Usually, you might have your web server between an external and an internal firewall in a DMZ, allowing only http access through the public firewall then only DB connections from your web host through to your database. "

I understand and agree totally.

"You can separate the private network using vlans, allow only the admin workstation to connect through to your DB vlan and maybe use ssh keys with agents to prevent encrypted passwords flying about the network. "

The admin workstations need only connect to the Admin server, so I could block access to the DB VLAN from the private network. I assume that the firewall can be configured to allow access from the private network to the Admin server on the DMZ?

"You can allow vpn back to your user network, then ask users to authenticate onto the admin server before connecting onto the db from there. This might provide you with an additional layer of security."

Would this require an additional firewall, or can this feature be serviced by the same firewall connected to the webserver?

"So...where's your infrastructure guy? On vacation?"

:) good question... there isn't one at the moment. I will have to get someone to configure the firewalls, but I really want to understand what is good practice and what is not.

Thanks again

RowleyCommented:
You could have a single firewall with multiple interfaces, say a quad card in or multiple physical firewalls. Up to you really. VPN would be handled by a firewall or a device connected to the networks you want to provide access to.

To prevent general access to the DB vlan, only configure the management servers port with access, so you'd configure a trunk port which would allow access to vlans 10 and 20 for example. You can have a single interface on a server perform vlan tagging on packets, so you wouldn't necessarily need multiple physical interfaces.

hth.

kdearingCommented:
I would put the DB in the DMZ with the WWW. Otherwise you may take a performance hit with a lot of database transaction traffic going through the firewall unnecessarily. With, of course, no outside access to the db.

Firewall Rules:
outside -> dmz    only port 80, only to www
outside -> inside    VPN only
inside -> dmz    full access, only from admin
RowleyCommented:
Sorry, but the argument you put forward to put a DB in the DMZ because of performance holds no sway, imho. Firewalls are there to handle traffic. If yours is underperforming, it's not the location of the database that you need to look at.
kdearingCommented:
Point taken.
But it is still unnecessary traffic, additional firewall rules and VLAN configs.
I prefer the KISS method, keep it simple...