Ideal network configuration for web server deployment

Posted on 2008-11-05
Last Modified: 2012-05-05
Dear all,

First of all I would like to thank any of you guys who took their time to read this post. I appreciate the service you offer.

First and foremost I am a programmer with a sore Achilles heel... I have always kept my knowledge level of networks to a minimum and it has come back to haunt me.

I have developed a web application that will be hosted on three servers and a backup server:
1 - Webserver
2 - Admin server
3 - Database server
4 - Replicated database server

The webserver's job is to service clients that access a public site. The machine needs direct access to the database server in order to fulfil a number of select/update SQL statements.

The Admin server hosts the administration site that manages the whole application. This server should be accessible to people within the company's local network, and a few people who connect from the outside world.

The database server services both the WWW and Admin server and needless to say should be the most protected.

I have conducted a lot of research and have accumulated a number of ideas, but I am still not entirely sure on the best options I have with regards to the network design that should be employed. The servers have been purchased, but I still need to buy the firewalls and switches that will complement the setup.

Could anyone give me a few tips on what network setup will protect the database in the best manner?

I also have the following questions which are related to this post:

1 - The admin server will service about 5-10 external users. Do you suggest making it only accessible via VPN?
2 - I will need facility to service all 4 servers via VPN. Is this possible, since the DB server will be on a different tier?
3 - Do I need a firewall between the WWW/Admin servers and the Database?

I apologise for the long post and thank you all in anticipation.

Best regards

Question by: andregenovese

Accepted Solution by: Rowley
Usually, you might have your web server between an external and an internal firewall in a DMZ, allowing only http access through the public firewall then only DB connections from your web host through to your database.

You can separate the private network using vlans, allow only the admin workstation to connect through to your DB vlan and maybe use ssh keys with agents to prevent encrypted passwords flying about the network.

You can allow vpn back to your user network, then ask users to authenticate onto the admin server before connecting onto the db from there. This might provide you with an additional layer of security.

So...where's your infrastructure guy? On vacation?

Author Comment by: andregenovese
Hi,

Thanks for your comment.

"Usually, you might have your web server between an external and an internal firewall in a DMZ, allowing only http access through the public firewall then only DB connections from your web host through to your database. "

I understand and agree totally.

"You can separate the private network using vlans, allow only the admin workstation to connect through to your DB vlan and maybe use ssh keys with agents to prevent encrypted passwords flying about the network. "

The admin workstations need only connect to the Admin server, so I could block access to the DB Vlan from the private network. I assume that the firewall can be configured to allow access from the private network to the Admin server on the DMZ?

"You can allow vpn back to your user network, then ask users to authenticate onto the admin server before connecting onto the db from there. This might provide you with an additional layer of security."

Would this require an additional firewall, or can this feature be serviced by the same firewall connected to the webserver?

"So...where's your infrastructure guy? On vacation?"

:) good question... there isn't one at the moment. I will have to get someone to configure the firewalls, but I really want to understand what is good practice and what is not.

Thanks again

Expert Comment by: Rowley
You could have a single firewall with multiple interfaces, say a quad card in or multiple physical firewalls. Up to you really. VPN would be handled by a firewall or a device connected to the networks you want to provide access to.

To prevent general access to the DB vlan, only configure the management server's port with access, so you'd configure a trunk port which would allow access to vlans 10 and 20 for example. You can have a single interface on a server perform vlan tagging on packets, so you wouldn't necessarily need multiple physical interfaces.

hth.
Expert Comment by: kdearing
I would put the DB in the DMZ with the WWW. Otherwise you may take a performance hit with a lot of database transaction traffic going through the firewall unnecessarily. With, of course, no outside access to the db.

Firewall Rules:
outside -> dmz    only port 80, only to www
outside -> inside    VPN only
inside -> dmz    full access, only from admin
Expert Comment by: Rowley
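A small model of the zone policy discussed in this thread, added here as example code (not from any of the posters): the web host sits in the DMZ, the database on its own VLAN behind the inner firewall, and only the application hosts may reach it on the database port, in the spirit of Rowley's accepted answer and kdearing's rule table above. The addresses, the 3306 database port and the assumption that VPN users land in the inside address range after authenticating are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing for the three-tier layout discussed in the thread
# (all addresses are made up for this example). Anything not listed is "outside".
ZONES = {
    "dmz":    ipaddress.ip_network("192.0.2.0/24"),   # www and admin servers
    "db":     ipaddress.ip_network("10.20.0.0/24"),   # database VLAN behind the inner firewall
    "inside": ipaddress.ip_network("10.10.0.0/24"),   # company LAN, also the (assumed) VPN address pool
}
WWW, ADMIN, DB = "192.0.2.10", "192.0.2.20", "10.20.0.10"

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    src_hosts: tuple = ()   # () means any host in src_zone
    dst_hosts: tuple = ()   # () means any host in dst_zone
    ports: tuple = ()       # () means any TCP port

# Allow list in the style of kdearing's table; anything that matches no rule is dropped.
RULES = [
    Rule("outside", "dmz", dst_hosts=(WWW,), ports=(80, 443)),                 # public site only
    Rule("inside", "dmz", dst_hosts=(ADMIN,), ports=(443,)),                   # staff and VPN users reach the admin site
    Rule("dmz", "db", src_hosts=(WWW, ADMIN), dst_hosts=(DB,), ports=(3306,)), # only the app hosts, only the DB port
]

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), "outside")

def allowed(src, dst, port):
    """True if a TCP flow src -> dst:port matches an allow rule (first match wins)."""
    zones = (zone_of(src), zone_of(dst))
    for r in RULES:
        if (r.src_zone, r.dst_zone) == zones \
                and (not r.src_hosts or src in r.src_hosts) \
                and (not r.dst_hosts or dst in r.dst_hosts) \
                and (not r.ports or port in r.ports):
            return True
    return False   # default deny: outside -> db, inside -> db, etc. all end here

if __name__ == "__main__":
    # Flows the original poster asked about: public users, a direct hit on the DB,
    # a LAN workstation trying the DB straight, and the web host doing its job.
    for src, dst, port in [("198.51.100.7", WWW, 443), ("198.51.100.7", DB, 3306),
                           ("10.10.0.5", DB, 3306), (WWW, DB, 3306)]:
        print(f"{src} -> {dst}:{port}", "ALLOW" if allowed(src, dst, port) else "DENY")
```

Running the candidate flows through such a table before the firewalls are configured makes the intended answer to question 3 explicit: the only path to the database is from the two application hosts, on one port.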
Sorry, but the argument you put forward to put a db in the dmz because of performance holds no sway, imho. Firewalls are there to handle traffic. If yours is under performing, it's not the location of the database that you need to look at.
Expert Comment by: kdearing
Point taken.
But it is still unnecessary traffic, additional firewall rules and VLAN configs.
I prefer the KISS method, keep it simple...