Solved

How do I configure a web hosting network

Posted on 2011-03-01
360 Views
Last Modified: 2012-05-11
Hello,

I have a small business and I'm bringing my web site and a handful of web applications in-house. Here is what I have.

1 database server with SQL Server
1 File Server
1 Web Server IIS 7
10 Local Client machines
1 Static IP

My question is what is the best practice for setting up this type of network. Do I simply connect all my devices to a centralized LAN and use port forwarding to direct HTTP requests to the mail server?

Does that leave my database server open for attack from the Web?

Do I need to separate the client machines and the database server from the incoming web traffic?

Thanks for your help,
gtar
Question by:gtar
9 Comments
 
LVL 13

Accepted Solution

by:
GuruChiu earned 167 total points
ID: 35014965
Cheap solution - connect everything onto your internal LAN and use port forwarding like you describe. The problem is that if for any reason your web or mail server is hacked, the hacker can use it as a jumping board to hack other machines in your LAN.

Common practice - if you have budget to purchase a firewall with DMZ (a separate zone on the firewall), you can put your internet facing servers on DMZ to isolate those from your internal network.
LVL 15

Assisted Solution

by:WalkaboutTigger
WalkaboutTigger earned 167 total points
ID: 35014981
I would recommend a small-business-class firewall such as a Sonicwall or Cisco ASA5505.
The Web server would be placed on a DMZ.  The database server would be placed on the trusted segment along with the file server and the clients.
The web server would be allowed to access the SQL server only and only on the necessary port to talk to the SQL server instance.
The clients would be allowed to access the web server and the Internet.
The Internet side would only be allowed access to the web server on ports 80 and 443 (HTTP and HTTPS).
LVL 12

Assisted Solution

by:Hilal1924
Hilal1924 earned 166 total points
ID: 35014982

My question is what is the best practice for setting up this type of network. Do I simply connect all my devices to a centralized LAN and use port forwarding to direct HTTP requests to the mail server?


Your assumption is right. You will need to put your web server either in a DMZ or use port forwarding from your firewall. You will need to use static NAT to translate the private IP address of your web server to the static IP that you have.

Best practice is that your client machines and database server should NOT be accessible from outside; it is a HUGE risk. I don't think you will be able to accept incoming connections to your client machines anyway due to limitations in static IPs.

The best thing to do in this scenario will be to put your web server in a DMZ and then allow the web server to connect to your internal database server. Outside connections should not go directly to your database server.

Here is a good article that you can follow.

http://knowledge.3essentials.com/web-hosting/article/304/Security-Best-Practices.html
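The two answers above describe the same policy in words: the web server sits in a DMZ, the single static IP is NAT'd to it, the Internet may reach it on 80/443 only, the web server may reach the SQL server on the SQL port only, and clients may reach the web server and the Internet. The following is an added example, not code from any of the experts or from any firewall vendor: a small first-match zone policy model that encodes that rule set and lets you audit sample flows against it before you type it into a SonicWall, ASA or pfSense. The zone names, the private subnets, the public address (203.0.113.10, from the TEST-NET-3 documentation range) and the SQL Server port 1433 are all assumptions for illustration.

```python
"""Zone-based firewall policy model for a DMZ / trusted-LAN / Internet layout.

Added example; not the experts' code. All addresses, zone names and the
SQL port (1433, the default SQL Server TCP port) are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed addressing: one public IP, a DMZ subnet and a trusted LAN subnet.
PUBLIC_IP = ip_address("203.0.113.10")       # the business's single static IP (assumed)
ZONES = {
    "dmz": ip_network("192.168.10.0/24"),
    "trusted": ip_network("192.168.20.0/24"),
}
WEB_SERVER = ip_address("192.168.10.5")      # IIS 7 host in the DMZ
SQL_SERVER = ip_address("192.168.20.5")      # SQL Server on the trusted segment
FILE_SERVER = ip_address("192.168.20.6")     # file server on the trusted segment
SQL_PORT = 1433                              # assumed SQL Server instance port


def zone_of(addr) -> str:
    """Map an address to a zone; anything outside the private subnets is 'internet'."""
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str              # zone name or "*" for any
    dst_zone: str              # zone name or "*" for any
    dst_host: Optional[str]    # None = any host in dst_zone
    dst_ports: frozenset       # empty = any port
    action: str                # "allow" or "deny"


# First-match ruleset mirroring the answers above, with an explicit deny-all
# at the end so every flow that is not listed is dropped.
POLICY = [
    Rule("internet", "dmz", str(WEB_SERVER), frozenset({80, 443}), "allow"),
    Rule("dmz", "trusted", str(SQL_SERVER), frozenset({SQL_PORT}), "allow"),
    Rule("trusted", "dmz", str(WEB_SERVER), frozenset({80, 443}), "allow"),
    Rule("trusted", "internet", None, frozenset(), "allow"),
    Rule("*", "*", None, frozenset(), "deny"),
]


def static_nat(dst):
    """Destination NAT: the one public IP is translated to the DMZ web server."""
    return WEB_SERVER if dst == PUBLIC_IP else dst


def evaluate(src: str, dst: str, port: int) -> str:
    """Return 'allow' or 'deny' for a TCP flow src -> dst:port after NAT."""
    s, d = ip_address(src), static_nat(ip_address(dst))
    sz, dz = zone_of(s), zone_of(d)
    if sz == dz and sz != "internet":
        # Hosts on the same segment talk through the switch, not the firewall,
        # so the policy cannot filter them (e.g. clients to the SQL server).
        return "allow"
    for r in POLICY:
        if r.src_zone not in ("*", sz):
            continue
        if r.dst_zone not in ("*", dz):
            continue
        if r.dst_host is not None and str(d) != r.dst_host:
            continue
        if r.dst_ports and port not in r.dst_ports:
            continue
        return r.action
    return "deny"


def audit(flows):
    """Evaluate a list of (src, dst, port) tuples; returns [(src, dst, port, action)]."""
    return [(s, d, p, evaluate(s, d, p)) for s, d, p in flows]


# Constructed sample flows, including what a compromised DMZ web server might try.
SAMPLE_FLOWS = [
    ("198.51.100.7", str(PUBLIC_IP), 443),      # visitor to the site via NAT
    ("198.51.100.7", str(PUBLIC_IP), SQL_PORT), # visitor probing SQL through NAT
    ("198.51.100.7", str(SQL_SERVER), SQL_PORT),# visitor aiming straight at the DB
    (str(WEB_SERVER), str(SQL_SERVER), SQL_PORT),   # the one DMZ->trusted flow allowed
    (str(WEB_SERVER), str(FILE_SERVER), 445),       # DMZ host reaching for file shares
    ("192.168.20.50", str(WEB_SERVER), 80),         # client testing the site
    ("192.168.20.50", "198.51.100.7", 443),         # client browsing the Internet
]

if __name__ == "__main__":
    for src, dst, port, action in audit(SAMPLE_FLOWS):
        print(f"{src:>15} -> {dst:>15}:{port:<5} {action}")
```

The value of writing the policy down this way is the last deny-all rule and the audit list: the flows a visitor could attempt against the database, and the flows a compromised web server could attempt against the trusted segment, are denied because nothing allows them, not because someone remembered to block them. One caveat the model makes visible is that the DMZ has no outbound rule at all, so the web server cannot reach the Internet for updates or DNS until you add an explicit, narrowly scoped egress rule; that is the intended starting point, not an oversight.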
Author Comment

by:gtar
ID: 35015088
What about the use of a Domain Controller?
Are there any advantages or requirements for me to set up a local domain?
If so, how does this affect the web server on the DMZ side of the firewall?
LVL 15

Expert Comment

by:WalkaboutTigger
ID: 35015238
The web server would NOT be in the domain as the domain controller would be on the trusted network segment.
Author Comment

by:gtar
ID: 35017958
Thanks for your assistance on this. I'm a software developer who needs to brush up on networking design.

I have uploaded a network diagram.
Does this look appropriate?
What about the multiple NICs on the servers? Do they load balance? Should I use more than one?

Thanks again! Network-Diagram.pdf
Author Comment

by:gtar
ID: 35018043
Are there any suggestions on the firewall? I'm needing something with Gigabit connections and adequate security features. I also would like to keep it under $1,000.
LVL 13

Expert Comment

by:GuruChiu
ID: 35021133
The diagram looks good except that the router/firewall typically is one device. There are router/firewalls that support multiple interfaces.

I am not aware of any new name-brand firewall/router under US$1,000 that has GE interfaces. However, typically for internet applications your ISP bandwidth is limited to 100Mbps or less, and there is no need for GE unless you expect a lot of traffic between your web server and internal network.
LVL 1

Expert Comment

by:BasementCat
ID: 35023411
If you're really stuck both on price and gigabit ethernet, there are software firewalls out there (pfsense, ipcop, monowall, smoothwall, etc) that will run on almost any standard PC hardware - all you have to do is add extra network cards.  The downside, of course, is that you lose the reliability of a hardware firewall, though I've seen ipcop machines run for years with no issues.  However, as GuruChiu says, there is almost no scenario in which you'd actually need a firewall capable of handling that much traffic, because at that point the firewall is not going to be the bottleneck of your website.