How do I configure a web hosting network

Hello,

I have a small business and I'm bringing my web site and a handful of web applications in-house. Here is what I have.

1 database server with SQL Server
1 Files Server
1 Web Server IIS 7
10 Local Client machines
1 Static IP

My question is what is the best practice for setting up this type of network. Do I simply connect all my devices to a centralized LAN and use port forwarding to direct HTTP requests to the mail server?

Does that leave my database server open for attack from the Web?

Do I need to separate the client machines and the database server from the incoming web traffic?

Thanks for your help,
gtar
GuruChiu commented:
Cheap solution - connect everything onto your internal LAN and use port forwarding like you describe. The problem is if for any reason your web or mail server is hacked, the hacker can use this as a jumping board to hack other machines in your LAN.

Common practice - if you have budget to purchase a firewall with DMZ (a separate zone on the firewall), you can put your internet facing servers on DMZ to isolate those from your internal network.

Darrell Porter (Enterprise Business Process Architect) commented:
I would recommend a small-business-class firewall such as a Sonicwall or Cisco ASA5505.
The Web server would be placed on a DMZ.  The database server would be placed on the trusted segment along with the file server and the clients.
The web server would be allowed to access the SQL server only and only on the necessary port to talk to the SQL server instance.
The clients would be allowed to access the web server and the Internet.
The Internet side would only be allowed access to the web server on ports 80 and 443 (HTTP and HTTPS).

Hilal1924 commented:

"My question is what is the best practice for setting up this type of network. Do I simply connect all my devices to a centralized LAN and use port forwarding to direct HTTP requests to the mail server?"


Your assumption is right. You will need to put your web server either in a DMZ or use port forwarding from your firewall. You will need to use static NAT to translate the private IP address of your web server to the static IP that you have.

Best practice is that your client machines and database server should NOT be accessible from outside; it is a HUGE risk. I don't think you will be able to accept incoming connections anyway to your client machines due to limitations in static IPs.

Best thing to do in this scenario will be to put your web server in a DMZ and then allow the web server to connect to your internal database server. Outside connections should not go directly to your database server.

Here is a good article that you can follow.

http://knowledge.3essentials.com/web-hosting/article/304/Security-Best-Practices.html
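Added example, not posted by any participant in this thread: a small Python model of the rule set Darrell Porter and Hilal1924 describe above (static NAT of the one public IP to the web server, the Internet allowed only to the web server on 80/443, the web server allowed only to SQL Server on its listening port, clients allowed to the web server and the Internet, everything else dropped by default). The addresses, the host names and the use of SQL Server's default port 1433 are assumed placeholders, not values from the thread. The point of running it is to confirm that a compromised web server cannot reach the file server, the domain controller, or anything else on the trusted segment.

```python
"""Three-zone firewall policy model: trusted LAN, DMZ, Internet.

Constructed example. All addresses are hypothetical placeholders (RFC 1918
for the private segments, RFC 5737 documentation ranges for public ones).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed addressing: one public static IP, one trusted /24, one DMZ /24.
PUBLIC_IP = ip_address("203.0.113.10")     # the single static IP from the ISP
TRUSTED = ip_network("192.168.10.0/24")    # clients, file server, SQL, DC
DMZ = ip_network("192.168.20.0/24")        # Internet-facing hosts only

WEB_SERVER = ip_address("192.168.20.10")
SQL_SERVER = ip_address("192.168.10.20")
FILE_SERVER = ip_address("192.168.10.21")
DOMAIN_CONTROLLER = ip_address("192.168.10.5")
SQL_PORT = 1433  # assumed: default instance on its default TCP port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def zone_of(addr) -> str:
    """Classify an address into the zone the firewall interface belongs to."""
    a = ip_address(addr)
    if a in DMZ:
        return "dmz"
    if a in TRUSTED:
        return "trusted"
    return "internet"


def inbound_nat(pkt: Packet) -> Packet:
    """Static NAT: anything addressed to the public IP lands on the web server.

    Only the destination is rewritten; the policy below still decides whether
    the translated packet is allowed (so public_ip:1433 is NAT'd then denied).
    """
    if ip_address(pkt.dst) == PUBLIC_IP:
        return Packet(pkt.src, str(WEB_SERVER), pkt.dport, pkt.proto)
    return pkt


# (src_zone, src_hosts, dst_zone, dst_hosts, dports); None means "any".
# Order matters only for overlap; there is no overlap here, and there is no
# "allow all" rule, so anything unmatched falls through to deny.
RULES = [
    ("internet", None, "dmz", {WEB_SERVER}, {80, 443}),      # public web
    ("dmz", {WEB_SERVER}, "trusted", {SQL_SERVER}, {SQL_PORT}),  # app -> DB only
    ("trusted", None, "dmz", {WEB_SERVER}, {80, 443}),       # staff use the site
    ("trusted", None, "internet", None, None),               # staff browse out
]


def policy(pkt: Packet) -> str:
    """Return 'allow' or 'deny' for a new connection, after static NAT."""
    pkt = inbound_nat(pkt)
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    for rule_src_zone, src_hosts, rule_dst_zone, dst_hosts, dports in RULES:
        if src_zone != rule_src_zone or dst_zone != rule_dst_zone:
            continue
        if src_hosts is not None and src not in src_hosts:
            continue
        if dst_hosts is not None and dst not in dst_hosts:
            continue
        if dports is not None and pkt.dport not in dports:
            continue
        return "allow"
    return "deny"  # default deny: nothing reaches the trusted segment unasked


def lateral_movement_from_web_server() -> dict:
    """What a compromised web server can reach on the trusted segment."""
    probes = {
        "sql_1433": Packet(str(WEB_SERVER), str(SQL_SERVER), SQL_PORT),
        "sql_rdp": Packet(str(WEB_SERVER), str(SQL_SERVER), 3389),
        "file_smb": Packet(str(WEB_SERVER), str(FILE_SERVER), 445),
        "dc_ldap": Packet(str(WEB_SERVER), str(DOMAIN_CONTROLLER), 389),
        "client_smb": Packet(str(WEB_SERVER), "192.168.10.50", 445),
    }
    return {name: policy(p) for name, p in probes.items()}


if __name__ == "__main__":
    for name, verdict in lateral_movement_from_web_server().items():
        print(f"{name:12s} {verdict}")
```

Translate the RULES list one for one into the firewall's zone policy and keep SQL Server on a fixed TCP port: a named instance uses a dynamic port by default, which would force a port range (plus UDP 1434 for the SQL Browser) to be opened from the DMZ instead of the single port the answers above describe.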

gtar (author) commented:
What about the use of Domain Controller?
Is there any advantages or requirements for me to set up a local domain?
If so, how does this affect the web server on the DMZ side of the firewall?

Darrell Porter (Enterprise Business Process Architect) commented:
The web server would NOT be in the domain as the domain controller would be on the trusted network segment.

gtar (author) commented:
Thanks for your assistance on this. I'm a software developer who needs to brush up on networking design.

I have uploaded a network diagram.
Does this look appropriate?
What about the multiple NICs on the servers? Do they load balance? Should I use more than one?

Thanks again! (Attachment: Network-Diagram.pdf)

gtar (author) commented:
Are there any suggestions on the firewall? I'm needing something with Gigabit connections and adequate security features. I also would like to keep it under $1,000.

GuruChiu commented:
The diagram looks good except that the router/firewall typically is one device. There are router/firewalls that support multiple interfaces.

I am not aware of any new name-brand firewall/router under US$1,000 that has GE interfaces. However, typically for internet applications your ISP bandwidth is limited to 100Mbps or less, and there is no need for GE unless you expect a lot of traffic between your web server and internal network.

BasementCat commented:
If you're really stuck both on price and gigabit ethernet, there are software firewalls out there (pfsense, ipcop, monowall, smoothwall, etc) that will run on almost any standard PC hardware - all you have to do is add extra network cards.  The downside, of course, is that you lose the reliability of a hardware firewall, though I've seen ipcop machines run for years with no issues.  However, as GuruChiu says, there is almost no scenario in which you'd actually need a firewall capable of handling that much traffic, because at that point the firewall is not going to be the bottleneck of your website.