Solved

How do I configure a web hosting network

Posted on 2011-03-01
Last Modified: 2012-05-11
Hello,

I have a small business and I'm bringing my web site and a handful of web applications in-house. Here is what I have.

1 database server with SQL Server
1 Files Server
1 Web Server IIS 7
10 Local Client machines
1 Static IP

My question is what is the best practice for setting up this type of network. Do I simply connect all my devices to a centralized LAN and use port forwarding to direct HTTP requests to the mail server?

Does that leave my database server open for attack from the Web?

Do I need to separate the client machines and the database server from the incoming web traffic?

Thanks for your help,
gtar
Question by:gtar
9 Comments
 
LVL 13

Accepted Solution

by:
GuruChiu earned 668 total points
ID: 35014965
Cheap solution - connect everything to your internal LAN and use port forwarding like you describe. The problem is that if for any reason your web or mail server is hacked, the hacker can use it as a jumping board to hack other machines in your LAN.

Common practice - if you have the budget to purchase a firewall with a DMZ (a separate zone on the firewall), you can put your internet-facing servers in the DMZ to isolate them from your internal network.
0
 
LVL 15

Assisted Solution

by:WalkaboutTigger
WalkaboutTigger earned 668 total points
ID: 35014981
I would recommend a small-business-class firewall such as a Sonicwall or Cisco ASA5505.
The Web server would be placed on a DMZ.  The database server would be placed on the trusted segment along with the file server and the clients.
The web server would be allowed to access the SQL server only and only on the necessary port to talk to the SQL server instance.
The clients would be allowed to access the web server and the Internet.
The Internet side would only be allowed access to the web server on ports 80 and 443 (HTTP and HTTPS).
0
 
LVL 12

Assisted Solution

by:Hilal1924
Hilal1924 earned 664 total points
ID: 35014982

My question is what is the best practice for setting up this type of network. Do I simply connect all my devices to a centralized LAN and use port forwarding to direct HTTP requests to the mail server?


Your assumption is right. You will need to put your web server either in a DMZ or use port forwarding from your firewall. You will need to use static NAT to translate the private IP address of your web server to the static IP that you have.

Best practice is that your client machines and database server should NOT be accessible from outside; it is a HUGE risk. I don't think you will be able to accept incoming connections to your client machines anyway due to limitations in static IPs.

The best thing to do in this scenario will be to put your web server in a DMZ and then allow the web server to connect to your internal database server. Outside connections should not go directly to your database server.

Here is a good article that you can follow.

http://knowledge.3essentials.com/web-hosting/article/304/Security-Best-Practices.html
0
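The zone policy from the two answers above (web server in a DMZ, SQL Server reachable only from the web server, only ports 80 and 443 open from the Internet, inbound NAT from the static IP to the web server), written as an nftables ruleset for a Linux firewall with three network cards. This is an added example and not part of any poster's reply; the interface names, the addresses, the SSH management rule and SQL Server port 1433 (the default-instance port) are assumptions.

```nftables
#!/usr/sbin/nft -f
# Constructed example: interface names and addresses are assumptions.
flush ruleset

define wan_if  = "eth0"          # Internet side, carries the one static IP
define dmz_if  = "eth1"          # DMZ: web server only
define lan_if  = "eth2"          # trusted: SQL Server, file server, clients
define web_srv = 192.168.50.10   # IIS host in the DMZ (assumed address)
define sql_srv = 192.168.10.20   # SQL Server on the trusted segment (assumed)

table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        iifname "lo" accept
        # Assumed: the firewall itself is managed over SSH from the LAN only
        iifname $lan_if tcp dport 22 accept
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop

        # Internet -> web server: HTTP and HTTPS only
        iifname $wan_if oifname $dmz_if ip daddr $web_srv tcp dport { 80, 443 } accept
        # Web server -> SQL Server only, on the instance port only
        iifname $dmz_if oifname $lan_if ip saddr $web_srv ip daddr $sql_srv tcp dport 1433 accept
        # Clients -> web server, and clients -> Internet
        iifname $lan_if oifname $dmz_if ip daddr $web_srv tcp dport { 80, 443 } accept
        iifname $lan_if oifname $wan_if accept

        # Anything else (Internet -> LAN, DMZ -> LAN, DMZ -> Internet) falls
        # through to the drop policy; log a sample of it for review.
        limit rate 10/minute log prefix "fw-drop: "
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Port forwarding: only web ports on the public IP reach the DMZ host
        iifname $wan_if tcp dport { 80, 443 } dnat to $web_srv
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname $wan_if masquerade
    }
}
```

Running `nft -c -f` on the file checks the ruleset without loading it. Because the forward chain defaults to drop, a compromised web server can open connections only to the SQL Server port and nothing else on the trusted segment.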

 

Author Comment

by:gtar
ID: 35015088
What about the use of a Domain Controller?
Are there any advantages or requirements for me to set up a local domain?
If so, how does this affect the web server on the DMZ side of the firewall?
0
 
LVL 15

Expert Comment

by:WalkaboutTigger
ID: 35015238
The web server would NOT be in the domain as the domain controller would be on the trusted network segment.
0
 

Author Comment

by:gtar
ID: 35017958
Thanks for your assistance on this. I'm a software developer who needs to brush up on networking design.

I have uploaded a network diagram.
Does this look appropriate?
What about the multiple NICs on the servers? Do they load balance? Should I use more than one?

Thanks again! Network-Diagram.pdf
0
 

Author Comment

by:gtar
ID: 35018043
Are there any suggestions on the firewall? I'm needing something with Gigabit connections and adequate security features. I also would like to keep it under $1,000.
0
 
LVL 13

Expert Comment

by:GuruChiu
ID: 35021133
The diagram looks good except that the router/firewall typically is one device. There are router/firewalls that support multiple interfaces.

I am not aware of any new name-brand firewall/router under US$1,000 that has GE interfaces. However, typically for internet applications, your ISP bandwidth is limited to 100Mbps or less and there is no need for GE unless you expect a lot of traffic between your web server and internal network.
0
 
LVL 1

Expert Comment

by:BasementCat
ID: 35023411
If you're really stuck both on price and gigabit ethernet, there are software firewalls out there (pfsense, ipcop, monowall, smoothwall, etc) that will run on almost any standard PC hardware - all you have to do is add extra network cards.  The downside, of course, is that you lose the reliability of a hardware firewall, though I've seen ipcop machines run for years with no issues.  However, as GuruChiu says, there is almost no scenario in which you'd actually need a firewall capable of handling that much traffic, because at that point the firewall is not going to be the bottleneck of your website.
0
