Solved

How do I configure a web hosting network

Posted on 2011-03-01
Last Modified: 2012-05-11
Hello,

I have a small business and I'm bringing my web site and a handful of web applications in-house. Here is what I have.

1 database server with SQL Server
1 Files Server
1 Web Server IIS 7
10 Local Client machines
1 Static IP

My question is what is the best practice for setting up this type of network. Do I simply connect all my devices to a centralized LAN and use port forwarding to direct HTTP requests to the mail server?

Does that leave my database server open for attack from the Web?

Do I need to separate the client machines and the database server from the incoming web traffic?

Thanks for your help,
gtar
Question by:gtar
 
LVL 13

Accepted Solution

by:
GuruChiu earned 167 total points
ID: 35014965
Cheap solution - connect everything onto your internal LAN and use port forwarding like you describe. The problem is if for any reason your web or mail server is hacked, the hacker can use it as a jumping board to hack other machines in your LAN.

Common practice - if you have the budget to purchase a firewall with a DMZ (a separate zone on the firewall), you can put your internet-facing servers on the DMZ to isolate them from your internal network.
 
LVL 15

Assisted Solution

by:WalkaboutTigger
WalkaboutTigger earned 167 total points
ID: 35014981
I would recommend a small-business-class firewall such as a Sonicwall or Cisco ASA5505.
The Web server would be placed on a DMZ.  The database server would be placed on the trusted segment along with the file server and the clients.
The web server would be allowed to access the SQL server only and only on the necessary port to talk to the SQL server instance.
The clients would be allowed to access the web server and the Internet.
The Internet side would only be allowed access to the web server on ports 80 and 443 (HTTP and HTTPS).
0
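The two layouts compared in the answers above, modelled as an added example that is not part of any post in this thread. The host names, zone names and listening ports are constructed, and TCP 1433 is assumed as the SQL Server port; it lists what a compromised web server could reach on a flat LAN versus behind the DMZ rules just described.

```python
# Added example: constructed host names, zones and listening ports (assumptions).
# 1433 is SQL Server's default TCP port; the thread only says "the necessary port".
SERVICES = {
    "web": {80, 443},
    "sql": {1433},
    "files": {445},
    "client": {3389},
}

# Firewall policy from the answer above: (source, destination, ports); None = any port.
# A selector is either a host name or a zone name. Anything not listed is denied.
RULES = [
    ("wan", "web", {80, 443}),   # Internet -> web server, HTTP/HTTPS only
    ("web", "sql", {1433}),      # web server -> SQL Server instance only
    ("lan", "web", {80, 443}),   # clients -> web server
    ("lan", "wan", None),        # clients -> Internet
]

# The two layouts discussed in the thread: everything on one LAN vs. web server in a DMZ.
FLAT = {"internet": "wan", "web": "lan", "sql": "lan", "files": "lan", "client": "lan"}
DMZ = {**FLAT, "web": "dmz"}


def allowed(zones, src, dst, port):
    """True if src can open a TCP connection to dst:port in the given layout."""
    if zones[src] == zones[dst]:
        return True  # same segment: switched locally, the firewall never sees it
    for rule_src, rule_dst, ports in RULES:
        if (rule_src in (src, zones[src]) and rule_dst in (dst, zones[dst])
                and (ports is None or port in ports)):
            return True
    return False  # default deny between zones


def reachable_from(zones, src):
    """Listening services that src can reach: the exposure if src is compromised."""
    return sorted(
        (host, port)
        for host, ports in SERVICES.items() if host != src
        for port in ports
        if allowed(zones, src, host, port)
    )


if __name__ == "__main__":
    for name, zones in (("flat LAN", FLAT), ("DMZ", DMZ)):
        print(name, "| from internet:", reachable_from(zones, "internet"))
        print(name, "| from web:     ", reachable_from(zones, "web"))
```

In both layouts the Internet reaches only the web server on 80 and 443; the difference shows up in the second line of output, where the flat LAN exposes every internal service to the web server and the DMZ layout exposes only the SQL port.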
 
LVL 12

Assisted Solution

by:Hilal1924
Hilal1924 earned 166 total points
ID: 35014982

My question is what is the best practice for setting up this type of network. Do I simply connect all my devices to a centralized LAN and use port forwarding to direct HTTP requests to the mail server?


Your assumption is right. You will need to put your web server either in a DMZ or use port forwarding from your firewall. You will need to use static NAT to translate the private IP address of your web server to the static IP that you have.

Best practice is that your client machines and database server should NOT be accessible from outside; it is a HUGE risk. I don't think you will be able to accept incoming connections anyway to your client machines due to limitations in static IPs.

The best thing to do in this scenario will be to put your web server in a DMZ and then allow the web server to connect to your internal database server. Outside connections should not go directly to your database server.

Here is a good article that you can follow.

http://knowledge.3essentials.com/web-hosting/article/304/Security-Best-Practices.html
 

Author Comment

by:gtar
ID: 35015088
What about the use of a Domain Controller?
Are there any advantages or requirements for me to set up a local domain?
If so, how does this affect the web server on the DMZ side of the firewall?
 
LVL 15

Expert Comment

by:WalkaboutTigger
ID: 35015238
The web server would NOT be in the domain as the domain controller would be on the trusted network segment.
 

Author Comment

by:gtar
ID: 35017958
Thanks for your assistance on this. I'm a software developer who needs to brush up on networking design.

I have uploaded a network diagram.
Does this look appropriate?
What about the multiple NICs on the servers? Do they load balance? Should I use more than one?

Thanks again!

Attachment: Network-Diagram.pdf
 

Author Comment

by:gtar
ID: 35018043
Are there any suggestions on the firewall? I need something with Gigabit connections and adequate security features. I also would like to keep it under $1,000.
 
LVL 13

Expert Comment

by:GuruChiu
ID: 35021133
The diagram looks good except that the router/firewall typically is one device. There are router/firewalls that support multiple interfaces.

I am not aware of any new name-brand firewall/router under US$1,000 that has GE interfaces. However, typically for internet applications, your ISP bandwidth is limited to 100Mbps or less and there is no need for GE unless you expect a lot of traffic between your web server and internal network.
 
LVL 1

Expert Comment

by:BasementCat
ID: 35023411
If you're really stuck both on price and gigabit ethernet, there are software firewalls out there (pfsense, ipcop, monowall, smoothwall, etc) that will run on almost any standard PC hardware - all you have to do is add extra network cards.  The downside, of course, is that you lose the reliability of a hardware firewall, though I've seen ipcop machines run for years with no issues.  However, as GuruChiu says, there is almost no scenario in which you'd actually need a firewall capable of handling that much traffic, because at that point the firewall is not going to be the bottleneck of your website.