Solved

Safest way to publish web services?

Posted on 2011-09-28
3
549 Views
Last Modified: 2012-08-13
Hi,

Please can you give your opinion on the safest way to host internal web services?

We have 2 options…

1st option is that we simply place the web server in to a DMZ off the corporate firewall – Cisco ASA 5500. We would just allow connections to come in to the web server in the DMZ on ports 80 and 443, there is a static NAT rule on ASA to facilitate this. The web server would not be a member of the corporate domain, and would have no connectivity through the firewall to the inside network.

2nd option is that we locate the web server on the inside network. In addition, we host a unihomed Microsoft ISA 2006 server in the DMZ. We instead allow the port 80 and 443 connections to come in to the ISA server in the DMZ, then we allow the ISA server to access the web server on the inside network through the ASA firewall on ports 80 and 443. The ISA server will be acting as a reverse web proxy server and would not be a domain member.

Please can you somebody advise which option is more secure. and maybe provide pros and cons for each. would either setup work well, or is 1 option more secure than the other.

appreciate your feedback, and will respond quickly to any questions.

thanks,

L-Plate
0
Comment
Question by:L-Plate
  • 2
3 Comments
 
LVL 10

Accepted Solution

by:
ienaxxx earned 500 total points
ID: 36716297
Hi,
the second option is the more secure, since it also check for viruses in uploaded files and has APPLICATION FILTERING, that is: check that the commands passing here are really HTTP commands.

Top security would be achieved using a TMG 2010 , that has rules that identify exploit traffic, updated really often. So, if you are using IIS and, for example, they discover a 0 day vuln, you'll be protected even in the meantime before the necessary patches.

Additionally, i can suggest you to host both ISA/TMG AND the public webserver on the DMZ.


Moreover, i suggest you to study on ISA / TMG documentation to deploy your customized protection rules set.

HTH, Bye!
0
 

Author Comment

by:L-Plate
ID: 36716416
thanks ienaxxx for your quick reply.

it was my feeling that the 2nd option was best based on the layer 7 inspection. of course we only get layer 3 and 4 inspection on standard firewall.

to be honest, the 2nd option is the way that we currently have this configured in our network, but we DO have the public web server on the inside network. is this ok how it is, or do you strongly advise against this. Just FYI, we only allow the ISA server to talk to the web server on the inside network on ports 80 and 443. is this safe or should we move it in to the DMZ?
0
 

Author Closing Comment

by:L-Plate
ID: 36890688
Thanks for your help!
0

Featured Post

Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

Join & Write a Comment

Suggested Solutions

If you have an ASA5510 then this sort of thing would be better handled with a CSC Module, however on an ASA5505 thats not an option, and if you want to throw in a quick solution to stop your staff going to facebook during work time, then this is the…
When it comes to showing a 404 error page to your visitors, you do not want that generic page to show, and you especially do not want your hosting provider’s ad error page to show either. In this article, I will show you how to enable the custom 40…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…
Polish reports in Access so they look terrific. Take yourself to another level. Equations, Back Color, Alternate Back Color. Write easy VBA Code. Tighten space to use less pages. Launch report from a menu, considering criteria only when it is filled…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now