L-Plate

Safest way to publish web services?

Hi,

Please can you give your opinion on the safest way to host internal web services?

We have 2 options…

1st option is that we simply place the web server into a DMZ off the corporate firewall – Cisco ASA 5500. We would just allow connections to come in to the web server in the DMZ on ports 80 and 443; there is a static NAT rule on the ASA to facilitate this. The web server would not be a member of the corporate domain, and would have no connectivity through the firewall to the inside network.

2nd option is that we locate the web server on the inside network. In addition, we host a unihomed Microsoft ISA 2006 server in the DMZ. We instead allow the port 80 and 443 connections to come in to the ISA server in the DMZ, then we allow the ISA server to access the web server on the inside network through the ASA firewall on ports 80 and 443. The ISA server will be acting as a reverse web proxy server and would not be a domain member.

Please can somebody advise which option is more secure, and maybe provide pros and cons for each? Would either setup work well, or is one option more secure than the other?

Appreciate your feedback, and will respond quickly to any questions.

Thanks,

L-Plate
ASKER CERTIFIED SOLUTION
ienaxxx
This solution is only available to members.
L-Plate

ASKER

Thanks ienaxxx for your quick reply.

It was my feeling that the 2nd option was best based on the layer 7 inspection. Of course we only get layer 3 and 4 inspection on a standard firewall.

To be honest, the 2nd option is the way that we currently have this configured in our network, but we DO have the public web server on the inside network. Is this OK how it is, or do you strongly advise against this? Just FYI, we only allow the ISA server to talk to the web server on the inside network on ports 80 and 443. Is this safe or should we move it into the DMZ?

ASKER

Thanks for your help!