Solved

Safest way to publish web services?

Posted on 2011-09-28
Last Modified: 2012-08-13
Hi,

Please can you give your opinion on the safest way to host internal web services?

We have 2 options…

1st option is that we simply place the web server into a DMZ off the corporate firewall – Cisco ASA 5500. We would just allow connections to come in to the web server in the DMZ on ports 80 and 443; there is a static NAT rule on the ASA to facilitate this. The web server would not be a member of the corporate domain, and would have no connectivity through the firewall to the inside network.

2nd option is that we locate the web server on the inside network. In addition, we host a unihomed Microsoft ISA 2006 server in the DMZ. We instead allow the port 80 and 443 connections to come in to the ISA server in the DMZ, then we allow the ISA server to access the web server on the inside network through the ASA firewall on ports 80 and 443. The ISA server will be acting as a reverse web proxy server and would not be a domain member.

Please can somebody advise which option is more secure, and maybe provide pros and cons for each? Would either setup work well, or is 1 option more secure than the other?

Appreciate your feedback, and will respond quickly to any questions.

Thanks,

L-Plate
0
Question by:L-Plate
Accepted Solution

by: ienaxxx, earned 2000 total points
ID: 36716297
Hi,
The second option is the more secure, since it also checks for viruses in uploaded files and has APPLICATION FILTERING, that is: it checks that the commands passing here are really HTTP commands.

Top security would be achieved using a TMG 2010, which has rules that identify exploit traffic, updated really often. So, if you are using IIS and, for example, they discover a 0 day vuln, you'll be protected even in the meantime before the necessary patches.

Additionally, I can suggest you host both ISA/TMG AND the public webserver on the DMZ.

Moreover, I suggest you study the ISA / TMG documentation to deploy your customized protection rule set.

HTH, Bye!
0
 

Author Comment

by:L-Plate
ID: 36716416
Thanks ienaxxx for your quick reply.

It was my feeling that the 2nd option was best based on the layer 7 inspection. Of course we only get layer 3 and 4 inspection on a standard firewall.

To be honest, the 2nd option is the way that we currently have this configured in our network, but we DO have the public web server on the inside network. Is this OK how it is, or do you strongly advise against this? Just FYI, we only allow the ISA server to talk to the web server on the inside network on ports 80 and 443. Is this safe or should we move it into the DMZ?
0
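
As an added example (not part of any post in this thread), the layouts discussed above can be modelled as zones plus default-deny firewall rules, to compare what each one leaves reachable if an internet-facing host is compromised. The host names, the `ANSWER_VARIANT` name and the assumption that hosts in the same zone reach each other unfiltered are constructed for illustration.

```python
from collections import deque

WEB = frozenset({80, 443})
ANY = "any"  # assumption: same-zone traffic never crosses the firewall, so it is unfiltered

# Constructed models of the layouts in this thread. A rule is (source, destination, ports);
# anything crossing a zone boundary without a matching rule is denied.
OPTION_1 = {  # web server in the DMZ, no rule towards the inside network
    "hosts": {"internet": "outside", "web": "dmz", "corp-lan": "inside"},
    "rules": [("internet", "web", WEB)],
}
OPTION_2 = {  # reverse proxy in the DMZ, web server on the inside network
    "hosts": {"internet": "outside", "proxy": "dmz", "web": "inside", "corp-lan": "inside"},
    "rules": [("internet", "proxy", WEB), ("proxy", "web", WEB)],
}
ANSWER_VARIANT = {  # the accepted answer's suggestion: proxy and web server both in the DMZ
    "hosts": {"internet": "outside", "proxy": "dmz", "web": "dmz", "corp-lan": "inside"},
    "rules": [("internet", "proxy", WEB)],
}

def permitted(lay, src, dst):
    """Ports src may open to dst: ANY within one zone, else the explicit rules, else none."""
    if lay["hosts"][src] == lay["hosts"][dst]:
        return ANY
    ports = set()
    for s, d, p in lay["rules"]:
        if (s, d) == (src, dst):
            ports |= p
    return ports

def internet_facing(lay):
    """Hosts that accept connections directly from the internet."""
    return sorted(h for h in lay["hosts"] if h != "internet" and permitted(lay, "internet", h))

def reachable_after_compromise(lay, start):
    """Worst case: hosts the policy still lets traffic reach, hop by hop, from `start`."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for h in lay["hosts"]:
            if h not in seen and h != "internet" and permitted(lay, cur, h):
                seen.add(h)
                queue.append(h)
    return sorted(seen - {start})

if __name__ == "__main__":
    for name, lay in [("option 1", OPTION_1), ("option 2", OPTION_2), ("answer variant", ANSWER_VARIANT)]:
        for host in internet_facing(lay):
            print(name, "| internet-facing:", host, "| reachable behind it:", reachable_after_compromise(lay, host))
```

The model covers only what the firewall policy permits at layers 3 and 4; it does not represent the application-layer filtering that the reverse proxy adds on the 80/443 path.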
 

Author Closing Comment

by:L-Plate
ID: 36890688
Thanks for your help!
0

Question has a verified solution.
