Why put a web server in a DMZ?

I don't understand why someone would put the web server in a DMZ. Port forwarding can be done, so why put it in the DMZ without firewall protection? I understand that gamers sometimes need to use a DMZ because too many ports need to be open and they are not sure exactly which ports they are. So for servers, what is the purpose? Do any companies put their production servers in a DMZ?
Asked by okamon

Garry Glendown (Consulting and Network/Security Specialist) commented:
Actually, a three-way split-up of the network areas is a good idea not because one might not know all the ports, but in order not to make it easy to use a potential security hole in one system to use it as a stepping stone into the secured area ...
E.g., if someone were to find an exploit that allowed you shell access using the (allowed) access to port 80 of your webserver, if the system were located in the internal network, you could then access any internal system without further access control by the firewall. By putting systems that require access from the internet in a DMZ, you can set up the firewall to deny all access to the internal network, or set it up very tightly, as usually not many reasons exist to access the inside net from either the internet or the DMZ ...
Garry Glendown (Consulting and Network/Security Specialist) commented:
Also, in some situations it might be beneficial to even split it up more, thereby segregating multiple systems in their own specific area, increasing security between the DMZ systems ...
netballi commented:
Depends on your setup. Many do this to isolate the web server from the internal network, which provides an extra layer of security. Some may locate a front end web server, email server, etc. in the DMZ and then put your database server(s) and clients in the internal network. If your web server, etc. is compromised, the hackers still need to get to your internal network to get any real data. In addition to the internal network, the DMZ is almost always protected from the Internet to some degree.
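The argument in the comments above, as an added example that is not part of the thread: a toy model of a three-legged firewall showing which internal services a compromised web server can connect to when it sits on the LAN (reached by a port forward) versus in a DMZ. The host names, zone names, ports and the single database pinhole are constructed for the illustration.

```python
# Added illustration (not from the thread): first-match, default-deny
# inter-zone policy on a firewall with internet, dmz and lan interfaces.
from typing import NamedTuple

class Rule(NamedTuple):
    src_zone: str
    dst_zone: str
    dst_host: str   # "*" matches any host in dst_zone
    port: int       # 0 matches any port
    action: str     # "allow" or "deny"

# Constructed policy: only web ports in, one pinhole from DMZ to the database.
RULES = [
    Rule("internet", "dmz", "web", 80, "allow"),
    Rule("internet", "dmz", "web", 443, "allow"),
    Rule("dmz", "lan", "db", 5432, "allow"),
    Rule("dmz", "lan", "*", 0, "deny"),
    Rule("lan", "dmz", "*", 0, "allow"),
    Rule("lan", "internet", "*", 0, "allow"),
]

# Constructed inventory of services listening on internal hosts.
LAN_SERVICES = {"db": [5432, 22], "fileserver": [445, 22], "pc1": [3389]}

def permitted(src_zone, dst_zone, dst_host, port, rules=RULES):
    """Return True if the connection gets through."""
    if src_zone == dst_zone:
        # Same segment: traffic is switched locally and never reaches
        # the firewall, so no rule can block it.
        return True
    for r in rules:
        if (r.src_zone == src_zone and r.dst_zone == dst_zone
                and r.dst_host in ("*", dst_host) and r.port in (0, port)):
            return r.action == "allow"
    return False  # default deny between zones

def reachable_from_web(web_zone):
    """LAN services a compromised web server can connect to, by its zone."""
    return sorted((host, port)
                  for host, ports in LAN_SERVICES.items()
                  for port in ports
                  if permitted(web_zone, "lan", host, port))

if __name__ == "__main__":
    print("web server on LAN:", reachable_from_web("lan"))
    print("web server in DMZ:", reachable_from_web("dmz"))
```
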
lewisg commented:
If you have multiple public IPs there is little reason for using a DMZ. However if you are short of public IPs using a DMZ allows you to run multiple servers AND have NAT access for a LAN on one IP. VERY handy!

Like Garry-G says, locating a server in a DMZ (or on another public IP) makes your LAN safer by moving servers that are by their nature more open to compromise off your LAN.
okamon (author) commented:
So if I put my webserver in the DMZ, will it get hacked easily? As far as I know, not being firewall protected means all ports are open, which sounds scary.
lewisg commented:
The idea is that IF your webserver gets hacked it does not provide a path to your internal network. Mitigate the possible harm.

A properly configured webserver will expose no more ports to the wild world of the Internet than required so port forwards do little to protect the webserver. Once hacked a compromised webserver on your LAN would, in most cases, be a platform to mount other attacks on your (no longer) protected network.

Most webservers operate all day every day on public IPs, not behind routers with port forwards. Firewalling is done through server configuration to turn off unused ports, temporarily deny IP addresses that are engaging in suspicious activity, and fix known vulnerabilities as soon as they are patched. Add in a good backup and recovery plan and you have done your job.

Like I stated previously, if you have enough public IPs for your servers and private network router, there is no compelling reason to use a DMZ.

If you want to run a webserver and are uncomfortable with the security implications, the best choice is to take advantage of any one of the myriad web hosting options available. In many cases this will save you money in the long run.
Garry Glendown (Consulting and Network/Security Specialist) commented:
Firewalls (nowadays) do more than just block ports or stateful inspection ... features like protocol inspection, IDS/IPS or content scanning allow you to more effectively secure your system ... of course, using a hosting/housing provider is the sensible alternative if you don't want to go through all the hassle and keep your internet connection simple to set up and operate securely ...
ganotganot commented:
Internal network  (-----FIREWALL---)  DMZ (----FIREWALL---) (INTERNET)
 DMZ network example
okamon (author) commented:
Instead of using a DMZ, can I set up my network with 2 routers, like below?

Modem ----- router1 (web server) -------------router2 (internal)

So each router has its firewall enabled, and I put my webserver, DNS, etc. behind router1.

Isn't this method more secure than the DMZ???
okamon (author) commented:
I still think a webserver with firewall protection is more secure than one without a firewall (DMZ).
Let me know if I am wrong.
Garry Glendown (Consulting and Network/Security Specialist) commented:
Why run two devices when you can do the same with one? Plus, if you actually set it up like that, you'd have to route everything through your web server ...
What do you mean with your last question? The Firewall is what provides the DMZ ...
lewisg commented:
I doubt you are getting much in the way of usable protection vs a DMZ setup while you are likely subjecting your LAN clients to double NAT.

What make/model are router1 and router2? What sort of configuration do the routers have?

ganotganot commented:
I have doubts about replacing a firewall with a router, because Cisco IOS is very advanced in routing/switching but not in security, as it was designed with the primary function of intelligent routing/switching and NOT securing.

It's up to you how critical your webserver is.