E1V1S

asked on

Web Server IP configuration

Hello,
My company is adding a web server to the network. We only have a WatchGuard firewall, file server, development web server and Exchange server on our AD domain currently. The new web server is a Dell PE R210ii running Windows Server 2008 R2 Standard with two NICs. My question is where should I put the web server in the network? Should I give it two public IPs and remote into it, or one public and one private? If I do give it the second, private IP, do I put that server into a DMZ or a VLAN? Our switch is not an L3 switch, so that means we would have to remote in if it is on a VLAN. Our other web servers are off site and we just VPN into them. Any information to help me plan this out would be greatly appreciated. Thanks
ryan80

What you should do is create a DMZ if you do not already have one, and put the web server in the DMZ. It will have a private IP in the DMZ subnet. Then make a static NAT mapping from the public IP to the server's private IP on the firewall to publish HTTP and HTTPS to the internet.

Adjust the firewall rules as needed for your requirements and services.
hecgomrec
I will have to say that ryan80's comments are very dangerous for a web server or any server.

By doing so, your server will be exposed to the "world": anyone, and I mean really anyone, can attack your server. A DMZ does not offer any security at all. I would not recommend this for a server; for a regular station/client... maybe!

To better answer your question, let's start with communications: I'm not sure about your bandwidth or traffic to this server, so I will suggest that you duplicate my suggestions accordingly. Based on what you provided, I would team up the 2 NICs under one IP, add two more in case of failure, and create a rule on the router/firewall to redirect the private IP to the server's. Make sure your ISP has registered your site properly in its DNS records.

Now, connecting to it/them: you mention VPN for the off-site server; please clarify, as I don't clearly understand how you have access to an off-site web server unless it is located at another branch. By connecting, do you mean accessing it for maintenance, administration, website development and maintenance, access to webpages/intranet, or all of the above?

When accessing servers with "external" names different to internals you should update your DNS server records to match and redirect your external settings to avoid confusing your clients/users.

Good Luck
E1V1S
ASKER

So basically I want to leave the web servers and Exchange on the local subnet and make 1:1 NAT translations for each public to private IP? Isn't that less secure, because if the server is compromised the attacker now has access to the entire subnet? I was under the impression that ryan80's answer was the "norm". I was originally going to set up the DMZ in a two-firewall system isolating the LAN from the DMZ; however, after reading ryan80's comments, it could be accomplished with one firewall.
The web server is going to be used for an eCommerce site, with another front end for the client to connect to the SQL server to control the inventory, shipping, and ordering. Right now the SQL server is on the same box as the web server. I would think that wouldn't be a good idea, now that I am thinking about it.
The web servers that we use now are hosted by another company and are on their network. We use a software VPN (PPTP), host-to-host, connecting to the server via RDC for maintenance, administration, website development, etc.
ASKER CERTIFIED SOLUTION
ryan80
E1V1S
ASKER

Thank you for your detailed response. I never thought about putting the DMZ in a different domain. I will be setting this up on the weekend. I will let you know how it goes.
ryan80

Relating to having your web server and SQL server on the same server, I would separate those roles if possible. Personally I use two DMZ zones, one with the web server front ends and the other with servers that contain the actual data, like SQL. That way only the web is exposed to the public, and it pulls data from the SQL server. That way if the web server is compromised, it still only has access to the SQL server over the SQL protocol (since everything else is blocked by the firewall). That then limits the attack surface to only SQL, and it can be limited as to what kind of queries or stored procedures can be run. So your actual data will not be compromised even if the web server is.

In our case we have the data mirrored from our internal databases to the SQL server in the second DMZ. It depends on how the data will be manipulated; we make all changes internally, and then the data that is displayed on the web site cannot be changed. Of course this all depends on your needs and the risk that you would be exposed to if your data were compromised.

I don't see an issue with using a remote VPN to manage the servers. That is what I would recommend. Using a VPN to connect and then managing from there is a secure way to accomplish this.
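The zoned layout described in this answer (web front end in one DMZ, SQL in a second, nothing from either DMZ into the LAN, administration only over the VPN) together with the static NAT publishing from the earlier answer, as an added example that is not code from the thread or from WatchGuard: a small Python model of the firewall policy, so you can check which flows a rule set allows and what a compromised web server could still reach. All addresses, zone names and ports are assumptions chosen for illustration; the WatchGuard itself is configured in its own UI, and this only models the rule logic. The flat alternative the asker described (web server on the LAN subnet behind a 1:1 NAT) is modelled alongside it for comparison.

```python
"""Model of the zoned firewall policy discussed in this thread.

Added example, not code from the thread or from WatchGuard. Layout modelled:
  internet -> public IP (static NAT) -> web server in DMZ 1 (HTTP/HTTPS only)
  web server -> SQL server in DMZ 2 over TCP 1433 only
  no traffic from either DMZ into the LAN; admin (RDP) only from the VPN pool
All addresses, zone names and ports are assumptions chosen for illustration.
"""
from ipaddress import ip_address, ip_network

ANY = None  # wildcard port

# Assumed addressing (RFC 1918 inside, TEST-NET ranges for public addresses).
ZONES = {
    "internet": [ip_network("0.0.0.0/0")],        # catch-all, least specific
    "lan":      [ip_network("192.168.10.0/24")],  # AD, file server, Exchange
    "dmz_web":  [ip_network("192.168.20.0/24")],  # published web front end
    "dmz_sql":  [ip_network("192.168.30.0/24")],  # data tier, never published
    "vpn":      [ip_network("10.99.0.0/24")],     # remote-access VPN clients
}
PUBLIC_IP  = ip_address("203.0.113.10")
WEB_SERVER = ip_address("192.168.20.10")
SQL_SERVER = ip_address("192.168.30.10")

# Static NAT: the firewall rewrites the public IP to the web server before
# the policy lookup, so rules are written against the private address.
STATIC_NAT = {PUBLIC_IP: WEB_SERVER}

# (src zone, dst host or zone, proto, dport, action); first match wins,
# anything unmatched is denied. Note there is no dmz_* -> lan rule at all.
RULES = [
    ("internet", WEB_SERVER, "tcp", 80,   "allow"),  # published HTTP
    ("internet", WEB_SERVER, "tcp", 443,  "allow"),  # published HTTPS
    ("dmz_web",  SQL_SERVER, "tcp", 1433, "allow"),  # web tier -> SQL only
    ("vpn",      "dmz_web",  "tcp", 3389, "allow"),  # RDP for administration
    ("vpn",      "dmz_sql",  "tcp", 3389, "allow"),
    ("lan",      SQL_SERVER, "tcp", 1433, "allow"),  # push data out to DMZ 2
]

# The flat layout the asker considered: web server on the LAN subnet behind a
# 1:1 NAT, with LAN hosts free to talk to each other.
WEB_FLAT   = ip_address("192.168.10.20")
FLAT_NAT   = {PUBLIC_IP: WEB_FLAT}
FLAT_RULES = [
    ("internet", WEB_FLAT, "tcp", 80,  "allow"),
    ("internet", WEB_FLAT, "tcp", 443, "allow"),
    ("lan",      "lan",    "tcp", ANY, "allow"),     # intra-LAN allow-all
]

def zone_of(addr):
    """Most specific zone containing addr; 'internet' is the fallback."""
    addr = ip_address(addr)
    best, best_len = "internet", -1
    for name, nets in ZONES.items():
        for net in nets:
            if addr in net and net.prefixlen > best_len:
                best, best_len = name, net.prefixlen
    return best

def evaluate(src, dst, proto="tcp", dport=0, rules=RULES, nat=STATIC_NAT):
    """Return 'allow' or 'deny' for a new connection src -> dst:dport."""
    src, dst = ip_address(src), ip_address(dst)
    dst = nat.get(dst, dst)                 # DNAT happens before policy
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    for r_src, r_dst, r_proto, r_port, action in rules:
        if r_src != src_zone or r_proto != proto or r_port not in (ANY, dport):
            continue
        if isinstance(r_dst, str) and r_dst != dst_zone:
            continue                        # rule names a zone
        if not isinstance(r_dst, str) and r_dst != dst:
            continue                        # rule names a single host
        return action
    return "deny"

# Constructed list of internal services an attacker on the web server would
# go after: SMB on the file server, SMTP on Exchange, SQL and RDP on the DB.
TARGETS = [
    ("192.168.10.5",  "tcp", 445),
    ("192.168.10.6",  "tcp", 25),
    ("192.168.30.10", "tcp", 1433),
    ("192.168.30.10", "tcp", 3389),
]

def blast_radius(src, targets=TARGETS, rules=RULES, nat=STATIC_NAT):
    """Services a given host can open connections to under a rule set, i.e.
    what a compromised web server still reaches (the asker's concern)."""
    return sorted(f"{d}:{p}" for d, pr, p in targets
                  if evaluate(src, d, pr, p, rules, nat) == "allow")

if __name__ == "__main__":
    for probe in [("198.51.100.7", "203.0.113.10", "tcp", 443),
                  ("198.51.100.7", "203.0.113.10", "tcp", 3389),
                  ("192.168.20.10", "192.168.10.5", "tcp", 445)]:
        print(*probe, "->", evaluate(*probe))
    print("zoned layout, compromised web server reaches:", blast_radius(WEB_SERVER))
    print("flat layout,  compromised web server reaches:",
          blast_radius(WEB_FLAT, rules=FLAT_RULES, nat=FLAT_NAT))
```

Under the zoned rule set the only thing a compromised web server can open is TCP 1433 to the SQL server; under the flat layout it reaches SMB on the file server and SMTP on Exchange, which is exactly the exposure the asker was worried about. On the firewall this corresponds to one static NAT entry for the public IP plus per-zone policies; the model is only there to check the intent before configuring it.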
E1V1S
ASKER

Are all your servers physical servers, or are some VMs? I only have three physical servers and want to get the most out of them. Is there any way to put a VM in the DMZ and not the physical server? I wouldn't think there would be, because all packets would be going through the host NIC in the long run.
ryan80

With a VM host, just add more physical NICs connected to the DMZ network and put them in a separate vSwitch that is dedicated to the DMZ. You could use the same NIC and use VLANs, but I would recommend different physical NICs.