Solved

Website through the inside interface.

Posted on 2016-07-28
6
69 Views
Last Modified: 2016-08-02
Hello,

My IT Director is asking me to move our website our of our DMZ and into our network.  Am I in some alternate universe? We have a cisco ASA5516 and its currently on the DMZ interfaced NAT'd and sql poked through for db connectivity.

I advised him that this is not a best practice and I know that the box will only receive port 80 traffic but do we really want all this traffic through the inside interface?

We are company that does financial transactions and PCI compliance is a must. I have advised him twice that this is not recommended and a security risk but he wants to do it anyway.

He's not a Network guy he's a programmer.

I need the max amount of opinions.
0
Comment
Question by:FXOutofcontrol
  • 3
  • 2
6 Comments
 
LVL 12

Accepted Solution

by:
Gary Dewrell earned 500 total points
ID: 41733762
You are correct to push back. I would go so far as to refuse to do it and go over his head. The reason I say this is that depending on your network design, you could violate PCI compliance by moving this server internal. Your CEO/CFO would not be very happy if you did that.

Here is a link to Microsoft TechNet Article talking about Security Best Practices that you can provide to him for some light reading.

https://social.technet.microsoft.com/wiki/contents/articles/13974.security-best-practices-to-protect-internet-facing-web-servers.aspx
1
 
LVL 1

Author Comment

by:FXOutofcontrol
ID: 41733983
Thank you.

Also I need to see a consensus because I need to take this to my owners, any help is appreciated.
0
 
LVL 12

Expert Comment

by:Gary Dewrell
ID: 41733997
You might not get too may replies since we work on points here and how are you going to give points to everyone that replies. :)

I could be wrong, some may reply.

But to help you out here is another bit of information to go along with the Microsoft Best Practices I included above.

Cisco SAFE Reference Guide.
http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/SAFE_RG/SAFE_rg/chap6.html
0
What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

 
LVL 1

Author Comment

by:FXOutofcontrol
ID: 41734044
I totally understand, this will help greatly uf respected members of the IT community would help my department out.  Our owners dont know know who to believe because they not technical.

A good example was he's trying to hire a Cisco engineer at the CCNP level and out the same breath he wants to remove all vlans in our layer 2 environment. We have a CCM environment with CCX, CUC and CUPS.

We think that's nuts.
0
 
LVL 9

Expert Comment

by:Ian Arakel
ID: 41734124
Hi there,

I concur with our fellow expert.
Do not go against best practises no matter which level of hierarchy in your organization advises you to.
The reason being the DMZ was defined so that you protect/isolate your internal trusted network from external predators.
Creating a pinhole in your own network would eventually lead to a downfall in business.
The above links provided are excellent links that you could use as points of argument against the proposed design by your colleague.

Even refer to the below link for getting a basic gist of DMZ:
http://www.ciscopress.com/articles/article.asp?p=1823359&seqNum=5
0
 
LVL 1

Author Closing Comment

by:FXOutofcontrol
ID: 41739328
thank you so much for answering my question I appreciate it greatly
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
How VPC help preventing STP Loops 4 100
WLC 5508 controller configuration 4 77
Cisco WAP POE power 28 79
ospf neighbors not coming up 6 30
Transferring data across the virtual world became simpler but protecting it is becoming a real security challenge.  How to approach cyber security  in today's business world!
Most of the applications these days are on Cloud. Cloud is ubiquitous with many service providers in the market. Since it has many benefits such as cost reduction, software updates, remote access, disaster recovery and much more.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …

773 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question