Solved

Website through the inside interface.

Posted on 2016-07-28
Last Modified: 2016-08-02
Hello,

My IT Director is asking me to move our website out of our DMZ and into our network.  Am I in some alternate universe? We have a Cisco ASA5516, and it's currently on the DMZ interface, NAT'd, with SQL poked through for DB connectivity.

I advised him that this is not a best practice and I know that the box will only receive port 80 traffic but do we really want all this traffic through the inside interface?

We are a company that does financial transactions and PCI compliance is a must. I have advised him twice that this is not recommended and a security risk, but he wants to do it anyway.

He's not a network guy, he's a programmer.

I need the max amount of opinions.
Question by:FXOutofcontrol
6 Comments
 
LVL 12

Accepted Solution

by:
Gary Dewrell earned 2000 total points
ID: 41733762
You are correct to push back. I would go so far as to refuse to do it and go over his head. The reason I say this is that depending on your network design, you could violate PCI compliance by moving this server internal. Your CEO/CFO would not be very happy if you did that.

Here is a link to a Microsoft TechNet article on security best practices that you can provide to him for some light reading.

https://social.technet.microsoft.com/wiki/contents/articles/13974.security-best-practices-to-protect-internet-facing-web-servers.aspx
1
 
LVL 1

Author Comment

by:FXOutofcontrol
ID: 41733983
Thank you.

Also I need to see a consensus because I need to take this to my owners, any help is appreciated.
0
 
LVL 12

Expert Comment

by:Gary Dewrell
ID: 41733997
You might not get too many replies since we work on points here, and how are you going to give points to everyone that replies. :)

I could be wrong, some may reply.

But to help you out here is another bit of information to go along with the Microsoft Best Practices I included above.

Cisco SAFE Reference Guide.
http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/SAFE_RG/SAFE_rg/chap6.html
0
LVL 1

Author Comment

by:FXOutofcontrol
ID: 41734044
I totally understand, this will help greatly if respected members of the IT community would help my department out.  Our owners don't know who to believe because they are not technical.

A good example was he's trying to hire a Cisco engineer at the CCNP level and in the same breath he wants to remove all VLANs in our layer 2 environment. We have a CCM environment with CCX, CUC and CUPS.

We think that's nuts.
0
 
LVL 9

Expert Comment

by:Ian Arakel
ID: 41734124
Hi there,

I concur with our fellow expert.
Do not go against best practices no matter which level of hierarchy in your organization advises you to.
The reason being the DMZ was defined so that you protect/isolate your internal trusted network from external predators.
Creating a pinhole in your own network would eventually lead to a downfall in business.
The above links provided are excellent links that you could use as points of argument against the proposed design by your colleague.

Also refer to the link below for a basic gist of the DMZ:
http://www.ciscopress.com/articles/article.asp?p=1823359&seqNum=5
0
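As an added illustration (not part of this thread, and not a config posted by anyone in it), here is what the DMZ design the asker describes looks like as a minimal Cisco ASA (8.3+ syntax) configuration: the web server sits on its own interface, only TCP/80 is NAT'd in from the outside, and the single "pinhole" toward the inside is the SQL connection from the web server to the database. Interface names, the addresses (RFC 5737 documentation and RFC 1918 ranges) and the SQL port 1433 are assumptions.

```cisco
! Assumed interfaces: outside (untrusted), dmz (web server), inside (trusted LAN + DB).
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet1/2
 nameif dmz
 security-level 50
 ip address 192.0.2.1 255.255.255.0
!
interface GigabitEthernet1/3
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
! Assumed hosts (constructed addresses for this example).
object network WEB_SERVER
 host 192.0.2.10
 nat (dmz,outside) static 203.0.113.10
object network DB_SERVER
 host 10.0.0.20
!
! From the Internet, only HTTP to the web server is allowed in; everything else is dropped and logged.
! Post-8.3 ACLs reference the real (DMZ) address, not the NAT'd one.
access-list OUTSIDE_IN extended permit tcp any object WEB_SERVER eq www
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! The only path from the DMZ into the trusted network is SQL from the web server to the DB.
! Anything else the web server tries toward inside (or anywhere) is dropped and logged.
! Moving the server onto the inside interface removes this choke point entirely:
! a compromised web server would then sit directly on the PCI-scoped LAN.
access-list DMZ_IN extended permit tcp object WEB_SERVER object DB_SERVER eq 1433
access-list DMZ_IN extended deny ip any any log
access-group DMZ_IN in interface dmz
```

If the web server needs outbound access for updates or DNS, add explicit permits (and a dynamic NAT from dmz to outside) above the final deny rather than loosening the rule toward inside.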
 
LVL 1

Author Closing Comment

by:FXOutofcontrol
ID: 41739328
Thank you so much for answering my question, I appreciate it greatly.
0