Website through the inside interface.

Hello,

My IT Director is asking me to move our website our of our DMZ and into our network.  Am I in some alternate universe? We have a cisco ASA5516 and its currently on the DMZ interfaced NAT'd and sql poked through for db connectivity.

I advised him that this is not a best practice and I know that the box will only receive port 80 traffic but do we really want all this traffic through the inside interface?

We are company that does financial transactions and PCI compliance is a must. I have advised him twice that this is not recommended and a security risk but he wants to do it anyway.

He's not a Network guy he's a programmer.

I need the max amount of opinions.
LVL 1
FXOutofcontrolAsked:
Who is Participating?
 
Gary DewrellConnect With a Mentor Senior Network AdministratorCommented:
You are correct to push back. I would go so far as to refuse to do it and go over his head. The reason I say this is that depending on your network design, you could violate PCI compliance by moving this server internal. Your CEO/CFO would not be very happy if you did that.

Here is a link to Microsoft TechNet Article talking about Security Best Practices that you can provide to him for some light reading.

https://social.technet.microsoft.com/wiki/contents/articles/13974.security-best-practices-to-protect-internet-facing-web-servers.aspx
1
 
FXOutofcontrolAuthor Commented:
Thank you.

Also I need to see a consensus because I need to take this to my owners, any help is appreciated.
0
 
Gary DewrellSenior Network AdministratorCommented:
You might not get too may replies since we work on points here and how are you going to give points to everyone that replies. :)

I could be wrong, some may reply.

But to help you out here is another bit of information to go along with the Microsoft Best Practices I included above.

Cisco SAFE Reference Guide.
http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/SAFE_RG/SAFE_rg/chap6.html
0
Improved Protection from Phishing Attacks

WatchGuard DNSWatch reduces malware infections by detecting and blocking malicious DNS requests, improving your ability to protect employees from phishing attacks. Learn more about our newest service included in Total Security Suite today!

 
FXOutofcontrolAuthor Commented:
I totally understand, this will help greatly uf respected members of the IT community would help my department out.  Our owners dont know know who to believe because they not technical.

A good example was he's trying to hire a Cisco engineer at the CCNP level and out the same breath he wants to remove all vlans in our layer 2 environment. We have a CCM environment with CCX, CUC and CUPS.

We think that's nuts.
0
 
Ian ArakelNetwork Lead: Data and SecurityCommented:
Hi there,

I concur with our fellow expert.
Do not go against best practises no matter which level of hierarchy in your organization advises you to.
The reason being the DMZ was defined so that you protect/isolate your internal trusted network from external predators.
Creating a pinhole in your own network would eventually lead to a downfall in business.
The above links provided are excellent links that you could use as points of argument against the proposed design by your colleague.

Even refer to the below link for getting a basic gist of DMZ:
http://www.ciscopress.com/articles/article.asp?p=1823359&seqNum=5
0
 
FXOutofcontrolAuthor Commented:
thank you so much for answering my question I appreciate it greatly
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.