Solved

Website through the inside interface.

Posted on 2016-07-28
79 Views
Last Modified: 2016-08-02
Hello,

My IT Director is asking me to move our website out of our DMZ and into our network. Am I in some alternate universe? We have a Cisco ASA5516 and it's currently on the DMZ interface, NAT'd, with SQL poked through for DB connectivity.

I advised him that this is not a best practice, and I know that the box will only receive port 80 traffic, but do we really want all this traffic through the inside interface?

We are a company that does financial transactions and PCI compliance is a must. I have advised him twice that this is not recommended and is a security risk, but he wants to do it anyway.

He's not a Network guy he's a programmer.

I need the max amount of opinions.
Question by: FXOutofcontrol
6 Comments
 
LVL 12

Accepted Solution

by: Gary Dewrell earned 500 total points
ID: 41733762
You are correct to push back. I would go so far as to refuse to do it and go over his head. The reason I say this is that depending on your network design, you could violate PCI compliance by moving this server internal. Your CEO/CFO would not be very happy if you did that.

Here is a link to a Microsoft TechNet article on security best practices that you can provide to him for some light reading.

https://social.technet.microsoft.com/wiki/contents/articles/13974.security-best-practices-to-protect-internet-facing-web-servers.aspx
1
 
LVL 1

Author Comment

by:FXOutofcontrol
ID: 41733983
Thank you.

Also, I need to see a consensus because I need to take this to my owners; any help is appreciated.
0
 
LVL 12

Expert Comment

by:Gary Dewrell
ID: 41733997
You might not get too many replies since we work on points here, and how are you going to give points to everyone that replies? :)

I could be wrong, some may reply.

But to help you out, here is another bit of information to go along with the Microsoft best practices I included above.

Cisco SAFE Reference Guide.
http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/SAFE_RG/SAFE_rg/chap6.html
0
 
LVL 1

Author Comment

by:FXOutofcontrol
ID: 41734044
I totally understand; this will help greatly if respected members of the IT community would help my department out. Our owners don't know who to believe because they are not technical.

A good example: he's trying to hire a Cisco engineer at the CCNP level, and in the same breath he wants to remove all VLANs in our layer 2 environment. We have a CCM environment with CCX, CUC and CUPS.

We think that's nuts.
0
 
LVL 9

Expert Comment

by:Ian Arakel
ID: 41734124
Hi there,

I concur with our fellow expert.
Do not go against best practices no matter which level of hierarchy in your organization advises you to.
The reason being the DMZ was defined so that you protect/isolate your internal trusted network from external predators.
Creating a pinhole in your own network would eventually lead to a downfall in business.
The above links provided are excellent links that you could use as points of argument against the proposed design by your colleague.

You can also refer to the link below for a basic gist of the DMZ:
http://www.ciscopress.com/articles/article.asp?p=1823359&seqNum=5
0
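The DMZ layout the answers defend (web server on its own interface, port 80 from outside, a single SQL pinhole to the database inside), written out as an ASA-style configuration; this is an added example, not code from the thread or any of its participants, and the interface names, addresses and the TCP/1433 database port are assumptions.

```cisco
! Added example, not from the thread. Interface names, addresses
! (RFC 5737 / RFC 1918 ranges) and the TCP/1433 (MS SQL) port are assumptions.
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
interface GigabitEthernet1/3
 nameif dmz
 security-level 50
 ip address 172.16.0.1 255.255.255.0
!
object network WEB_SERVER
 host 172.16.0.10
 nat (dmz,outside) static 203.0.113.10
object network DB_SERVER
 host 10.0.0.20
object network INSIDE_NET
 subnet 10.0.0.0 255.255.255.0
!
! Outside reaches the web server on TCP/80 only. The ACL references the
! real (untranslated) address, as ASA 8.3+ expects; all else is denied and logged.
access-list OUTSIDE_IN extended permit tcp any object WEB_SERVER eq www
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! The single "SQL pinhole": only the web host, only the DB host, only TCP/1433.
! Every other DMZ-to-inside flow is denied and logged, so a compromised web
! server cannot reach the rest of the inside network. The implicit deny at the
! end also blocks DMZ-to-outside traffic unless it is explicitly permitted.
access-list DMZ_IN extended permit tcp object WEB_SERVER object DB_SERVER eq 1433
access-list DMZ_IN extended deny ip any object INSIDE_NET log
access-group DMZ_IN in interface dmz
```

If the web server were moved onto the inside interface, the DMZ_IN policy would no longer apply at all: the web host would share the inside security level, and its traffic to the database and every other internal host would never cross the firewall.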
 
LVL 1

Author Closing Comment

by:FXOutofcontrol
ID: 41739328
Thank you so much for answering my question, I appreciate it greatly.
0
