?
Solved

Website through the inside interface.

Posted on 2016-07-28
6
Medium Priority
?
100 Views
Last Modified: 2016-08-02
Hello,

My IT Director is asking me to move our website our of our DMZ and into our network.  Am I in some alternate universe? We have a cisco ASA5516 and its currently on the DMZ interfaced NAT'd and sql poked through for db connectivity.

I advised him that this is not a best practice and I know that the box will only receive port 80 traffic but do we really want all this traffic through the inside interface?

We are company that does financial transactions and PCI compliance is a must. I have advised him twice that this is not recommended and a security risk but he wants to do it anyway.

He's not a Network guy he's a programmer.

I need the max amount of opinions.
0
Comment
Question by:FXOutofcontrol
  • 3
  • 2
6 Comments
 
LVL 12

Accepted Solution

by:
Gary Dewrell earned 2000 total points
ID: 41733762
You are correct to push back. I would go so far as to refuse to do it and go over his head. The reason I say this is that depending on your network design, you could violate PCI compliance by moving this server internal. Your CEO/CFO would not be very happy if you did that.

Here is a link to Microsoft TechNet Article talking about Security Best Practices that you can provide to him for some light reading.

https://social.technet.microsoft.com/wiki/contents/articles/13974.security-best-practices-to-protect-internet-facing-web-servers.aspx
1
 
LVL 1

Author Comment

by:FXOutofcontrol
ID: 41733983
Thank you.

Also I need to see a consensus because I need to take this to my owners, any help is appreciated.
0
 
LVL 12

Expert Comment

by:Gary Dewrell
ID: 41733997
You might not get too may replies since we work on points here and how are you going to give points to everyone that replies. :)

I could be wrong, some may reply.

But to help you out here is another bit of information to go along with the Microsoft Best Practices I included above.

Cisco SAFE Reference Guide.
http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/SAFE_RG/SAFE_rg/chap6.html
0
When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

 
LVL 1

Author Comment

by:FXOutofcontrol
ID: 41734044
I totally understand, this will help greatly uf respected members of the IT community would help my department out.  Our owners dont know know who to believe because they not technical.

A good example was he's trying to hire a Cisco engineer at the CCNP level and out the same breath he wants to remove all vlans in our layer 2 environment. We have a CCM environment with CCX, CUC and CUPS.

We think that's nuts.
0
 
LVL 9

Expert Comment

by:Ian Arakel
ID: 41734124
Hi there,

I concur with our fellow expert.
Do not go against best practises no matter which level of hierarchy in your organization advises you to.
The reason being the DMZ was defined so that you protect/isolate your internal trusted network from external predators.
Creating a pinhole in your own network would eventually lead to a downfall in business.
The above links provided are excellent links that you could use as points of argument against the proposed design by your colleague.

Even refer to the below link for getting a basic gist of DMZ:
http://www.ciscopress.com/articles/article.asp?p=1823359&seqNum=5
0
 
LVL 1

Author Closing Comment

by:FXOutofcontrol
ID: 41739328
thank you so much for answering my question I appreciate it greatly
0

Featured Post

NEW Veeam Backup for Microsoft Office 365 1.5

With Office 365, it’s your data and your responsibility to protect it. NEW Veeam Backup for Microsoft Office 365 eliminates the risk of losing access to your Office 365 data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this blog we highlight approaches to managed security as a service.  We also look into ConnectWise’s value in aiding MSPs’ security management and indicate why critical alerting is a necessary integration.
Phishing emails are a popular malware delivery vehicle for attack.  While there are many ways for an attacker to increase the chances of success for their phishing emails, one of the most effective methods involves spoofing the message to appear to …
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…

850 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question