WebServer behind firewall
Paul MacFarlane
Guest
Posted: Fri Dec 10, 2004 9:38 pm    Post subject: WebServer behind firewall

I'm trying to plan for bringing our webserver in-house and had a few
questions about my plan. The idea is to make the server accessible from our
internal network but prevent and secure our network from the outside.

We currently have a firewall (MFW) and internal network 192.168.10.*.
I would forward port 80 through to this webserver.

- Would using a different subnet for the webserver help? (ie 192.168.1.*)
- Would I want to use a second firewall (SFW) (external IP)?
- Would I want to put an internal firewall (IFW) between the webserver and
our network?

Any suggestions or pointers appreciated....

Thanks,
Paul

Lanwench [MVP - Exchange]
Guest
Posted: Sat Dec 11, 2004 12:03 am    Post subject: Re: WebServer behind firewall

I'd put the webserver in a secured DMZ. Don't put it on your LAN.

Paul MacFarlane
Guest
Posted: Sat Dec 11, 2004 12:37 am    Post subject: Re: WebServer behind firewall

Would you enable a VPN between them? I'm thinking not...

One of the issues is we want to have access from our website to our SQL
server.
What is the best way of securing that situation? SQL on the webserver
w/Replication?

Steven L Umbach
Guest
Posted: Sat Dec 11, 2004 1:21 am    Post subject: Re: WebServer behind firewall

There are a number of ways you can do this. Using two firewalls would be a
good bet. One in front of the web server and one between the lan and the web
server. The one in front of the web server could be configured to allow only
ports 80/443 to the web server and the one between the lan and the web
server would be configured to allow only traffic to and from the lan and the
web server. This way if the web server is compromised, the attacker will
have limited access to your internal network. You could use ipsec to protect
traffic between the web server and the internal lan to encrypt the traffic
and make the firewall easier to configure. Ipsec can use kerberos [within a
domain], certificate, or preshared key machine authentication. You can not
however use ipsec negotiation between a domain controller and a domain
computer. The link below goes into much more detail on possible firewall
configurations. I also strongly urge you to read the Windows 2003 Server
Security Guide on how to harden servers and it also includes tips on how to
use ipsec "filtering" as another layer of security. --- Steve

http://www.microsoft.com/technet/Security/topics/network/firewall.mspx

Paul MacFarlane
Guest
Posted: Sat Dec 11, 2004 5:20 am    Post subject: Re: WebServer behind firewall

Thank you much....

Roger Abell
Guest
Posted: Sun Dec 12, 2004 9:27 am    Post subject: Re: WebServer behind firewall

You know, it all really depends on the value of the webserver, the
volume of traffic, "visibility" of the website (i.e. attractiveness of
it as a target), etc.
The first thing I noticed is that, as you now have this external at
the ISP, you obviously have no need for it to be internal - it is not
speaking with anything inside now. So, using KISS principle, if
you do not need it inside why put it there and so invite inside the
traffic and any potential bad things that might happen if that box
were compromised?

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA

Paul MacFarlane
Guest
Posted: Wed Dec 15, 2004 1:23 am    Post subject: Re: WebServer behind firewall

Because we will be needing it inside soon.

We've KISSed it a long time and are looking like relics..<g>

More client interaction is in development.

Roger Abell
Guest
Posted: Wed Dec 15, 2004 8:51 am    Post subject: Re: WebServer behind firewall

Good you are looking ahead. In that case, I am much like
the others that replied. In the DMZ would be the place,
tcp 80/443 defined in from the world, and only what is
necessary defined from it to other servers for middleware,
backup, etc.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA

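The layout the replies converge on (web server in a DMZ, one firewall facing the Internet and one facing the LAN), modeled here as an added example that is not from any poster in the thread. The two subnets are the ones mentioned in the question; the host addresses, the SQL Server rule on TCP 1433 and all function names are assumptions, and only new TCP connections are evaluated, as on a stateful firewall.

```python
from ipaddress import ip_address, ip_network

# Subnets come from the thread; host addresses and the SQL rule are assumed.
LAN = ip_network("192.168.10.0/24")
DMZ = ip_network("192.168.1.0/24")
ANY = ip_network("0.0.0.0/0")
WEB = ip_network("192.168.1.10/32")    # hypothetical web server in the DMZ
SQL = ip_network("192.168.10.20/32")   # hypothetical SQL Server on the LAN

# (source, destination, allowed TCP ports); anything unmatched is dropped.
OUTER_FW = [(ANY, WEB, {80, 443})]     # Internet-facing firewall
INNER_FW = [(LAN, WEB, {80, 443}),     # staff reach the site
            (WEB, SQL, {1433})]        # web app to SQL Server, nothing else


def zone(addr):
    a = ip_address(addr)
    return "lan" if a in LAN else "dmz" if a in DMZ else "internet"


def permits(rules, src, dst, port):
    s, d = ip_address(src), ip_address(dst)
    return any(s in rs and d in rd and port in ports for rs, rd, ports in rules)


def firewalls_on_path(src, dst):
    """Outer firewall sits between Internet and DMZ, inner between DMZ and LAN."""
    zones = {zone(src), zone(dst)}
    if len(zones) == 1:
        return []                      # same segment: no firewall in between
    path = [OUTER_FW] if "internet" in zones else []
    return path + ([INNER_FW] if "lan" in zones else [])


def allowed(src, dst, port):
    """True if every firewall crossed permits opening this TCP connection."""
    return all(permits(fw, src, dst, port) for fw in firewalls_on_path(src, dst))


def reachable_from_web(targets):
    """What a compromised web server could still open, out of (host, port) pairs."""
    return [(h, p) for h, p in targets if allowed("192.168.1.10", h, p)]


if __name__ == "__main__":
    probes = [("192.168.10.20", 1433), ("192.168.10.20", 3389), ("192.168.10.5", 445)]
    print(reachable_from_web(probes))
```

Hosts on the same segment never cross a firewall in this model, so anything else placed in the DMZ is reachable from the web server regardless of these rules.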
All times are GMT.