
Security on a web server hosted offsite

Status
Not open for further replies.

mikestl

Technical User
Oct 17, 2003
32
US
I have been working on evaluating our current network security situation at our company. Part of this is in response to some problems we have been having lately. At the moment we have a DSL connection at the office that is protected by a firewall appliance made by watchguard. This connection is used for our office's internet connectivity, but also for an smtp server hosted within the firewall on the internal network. We rent rack space at a web hosting company and have a server there that runs IIS as well as SQL server in the same box. We also have an identical firewall appliance there protecting the server. There is also a constant VPN connection between the two firewall appliances used to pull customer data from the website to the office, and for administering the website.

My primary concern is the VPN connection between the office and the web hosting company. It would seem that in having these tied together like this we are essentially putting the web server inside the company's internal network.

My other concern is with SQL server being on the same box with IIS. Shouldn't SQL be hosted behind another firewall, or on the internal network?

I am concerned with having our internal exchange server receiving e-mail directly from the internet. Would it be a good idea to set up an SMTP virtual server, possibly on the web server?

My understanding is that the setup should go:

Internet -Firewall- DMZ -Firewall- Internal network

Then the web server should be on the DMZ, along with the SMTP virtual server, and possibly the SQL server. I guess where my confusion really comes in is how do I do that when the web server is in a different location. It would seem to me like I am going to need to buy an additional firewall here and set up the VPN connection on the first firewall in the office before the DMZ, to kind of link the VPN into the DMZ. Anyone have any ideas on this? Thanks.
 
Boy, a lot to tackle in one post.

I don't think that there are any real issues with putting your web server at the end of a VPN tunnel, provided that you are applying ingress and egress rules at each tunnel endpoint. The VPN at the web server should allow no? connections across the tunnel. While the internal network should allow http, and ?? across the tunnel. All other source addresses should be forbidden on both ends. All other endpoints should be forbidden from both ends. This puts your web server on a "virtual" DMZ.

Having the SQL server on the same box shouldn't be a problem, as long as the firewall that is protecting the web server doesn't allow connections from the Internet to the SQL service. Ideally only connections across 127.0.0.1 would be allowed, and you would provide a web-based front-end to that service for your collection of client data. Preferably running on a high port that is only accessible from the VPN tunnel.

I'm assuming that your network looks something like this:

           |------Firewall-------Web Server
           |                         |
           |                         |
Internet---|                        VPN
           |                         |
           |                         |
           |------Firewall-------Internal Network

The VPN is running across the Internet, but for all intents and purposes is a separate link between the firewalls. That interface should be capable of having rules applied, just like a physical interface.

But you are correct. Having mail coming directly into your internal network is dangerous. You would be better served by having that mail server sitting in a DMZ, or a proxy mail server sitting in a DMZ, rather than having your internal mail server accessible directly from the Internet. Some firewalls will provide an SMTP proxy right in the firewall, but I don't believe that the watchguard is one of them.

The "typical" model for a firewall is:

Internet---Firewall---Internal Network
              |
              |
             DMZ

You apply rules for:
- Internet to DMZ (only services required, http, smtp)
- Internet to Internal Network (generally drop all)
- DMZ to Internet (generally very little if any)
- DMZ to Internal Network (generally very little, perhaps SQL)
- Internal Network to DMZ (maintenance and testing services)
- Internal Network to Internet (varies greatly depending on client, but at least http and smtp. Some allow any internal IP to set up any service)

Of course no one is a "typical" user.


pansophic
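Added example, not part of the thread and not WatchGuard configuration: a small zone-based policy model in Python that encodes the rule directions listed in the reply above (default deny between zones, explicit allows per direction) and also the "virtual DMZ" point about the VPN tunnel, which is treated here as just another path between the internal zone and the DMZ zone. The address ranges, zone names, port choices and sample flows are all constructed assumptions for the illustration; the one DMZ-to-internal allow models a DMZ mail relay handing mail to the internal mail server, and SQL is reachable only from the internal side over the tunnel, never from the Internet.

```python
"""Zone-to-zone firewall policy model illustrating the rule sets from the reply.

Constructed example (not the thread's or any vendor's configuration):
addresses use documentation ranges, and the VPN tunnel is modelled simply as
the internal<->dmz direction pair, since the reply notes the tunnel interface
takes rules like any physical interface.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed address plan (assumption). "internet" is the catch-all, checked last.
ZONES = {
    "internal": [ip_network("10.0.0.0/24")],   # office LAN behind the office firewall
    "dmz":      [ip_network("192.0.2.0/24")],   # hosted IIS/SQL box behind the remote firewall
    "internet": [ip_network("0.0.0.0/0")],
}

ZONE_ORDER = ("internal", "dmz", "internet")    # most specific first


def zone_of(addr: str) -> str:
    """Map an address to its zone; anything not in a private zone is 'internet'."""
    ip = ip_address(addr)
    for name in ZONE_ORDER:
        if any(ip in net for net in ZONES[name]):
            return name
    return "internet"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


# Allow list keyed by (source zone, destination zone) -> set of (proto, port).
# Any pair or service not listed is dropped: default deny, as the reply advises.
POLICY = {
    ("internet", "dmz"):      {("tcp", 80), ("tcp", 443), ("tcp", 25)},  # web + SMTP relay only
    ("internet", "internal"): set(),                                       # drop all
    ("dmz", "internet"):      set(),                                       # very little; here nothing
    ("dmz", "internal"):      {("tcp", 25)},                               # DMZ mail relay -> internal mail server
    ("internal", "dmz"):      {("tcp", 1433), ("tcp", 3389), ("tcp", 80)},  # SQL pull, admin, testing over the VPN
    ("internal", "internet"): {("tcp", 80), ("tcp", 443), ("tcp", 25)},
}


def decide(flow: Flow) -> str:
    """Return 'allow' or 'drop' for a new connection between two zones."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone:
        return "allow"  # intra-zone traffic never crosses the firewall in this model
    allowed = POLICY.get((src_zone, dst_zone), set())
    return "allow" if (flow.proto, flow.dport) in allowed else "drop"


def audit(flows):
    """Evaluate a batch of flows; returns (flow, decision) pairs for review."""
    return [(f, decide(f)) for f in flows]


if __name__ == "__main__":
    # Constructed sample flows: a public client, the hosted box, and an office host.
    samples = [
        Flow("198.51.100.7", "192.0.2.10", "tcp", 80),    # public -> web: allow
        Flow("198.51.100.7", "192.0.2.10", "tcp", 1433),  # public -> SQL on the web box: drop
        Flow("198.51.100.7", "10.0.0.5", "tcp", 25),      # public -> internal mail server: drop
        Flow("10.0.0.5", "192.0.2.10", "tcp", 1433),      # office -> SQL over the VPN: allow
        Flow("192.0.2.10", "10.0.0.5", "tcp", 25),        # DMZ relay -> internal mail: allow
        Flow("192.0.2.10", "10.0.0.5", "tcp", 445),       # DMZ -> internal file sharing: drop
    ]
    for flow, verdict in audit(samples):
        print(f"{flow.src:>14} -> {flow.dst:<12} {flow.proto}/{flow.dport:<5} {verdict}")
```

The useful property to check when adapting this to a real rule base is the same one the reply makes: the SQL port is only reachable from the internal zone across the tunnel, and the public side of the DMZ exposes nothing but the web and relay services. Run the script to see the verdicts for the constructed flows.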
 