Re: WebServer behind firewall


From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 12/10/04


Date: Fri, 10 Dec 2004 13:21:50 -0600

There are a number of ways you can do this. Using two firewalls would be a
good bet. One in front of the web server and one between the LAN and the web
server. The one in front of the web server could be configured to allow only
ports 80/443 to the web server and the one between the LAN and the web
server would be configured to allow only traffic to and from the LAN and the
web server. This way if the web server is compromised, the attacker will
have limited access to your internal network. You could use IPsec to protect
traffic between the web server and the internal LAN to encrypt the traffic
and make the firewall easier to configure. IPsec can use Kerberos [within a
domain], certificate, or preshared key machine authentication. You cannot,
however, use IPsec negotiation between a domain controller and a domain
computer. The link below goes into much more detail on possible firewall
configurations. I also strongly urge you to read the Windows 2003 Server
Security Guide on how to harden servers, and it also includes tips on how to
use IPsec "filtering" as another layer of security. --- Steve

http://www.microsoft.com/technet/Security/topics/network/firewall.mspx

"Paul MacFarlane" <pmacfarlane@mullenlaw.com> wrote in message
news:OAupG5s3EHA.3616@TK2MSFTNGP11.phx.gbl...
> I'm trying to plan for bringing our webserver in-house and had a few
> questions about my plan. The idea is to make the server accessible from our
> internal network but prevent and secure our network from the outside.
>
> We currently have a firewall (MFW) and internal network 192.168.10.*.
> I would forward port 80 through to this webserver.
>
> - Would using a different subnet for the webserver help? (ie 192.168.1.*)
> - Would I want to use a second firewall (SFW) (external IP)?
> - Would I want to put an internal firewall (IFW) between the webserver and
> our network?
>
> Any suggestions or pointers appreciated....
>
> Thanks,
> Paul
>
>
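
Added example, not part of the original thread: a small first-match, default-deny model of the two-firewall layout described in the reply, compared with a web server placed directly on the internal network. The web server address 192.168.1.10, the LAN host 192.168.10.20 and the probed port list are hypothetical, and the firewalls are assumed to be stateful, so only new connections are modelled.

```python
import ipaddress
from typing import NamedTuple

class Rule(NamedTuple):
    src: str           # source network (CIDR)
    dst: str           # destination network (CIDR)
    ports: frozenset   # destination ports allowed for new connections

LAN = "192.168.10.0/24"   # internal network from the question
DMZ = "192.168.1.0/24"    # separate web server subnet floated in the question
WEB = "192.168.1.10"      # hypothetical web server address
ANY = "0.0.0.0/0"
HTTP = frozenset({80, 443})

FRONT = [Rule(ANY, WEB + "/32", HTTP)]      # firewall in front of the web server
INTERNAL = [Rule(LAN, WEB + "/32", HTTP)]   # firewall between LAN and web server

def zone(ip):
    addr = ipaddress.ip_address(ip)
    if addr in ipaddress.ip_network(LAN):
        return "lan"
    if addr in ipaddress.ip_network(DMZ):
        return "dmz"
    return "internet"

# Firewalls a new connection crosses between two zones (same zone: none).
PATH = {
    frozenset({"internet", "dmz"}): [FRONT],
    frozenset({"dmz", "lan"}): [INTERNAL],
    frozenset({"internet", "lan"}): [FRONT, INTERNAL],
}

def permits(rules, src, dst, port):
    """True if any rule allows the connection; no matching rule means deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(r.src)
               and d in ipaddress.ip_network(r.dst)
               and port in r.ports for r in rules)

def reachable(src, dst, port):
    crossed = PATH.get(frozenset({zone(src), zone(dst)}), [])
    return all(permits(fw, src, dst, port) for fw in crossed)

def lan_exposure(server_ip, lan_host="192.168.10.20", ports=(80, 445, 1433, 3389)):
    """Ports on a LAN host that a compromised server at server_ip could open."""
    return [p for p in ports if reachable(server_ip, lan_host, p)]
```

With the server on 192.168.1.10, lan_exposure() returns an empty list; with the server on the internal subnet (for example 192.168.10.5) every probed port is reachable because no firewall sits between it and the LAN host.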


