Re: Web portal security
- From: Leythos <void@xxxxxxxxxxx>
- Date: Wed, 25 Jul 2007 22:37:10 -0400
In article <32E358DC-3F65-4DEA-BD1A-616863866109@xxxxxxxxxxxxx>,
kazi@xxxxxxxxxxxxxxxxxxxxxxxxx says...
> We are currently running SBS2003 with sonicwall TZ170 firewall. We are planning
> to host our customer web portal which will have important client data. Here
> is how I'm planning to implement it:
> The web portal application based on SQL database will be installed on
> win2003 standard server with IIS, SSL enabled and will be placed on
> firewall's DMZ port. Now just to mention that the portal website is not for
> open public but only for the clients/users with valid userid and pswd of
> portal application. So I will be fwding port 443 in firewall to my DMZ port.
Well, assuming you are going to use the SQL database from SBS, you can
stop right there - SBS SQL is not licensed for public access and is not
permitted access by anyone that doesn't have an SBS CAL - according to
MS documents as of two months ago.
> Based on above setup, I've the following concerns & scenarios:
> 1. Should I assign public IP to my portal server or assign private IP of
> diff: subnet than my LAN and map one to one from firewall to dmz. Due to
> sensitive nature of data on portal server, I prefer max: security on it.
Your DMZ, if it's a real network, should be a completely different
subnet than your LAN network:
LAN: 192.168.8.10/24
DMZ: 192.168.9.10/24
> 2. Some users from LAN must access portal server in order to upload customer
> files & admin user from LAN must connect for portal app: management. If I
> enable communication b/w LAN and DMZ & make this portal server a member of my
> SBS server domain in LAN, does it mean the DMZ purpose is lost?
They can access it the same way your customers do, but instead of using
the PUBLIC IP, you setup a DNS record for your website in SBS DNS
matching the same public name and then create a firewall rule for
TCP:443 LAN-ANY>DMZ-WEB IP
> **** OR *****
> 3. What if I make my portal server a member server in SBS domain giving
> private IP of same LAN subnet, forget about DMZ, coz it's not a general
> public website and only auth: users can access it and fwd required ports
> fwded from firewall to LAN on portal private server IP. But I guess this will
> create conflict with my SBS OWA for port 443 unless I change 'em.
NEVER JOIN A DMZ COMPUTER TO THE LAN DOMAIN, NEVER, DON'T DO IT. For
active directory information to pass between the two servers you would
need LARGE GAPING SECURITY HOLES that would defeat the purpose of having
a DMZ network.
> Any ideas/suggestions are welcome to make our portal up to security standards.
If you want real security you better consider a LOT more things and hire
a professional with a proven record.
You should block all foreign subnets that you are sure your customers
won't come from - like blocking all of China and Russia if you don't do
business there.
You need to block (temp) any IP that connects via certain PORTS that are
known to be compromised ports, or based on certain types of activity, you
need to secure the web server.
You need your app to use SQL Authentication and only allow TCP1433 from
DMZ-IP of Web server > LAN:SBS IP.
But, all this is moot as you can't use the SQL on SBS for public access,
all users exposed must have a SBS CAL according to MS.
--
Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@xxxxxxxxxx (remove 999 for proper email address)
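As an added illustration (not part of the thread and not anyone's posted code), a small Python checker that models the DMZ policy from the reply above: the only traffic allowed from the DMZ back into the LAN is TCP/1433 from the web server's IP to the SBS IP, and any AD/SMB port opened from the DMZ into the LAN (which is what joining the DMZ box to the domain would require) is flagged. The host addresses and the AD port set are assumptions, not from the post.

```python
"""Check a proposed firewall ruleset against the DMZ policy described in the reply."""
from dataclasses import dataclass
from ipaddress import ip_network

# Constructed addressing following the subnets in the reply; host addresses are assumed.
LAN = ip_network("192.168.8.0/24")
DMZ = ip_network("192.168.9.0/24")
WEB_IP = ip_network("192.168.9.10/32")   # assumed DMZ web server
SBS_IP = ip_network("192.168.8.10/32")   # assumed SBS box hosting SQL

# Ports a domain-joined host needs open back to a DC (Kerberos, RPC, LDAP, SMB, GC).
AD_PORTS = {88, 135, 389, 445, 464, 636, 3268, 3269}


@dataclass(frozen=True)
class Rule:
    src: str   # source CIDR
    dst: str   # destination CIDR
    port: int  # TCP destination port


def check_rules(rules):
    """Return a list of policy violations; an empty list means the ruleset conforms."""
    problems = []
    for r in rules:
        src, dst = ip_network(r.src), ip_network(r.dst)
        if src.subnet_of(DMZ) and dst.subnet_of(LAN):
            # DMZ -> LAN is permitted only for SQL from the web server to the SBS box.
            if r.port in AD_PORTS:
                problems.append(f"{r}: AD/SMB port opened from DMZ into LAN (domain join)")
            elif not (r.port == 1433 and src == WEB_IP and dst == SBS_IP):
                problems.append(f"{r}: DMZ->LAN must be only TCP/1433 web IP -> SBS IP")
    return problems


# The ruleset the reply recommends: LAN users reach the portal over HTTPS,
# the web server reaches SQL on the SBS box using SQL Authentication.
PROPOSED = [
    Rule("192.168.8.0/24", "192.168.9.10/32", 443),
    Rule("192.168.9.10/32", "192.168.8.10/32", 1433),
]
# What a domain-joined DMZ server would additionally need (constructed case).
DOMAIN_JOINED = PROPOSED + [
    Rule("192.168.9.10/32", "192.168.8.10/32", 88),    # Kerberos
    Rule("192.168.9.10/32", "192.168.8.10/32", 445),   # SMB / SYSVOL
]

if __name__ == "__main__":
    print("proposed ruleset:", check_rules(PROPOSED) or "OK")
    for problem in check_rules(DOMAIN_JOINED):
        print("domain-joined ruleset:", problem)
```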