Welcome to ISAserver.org
Placement of webserver (Internal or DMZ)
Placement of webserver (Internal or DMZ) - 1.Jul.2007 12:25:52 PM
bhavin78
Posts: 429
Joined: 18.Jul.2005
From: USA
Status: offline
Where should I place the web server: on the DMZ or the internal network? My ISA Server is a domain member. The web server is hosting around 10 websites accessed by internal users, a few users from a partner company and external users. All the websites hosted on this web server need to talk with SQL Server, which is part of the internal network. What's the secure option as far as placement of the web server? I did try to put the web server on the DMZ (not a domain member) and created a rule to allow SQL from DMZ to internal, but I found a few sites working fine and a few not working. For a few websites I get a SQL connection error and on a few of them I have image issues. Images are not being displayed for websites.
RE: Placement of webserver (Internal or DMZ) - 4.Jul.2007 11:58:01 AM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
If it works for some sites and not others, it could be a SQL configuration problem. You'd have to look at the ISA firewall log files and maybe packet traces to figure it out. Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
RE: Placement of webserver (Internal or DMZ) - 5.Jul.2007 9:41:18 AM
bhavin78
Posts: 429
Joined: 18.Jul.2005
From: USA
Status: offline
What would you recommend as far as placement of the web server goes?
RE: Placement of webserver (Internal or DMZ) - 6.Jul.2007 2:52:10 PM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
My opinion is that any public access (Internet facing) server should be in a DMZ segment separated from the production network. This might be an authenticated access DMZ or an anonymous access DMZ, but both DMZs need to be separated from the "internal" network. Tom
RE: Placement of webserver (Internal or DMZ) - 6.Jul.2007 4:46:50 PM
bhavin78
Posts: 429
Joined: 18.Jul.2005
From: USA
Status: offline
I have a web server with an application which needs to talk with SQL Server for data. It's authentication to the SQL Server database (not AD authentication). Should I make this server a domain member and put it on the DMZ, or leave it on the DMZ but not join the domain?
RE: Placement of webserver (Internal or DMZ) - 8.Jul.2007 12:17:03 PM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
If the backend SQL server isn't using AD authentication then there's no reason for it to join the domain, is there? In that case both the Web server and the SQL server end up being workgroup members. Tom
RE: Placement of webserver (Internal or DMZ) - 8.Jul.2007 1:44:17 PM
bhavin78
Posts: 429
Joined: 18.Jul.2005
From: USA
Status: offline
Thanks for your input. SQL Server is a domain member. I also talked with Microsoft yesterday and they told me that placing the server in the internal network is as secure as placing the server in the DMZ, as it still requires talking with SQL in the internal network, for which ports need to be open from dmz <> internal.
RE: Placement of webserver (Internal or DMZ) - 9.Jul.2007 10:24:00 AM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
I wholeheartedly disagree with what MS told you, as I think their motivation was more an ease-of-use recommendation (easier for them too) than a security-minded recommendation. HTH, Tom
RE: Placement of webserver (Internal or DMZ) - 9.Jul.2007 11:42:57 AM
bhavin78
Posts: 429
Joined: 18.Jul.2005
From: USA
Status: offline
I agree with what you say, but SQL Server is a domain member and I cannot put SQL Server in a workgroup in the DMZ. Please check this and let me know. This is from Stefaan:

Hi bhavin78, OK, let's give a couple of examples... If you can pre-authenticate at and do content checking on the ISA server for the web published resources (i.e. OWA, Outlook Anywhere, Sharepoint, etc...), I personally don't see any benefit in placing those boxes on a perimeter network. You won't gain any security by doing that.

On the other hand, if you have a crappy web application or a web application that doesn't need to talk to internal resources, you might isolate them on a perimeter network. However, if you need to manage those boxes too, you could place them on the internal network and try to isolate them instead with server and domain isolation techniques (http://www.microsoft.com/technet/itsolutions/network/ipsec/default.mspx).

So, there is no single right answer to your question. It depends on your risk appetite. In my opinion the key points are authentication, content checking and isolation in one or another form, but make sure the solution is as simple as possible and manageable. Complexity is the enemy of any good security solution. HTH, Stefaan
RE: Placement of webserver (Internal or DMZ) - 11.Jul.2007 10:26:35 AM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Yes, but I also know that Stefaan is quite wrong in his assessment. The problem is that he doesn't really understand security zoning and the rationale for security zoning. Of course, if security isn't an issue, or it's just something that "other" people do (like me and other network security professionals who really understand the issue), then you wouldn't use security zoning. Instead, you'd find someone who agrees with you, you tell yourself it's going to be OK, and then you cross your fingers and hope that nothing bad happens. I see the head-in-the-sand attitude all the time. HTH, Tom
RE: Placement of webserver (Internal or DMZ) - 11.Jul.2007 1:15:24 PM
bhavin78
Posts: 429
Joined: 18.Jul.2005
From: USA
Status: offline
Thanks for your input. I agree with what you said. I will make sure my web server is on the DMZ, but it still needs to access data from SQL Server and I have to open port 1443 for SQL from the DMZ to the internal network. I cannot move my SQL Server to the DMZ. My web server is not a domain member. Is this OK or not?
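The DMZ-to-internal opening discussed in this thread, as an added example that is not part of any poster's message: a small Python audit that flags allow rules letting DMZ hosts reach the internal network beyond web server to SQL Server on a single TCP port. The addresses, rule names and the `Rule`/`audit` helpers are hypothetical, and the port is assumed to be SQL Server's default TCP 1433; set `SQL_PORT` to whatever the instance actually listens on.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addresses for illustration; none of these come from the thread.
WEB = ipaddress.ip_network("192.0.2.10/32")    # DMZ web server (hypothetical)
SQL = ipaddress.ip_network("10.0.0.20/32")     # internal SQL Server (hypothetical)
DMZ = ipaddress.ip_network("192.0.2.0/24")
INTERNAL = ipaddress.ip_network("10.0.0.0/16")
SQL_PORT = 1433  # assumption: default SQL Server instance on TCP 1433


@dataclass(frozen=True)
class Rule:
    name: str
    src: str        # source network in CIDR form
    dst: str        # destination network in CIDR form
    proto: str      # "tcp" or "udp"
    ports: range    # destination ports
    action: str = "allow"


def audit(rules, web=WEB, sql=SQL, dmz=DMZ, internal=INTERNAL, port=SQL_PORT):
    """Return (rule name, problem) pairs for allow rules that open more of
    the internal network to the DMZ than web server -> SQL Server on one port.
    Rule ordering and shadowing by earlier deny rules are not modelled."""
    findings = []
    for r in rules:
        src, dst = ipaddress.ip_network(r.src), ipaddress.ip_network(r.dst)
        # Only allow rules that can carry traffic from the DMZ into internal.
        if r.action != "allow" or not (src.overlaps(dmz) and dst.overlaps(internal)):
            continue
        if not src.subnet_of(web):
            findings.append((r.name, "source is wider than the web server"))
        if not dst.subnet_of(sql):
            findings.append((r.name, "destination is wider than the SQL server"))
        if r.proto != "tcp" or r.ports != range(port, port + 1):
            findings.append((r.name, "opens more than the single SQL port"))
    return findings


# Constructed rule set: one tight rule, one over-broad rule, one publishing rule.
RULES = [
    Rule("web-to-sql", "192.0.2.10/32", "10.0.0.20/32", "tcp", range(1433, 1434)),
    Rule("dmz-to-internal-all", "192.0.2.0/24", "10.0.0.0/16", "tcp", range(1, 65536)),
    Rule("publish-http", "0.0.0.0/0", "192.0.2.10/32", "tcp", range(80, 81)),
]

if __name__ == "__main__":
    for name, problem in audit(RULES):
        print(f"{name}: {problem}")
```
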