Welcome to ISAserver.org


Web Server - To DMZ or not to DMZ?

Web Server - To DMZ or not to DMZ? - 19.Jun.2008 6:40:26 AM   
ldoodle

 

Posts: 54
Joined: 21.Mar.2005
From: England
Status: offline
Hiya,

I'm thinking of adding a DMZ to host a Web Server. The addressing will be as follows:

LAN: 10.0.0.0/23
WAN: x.x.x.x/29
DMZ: 192.168.0.0/29

Now the Web Server will host our public website as well as our intranet. Both website and intranet will need to be accessible from both sides of the firewall, and I need things like integrated authentication for the intranet when accessing from a LAN client.

What is the best way to tackle this? Should I indeed put the Web Server in a DMZ, or host it on the LAN and allow external access to it?

Thanks

< Message edited by ldoodle -- 19.Jun.2008 6:52:52 AM >
Post #: 1
RE: Web Server - To DMZ or not to DMZ? - 19.Jun.2008 11:53:34 AM   
paulo.oliveira

 

Posts: 563
Joined: 3.Jan.2008
From: Amazonas, Brazil
Status: offline
Hi,

I strongly advise you to create a perimeter network. This way you will have one more defence against external attacks, because the Internet guys won't have access to your LAN if something bad happens to your web server.

(in reply to ldoodle)
Post #: 2
RE: Web Server - To DMZ or not to DMZ? - 20.Jun.2008 3:35:31 AM   
ldoodle

 

Posts: 54
Joined: 21.Mar.2005
From: England
Status: offline
That is what I plan to do, but will I be able to use integrated authentication from the LAN to the DMZ to specific web sites on the web server, as it won't be connected to the domain?

Thanks

< Message edited by ldoodle -- 20.Jun.2008 3:49:41 AM >

(in reply to paulo.oliveira)
Post #: 3
RE: Web Server - To DMZ or not to DMZ? - 20.Jun.2008 3:56:08 AM   
Jason Jones

 

Posts: 1782
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
The server in the DMZ will need to be a member of the domain to achieve this.

In general, placing domain members in a DMZ is seen as a bad thing to do... however, if we are talking about an ISA DMZ which forces pre-authentication of all connections by ISA, then we have a DMZ that is far more trusted than most. In this scenario, placing domain members in an "authenticated access DMZ" is seen as an acceptable compromise.

By placing the web server in the DMZ, you will not be protecting it any more in terms of Internet attack, however if it is compromised you at least have some form of isolation from the internal network.

Using a DMZ introduces a concept of least privilege (which is good), especially if combined with ISA Server pre-authentication and other ISA controls like the HTTP filter etc.

Cheers

JJ

_____________________________

Jason Jones
Silversands Ltd
http://www.silversands.co.uk
View My Blog: http://blog.msfirewall.org.uk/

Get Our NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to ldoodle)
Post #: 4
RE: Web Server - To DMZ or not to DMZ? - 20.Jun.2008 10:31:49 AM   
ldoodle

 

Posts: 54
Joined: 21.Mar.2005
From: England
Status: offline
Yeah I thought it would have to be part of the domain for integrated auth.

Thing is, as this server will host 2 sites (web and intranet), one will need anonymous access and the other integrated. I'm not sure I can get this working both ways, as no anonymous access is allowed to an authenticated access DMZ, or so I've read.

Unless ISA can be configured 'both' ways?

(in reply to Jason Jones)
Post #: 5
RE: Web Server - To DMZ or not to DMZ? - 20.Jun.2008 12:12:05 PM   
paulo.oliveira

 

Posts: 563
Joined: 3.Jan.2008
From: Amazonas, Brazil
Status: offline
Hi,

You can create two rules (one for external and one for internal clients) and two web listeners. Configure the external web listener to ask for authentication and the internal one for no authentication.

Regards,
Paulo Oliveira.

(in reply to ldoodle)
Post #: 6
RE: Web Server - To DMZ or not to DMZ? - 20.Jun.2008 12:47:08 PM   
Jason Jones

 

Posts: 1782
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
quote:

ORIGINAL: ldoodle

Yeah I thought it would have to be part of the domain for integrated auth.

Thing is, as this server will host 2 sites (web and intranet), one will need anonymous access and the other integrated. I'm not sure I can get this working both ways, as no anonymous access is allowed to an authenticated access DMZ, or so I've read.

Unless ISA can be configured 'both' ways?


Not the answer you probably want, but you shouldn't really host public and intranets on the same server - just too risky.

Because you have anonymous access, I think the DMZ approach is a good idea. I am kinda torn though, as a domain member in an anonymous access DMZ is not really a good idea, but I do think you need some form of separation from the internal network. At the end of the day you will have ISA to protect both environments anyhow, so you are already doing something good security-wise.

Is there any chance you can have two DMZs and put a server in each, one for public and one for intranet???

Paulo's split authentication rules approach is also good practice either way...

Cheers

JJ

_____________________________

Jason Jones
Silversands Ltd
http://www.silversands.co.uk
View My Blog: http://blog.msfirewall.org.uk/

Get Our NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to ldoodle)
Post #: 7
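Jason's two posts above make a trade-off that is easy to state and hard to eyeball: the DMZ only buys isolation for the traffic the firewall does not have to let through, and a domain-joined web server forces a set of DMZ-to-LAN rules towards the domain controller that a standalone server never needs. The following is an added example, not code from the thread or from ISA Server, that models the three-leg topology from the original post as a plain allow-list (ISA's own policy ends in a default deny rule) and enumerates what an attacker who owns the DMZ web server can still reach on the LAN under the two designs. The host addresses, the domain controller, and the Server 2008 dynamic RPC range are assumptions made for the example.

```python
"""Added example (not ISA's policy engine): model the three-leg ISA topology
from this thread as a stateless allow-list and compare what a compromised
DMZ web server can reach on the LAN when it is standalone versus a domain
member."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Container, Iterable, List, Tuple

# Networks from the original post. The WAN /29 is not needed for the model;
# "ANY" stands for every address, which includes the Internet.
LAN = ip_network("10.0.0.0/23")
DMZ = ip_network("192.168.0.0/29")
ANY = ip_network("0.0.0.0/0")

# Constructed hosts (assumptions, not from the thread).
WEB = ip_address("192.168.0.2")               # web server in the DMZ
DC = ip_address("10.0.0.10")                  # domain controller on the LAN
CLIENT = ip_address("10.0.1.25")              # a LAN workstation
INTERNET_CLIENT = ip_address("203.0.113.7")   # TEST-NET-3 address


@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    proto: str              # "tcp", "udp" or "any"
    ports: Container[int]   # e.g. {80, 443} or range(49152, 65536)


def host(addr: IPv4Address) -> IPv4Network:
    """A single host expressed as a /32 so it can be used as src or dst."""
    return ip_network(f"{addr}/32")


def allowed(rules: Iterable[Rule], src: IPv4Address, dst: IPv4Address,
            proto: str, port: int) -> bool:
    """Allow-list semantics: a flow is permitted only if some rule matches it.
    Anything unmatched is dropped, like ISA's default deny rule."""
    return any(
        src in r.src and dst in r.dst
        and r.proto in (proto, "any")
        and port in r.ports
        for r in rules
    )


# Scenario 1: standalone (non-domain) web server. HTTP/HTTPS is published to
# everyone (Internet and LAN); the DMZ host originates nothing.
STANDALONE: List[Rule] = [
    Rule("publish-web", ANY, host(WEB), "tcp", {80, 443}),
]

# Scenario 2: the same server joined to the domain so the intranet site can
# use integrated authentication. The DMZ host now needs the well-known AD
# member ports to the DC. 49152-65535 is the Server 2008 dynamic RPC range
# (assumption; a Server 2003 DC would use 1025-5000 instead).
DOMAIN_JOINED: List[Rule] = STANDALONE + [
    Rule("ad-dns",      host(WEB), host(DC), "any", {53}),
    Rule("ad-kerberos", host(WEB), host(DC), "any", {88, 464}),
    Rule("ad-ldap",     host(WEB), host(DC), "any", {389}),
    Rule("ad-gc",       host(WEB), host(DC), "tcp", {3268}),
    Rule("ad-smb",      host(WEB), host(DC), "tcp", {445}),
    Rule("ad-rpc",      host(WEB), host(DC), "tcp", {135}),
    Rule("ad-rpc-dyn",  host(WEB), host(DC), "tcp", range(49152, 65536)),
]

# Ports an attacker would probe from the DMZ; constructed list for the demo.
PROBE_PORTS = [53, 80, 88, 135, 389, 445, 464, 3268, 3389, 49152]


def lan_exposure(rules: Iterable[Rule],
                 attacker: IPv4Address = WEB) -> List[Tuple[str, str, int]]:
    """(host, proto, port) tuples on the LAN that an attacker holding the DMZ
    web server can reach. An empty list means full DMZ-to-LAN isolation."""
    rules = list(rules)
    found = []
    for target in (DC, CLIENT):
        for proto in ("tcp", "udp"):
            for port in PROBE_PORTS:
                if allowed(rules, attacker, target, proto, port):
                    found.append((str(target), proto, port))
    return found


if __name__ == "__main__":
    for label, rules in (("standalone", STANDALONE),
                         ("domain-joined", DOMAIN_JOINED)):
        exposed = lan_exposure(rules)
        print(f"{label}: compromised DMZ host reaches {len(exposed)} LAN flows")
        for flow in exposed:
            print("   ", flow)
```

Run stand-alone, the standalone scenario prints no LAN flows at all, while the domain-joined scenario lists every DC port the member needs; that list is exactly the attack surface Jason's "domain member in an anonymous access DMZ" concern is about, and it is what a second DMZ for the intranet server would keep away from the anonymously reachable host.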
RE: Web Server - To DMZ or not to DMZ? - 21.Jun.2008 2:38:29 PM   
ldoodle

 

Posts: 54
Joined: 21.Mar.2005
From: England
Status: offline
quote:

ORIGINAL: Jason Jones
Not the answer you probably want, but you shouldn't really host public and intranets on the same server - just too risky.

Totally understand this, and would 9 times out of 10 adhere to this rule. However, I need to justify the expenditure of additional hardware, which normally isn't a problem, but I've only been at this company for 4 months and, no kidding, already spent over £50k (which is almost 50% of the annual IT budget!), so I don't want to go overboard. Also, as I'm using existing hardware, rack space is at a premium, so I would plan to replace the current 5U servers with 1U or 2U variations next year.

quote:

ORIGINAL: Jason Jones
Is there any chance you can have two DMZs and put a server in each, one for public and one for intranet???

This was my original thinking for a long term basis, but as per comment above not for immediate setup.

quote:

ORIGINAL: Jason Jones
Paulo's split authentication rules approach is also good practice either way...

Maybe this is the way forward temporarily, or I simply inform them that integrated isn't possible. I could use ISA's built-in forms-based authentication to avoid the normal username/password dialog box, which I absolutely hate!

Thanks for all the replies.

< Message edited by ldoodle -- 21.Jun.2008 2:40:49 PM >

(in reply to Jason Jones)
Post #: 8
RE: Web Server - To DMZ or not to DMZ? - 23.Jun.2008 4:32:00 AM   
ldoodle

 

Posts: 54
Joined: 21.Mar.2005
From: England
Status: offline
Oh one last thing - my setup is currently 'Edge Firewall'. If I change to 3-leg Perimeter, will this cause any other settings within the array to fall-over?

I don't expect it will, but it's better to be safe than sorry!

Thanks

(in reply to ldoodle)
Post #: 9
RE: Web Server - To DMZ or not to DMZ? - 23.Jun.2008 7:41:57 AM   
paulo.oliveira

 

Posts: 563
Joined: 3.Jan.2008
From: Amazonas, Brazil
Status: offline
Hi,

Basically, ISA will change the network relationships and add a new network (perimeter). The best way for you to check whether it will impact your existing configuration is to run the network template and NOT apply the changes to the ISA configuration storage until you are sure it will work fine!

PS: You probably already know that, but just to remind you, back up your configuration first.

Regards,
Paulo Oliveira.

(in reply to ldoodle)
Post #: 10
