Web Server - To DMZ or not to DMZ?

Web Server - To DMZ or not to DMZ? (Full Version)

All Forums >> [ISA 2006 Firewall] >> DMZ

Message

ldoodle -> Web Server - To DMZ or not to DMZ? (19.Jun.2008 6:40:26 AM)
Hiya, I'm thinking of adding a DMZ to host a Web Server. The addressing will be as follows: LAN: 10.0.0.0/23 WAN: x.x.x.x/29 DMZ: 192.168.0.0/29 Now the Web Server will host our public website as well as our intranet. Both website and intranet will need to be accessible from both sides of the firewall, and I need things like integrated authentication for the intranet when accessing from a LAN client. What is the best way to tackle this. Should I indeed put the Web Server in a DMZ, or host it on the LAN and allow external access to it? Thanks

paulo.oliveira -> RE: Web Server - To DMZ or not to DMZ? (19.Jun.2008 11:53:34 AM)
Hi, I strongly advice you to create a perimeter network. This way you will have one more defense against external attacks. Cause, the internet guys won´t have access to your LAN if something bad happens to your web server.

ldoodle -> RE: Web Server - To DMZ or not to DMZ? (20.Jun.2008 3:35:31 AM)
That is what I plan to do, but will I be able to use integrated authentication from the LAN to the DMZ to specific web sites on the web server, as it won't be connected to the domain? Thanks

Jason Jones -> RE: Web Server - To DMZ or not to DMZ? (20.Jun.2008 3:56:08 AM)
The server in the DMZ will need to be a member of the domain to achieve this. In general, placing domain members in a DMZ is seen as a bad thing to do...however, if we are talking about an ISA DMZ which forces pre-authentication of all connetions by ISA, then we have a DMZ that is far more tusted than most. In this scenario, placing domain members in a "authenticed access DMZ" is seen as an acceptable compomise. By placing the web server in the DMZ, you will not be protecting it any more in terms of Internet attack, however if it is compromised you at least have some form of isolation from the internal network. Using a DMZ introduces a concept of least privilige (which is good) especially if combined with ISA server pre-authentication and other ISA controls like the HTTP filter etc. Cheers JJ

ldoodle -> RE: Web Server - To DMZ or not to DMZ? (20.Jun.2008 10:31:49 AM)
Yeah I thought it would have to be part of the domain for integrated auth. Thing is, as this server will host 2 sites (web and intranet), one will need annonymous access and the other integrated I'm not sure I can get this working both ways, as no annonymous access is allowed to an authenticed access DMZ, or so i've read. Unless ISA can be configured 'both' ways?

paulo.oliveira -> RE: Web Server - To DMZ or not to DMZ? (20.Jun.2008 12:12:05 PM)
Hi, you can create two rules (one for external and one for internal clients) and two web listeners. For the external web listeners you configure to ask authentication and for the internal one configure no authentication. Regards, Paulo Oliveira.

Jason Jones -> RE: Web Server - To DMZ or not to DMZ? (20.Jun.2008 12:47:08 PM)
quote: ORIGINAL: ldoodle Yeah I thought it would have to be part of the domain for integrated auth. Thing is, as this server will host 2 sites (web and intranet), one will need annonymous access and the other integrated I'm not sure I can get this working both ways, as no annonymous access is allowed to an authenticed access DMZ, or so i've read. Unless ISA can be configured 'both' ways? Not the answer you probably want, but you shouldn't really host public and intranets on the same server - just too risky. Because you have anonymous access, I think the DMZ approach is a good idea. I am kinda torn though as a domain member in an anonymous access DMZ is not really a good idea, but I do think you need some form of separation from the internal network. At the end of the day you will have ISA to protect both environments anyhow, so you are already doing something good securitywise. Is there any chance you can have two DMZs and put a server in each, one for public and one for intranet??? [8D][;)] Paulo's split authentication rules approach is also good practice either way... Cheers JJ

ldoodle -> RE: Web Server - To DMZ or not to DMZ? (21.Jun.2008 2:38:29 PM)
quote: ORIGINAL: Jason Jones Not the answer you probably want, but you shouldn't really host public and intranets on the same server - just too risky. Totally understand this, and would 9 times out of 10 adhere to this rule. However I need to justify the expenditure of additional hardware, which normally isn't a problem, but i've only been at this company for 4 months and no kidding already spent over £50k (which is almost 50% of annual IT budget!), so don't want to go overboard. Also as i'm using existing hardware, rack space is at a premium so I would plan to replace the current 5U servers with 1 or 2U variations next year. quote: ORIGINAL: Jason Jones Is there any chance you can have two DMZs and put a server in each, one for public and one for intranet??? [8D][;)] This was my original thinking for a long term basis, but as per comment above not for immediate setup. quote: ORIGINAL: Jason Jones Paulo's split authentication rules approach is also good practice either way... Maybe this is the way forward temporarily, or I simply inform them that integrated isn't possible. I could use ISA's built-in forms based authentication to avoid the fact that I absolutely hate the normal username/password dialog box! Thanks for all the replies.

ldoodle -> RE: Web Server - To DMZ or not to DMZ? (23.Jun.2008 4:32:00 AM)
Oh one last thing - my setup is currently 'Edge Firewall'. If I change to 3-leg Perimeter, will this cause any other settings within the array to fall-over? I don't expect it will, but it's better to be safe than sorry! Thanks

paulo.oliveira -> RE: Web Server - To DMZ or not to DMZ? (23.Jun.2008 7:41:57 AM)
Hi, basicly ISA will change the network relationship and add a new network (perimeter). The best way to you check if it will impact your existing configuration is apply the network template and do NOT apply it in ISA configuration storage until you sure it will work fine! [;)] PS: You pobrably already know that, but just to remind you, backup your configuration first. [:)] Regards, Paulo Oliveira.

Page: [1]