Web Servers and Firewall Zones


Web and FTP Servers

Every network with an Internet connection is at risk of being compromised. While there are many steps you can take to secure your LAN, the only real solution is to close your LAN to incoming traffic and restrict outgoing traffic.

However, some services such as web or FTP servers require incoming connections. If you require these services, you will need to consider whether it is essential that these servers are part of the LAN, or whether they can be placed in a physically separate network called a DMZ (or demilitarised zone, to give it its proper name). Ideally all servers in the DMZ will be stand-alone servers, with unique logons and passwords for each server. If you require a backup server for machines in the DMZ, then you should acquire a dedicated machine and keep the backup solution separate from the LAN backup solution.

The DMZ will come directly off the firewall, which means that there are two routes in and out of the DMZ: traffic to and from the Internet, and traffic to and from the LAN. Traffic between the DMZ and your LAN would be treated entirely separately from traffic between your DMZ and the Internet. Incoming traffic from the Internet would be routed directly to your DMZ.
Therefore, if a hacker were to compromise a machine in the DMZ, the only network they would have access to would be the DMZ. The hacker would have little or no access to the LAN. It would also be the case that any infection or other security compromise within the LAN would not be able to migrate to the DMZ.

For the DMZ to be effective, you will need to keep the traffic between the LAN and the DMZ to a minimum. In the majority of cases, the only traffic required between the LAN and the DMZ is FTP. If you do not have physical access to the servers, you will also need some form of remote management protocol such as Terminal Services or VNC.

Database servers

If your web servers require access to a database server, then you will need to consider where to place your database. The most secure place to locate a database server is to create yet another physically separate network called the secure zone, and to place the database server there.
The secure zone is also a physically separate network connected directly to the firewall. The secure zone is by definition the most secure place on the network. The only access to or from the secure zone would be the database connection from the DMZ (and the LAN if required).

Exceptions to the rule

The dilemma faced by network engineers is where to place the e-mail server. It requires an SMTP connection to the Internet, yet it also requires domain access from the LAN. If you were to place this server in the DMZ, the domain traffic would compromise the integrity of the DMZ, making it simply an extension of the LAN. Therefore, in our opinion, the only place you can put an e-mail server is on the LAN, and allow SMTP traffic into this server. However, we would advise against allowing any form of HTTP access into this server. If your users require access to their mail from outside the network, it would be far more secure to look at some form of VPN solution, with the firewall handling the VPN connections. LAN-based VPN servers allow the VPN traffic onto the network before it is authenticated, which is never a good thing.
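The zone layout described in this article, modelled as a default-deny firewall policy so that each permitted flow (and each one that must be blocked) can be checked. This is an added example, not code from the original article; the port numbers and the Flow/is_allowed names are assumptions for the services the text names.

```python
# Zone-based firewall policy model for the LAN / DMZ / secure-zone layout
# described above. Added example; not from the original article.
# Default deny between zones: only flows the article explicitly describes pass.
from dataclasses import dataclass

INTERNET, LAN, DMZ, SECURE = "internet", "lan", "dmz", "secure"

# Port numbers are constructed assumptions for the services the article names.
HTTP, HTTPS, FTP, SMTP, RDP, VNC, DB = 80, 443, 21, 25, 3389, 5900, 1433

# (source zone, destination zone) -> ports the firewall permits in that direction.
POLICY = {
    (INTERNET, DMZ): {HTTP, HTTPS, FTP},  # public web and FTP services
    (LAN, DMZ):      {FTP, RDP, VNC},     # content upload plus remote management only
    (DMZ, SECURE):   {DB},                # web servers talk to the database server
    (LAN, SECURE):   {DB},                # optional LAN access to the database
    (INTERNET, LAN): {SMTP},              # mail server stays on the LAN; SMTP only
}


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    dst_port: int


def is_allowed(flow: Flow) -> bool:
    """True only when an explicit rule covers this zone pair and port."""
    if flow.src_zone == flow.dst_zone:
        return True  # traffic inside one zone never crosses the firewall
    return flow.dst_port in POLICY.get((flow.src_zone, flow.dst_zone), set())


def audit(flows):
    """Evaluate a batch of flows, returning (flow, verdict) pairs."""
    return [(f, "ALLOW" if is_allowed(f) else "DENY") for f in flows]


# Constructed sample: normal traffic plus flows the design is meant to stop.
SAMPLE_FLOWS = [
    Flow(INTERNET, DMZ, HTTP),   # ALLOW: public website
    Flow(DMZ, LAN, 445),         # DENY: a compromised DMZ host reaching the LAN
    Flow(DMZ, SECURE, DB),       # ALLOW: web application to database
    Flow(INTERNET, SECURE, DB),  # DENY: database never exposed to the Internet
    Flow(INTERNET, LAN, HTTP),   # DENY: no HTTP into the mail server
    Flow(INTERNET, LAN, SMTP),   # ALLOW: inbound mail
]

if __name__ == "__main__":
    for flow, verdict in audit(SAMPLE_FLOWS):
        print(f"{verdict:5} {flow.src_zone:>8} -> {flow.dst_zone:<7} port {flow.dst_port}")
```

Any flow not listed in POLICY is denied, which is the property that keeps a compromised DMZ host from reaching the LAN.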
