Help required in n/w architecture

Oct 3, 2003
Hi,

I want to set up a web server (exposed to the internet) for a small company to host the company website. The web server should also be able to connect to the database available in the LAN network to display some data. The design should consider SECURITY with high priority.

I have suggested a Windows server with two NIC cards which will host the web site. One of them will be connected to the internet and the other to the LAN network. This way an intruder will not be able to access the database in the LAN network or get into the LAN network, as routing will be disabled between the two network cards.
Do you foresee any problem in this architecture? Is there any other better way to implement the same?

Your suggestions will be highly appreciated.

Thanks for your time.
Smiles
 
Where is the firewall in your design? Or is there not one at present?

Andy Leates MCSE CCNA MCP+I
 
You will probably receive a better response putting this architecture in the General Security discussion on this forum, but having a computer on the Internet with a Web server, that has unrestricted access to the local network is asking for trouble.

If you consider security even a mild priority, you will put a firewall in place and have the web server in the DMZ, with only ports for the database open into the local network.

Your current architecture allows anyone who breaks into the webserver (which is unfortunately common for all web servers) unlimited (and unmonitored) access to the internal network.


pansophic
 
You should seriously consider the DMZ setup. Say with a firewalling boxen with 2 interface cards.



(the net) -----(firewallbox)-----{lan}
                    |
                    |
                    |
                {DMZ zone}

And if you are going to go with windows, please, PLEASE install the MINIMUM on that boxen, close EVERY SERVICE YOU DON'T NEED and keep the thing patched faster than some of my customers (otherwise they get calls from the nice abusedesk operator that I am about why their servers are doing portscans in Australia...lol).

_____________________________
when someone asks for your username and password, and much *clickely clickely* is happening in the background, know enough that you should be worried.
 
(the net) -----(Win2k Server with min Services )-----{lan}
               (and Apps + Software firewall )
               (+ IIS Web Server )
                          |
                          |
                          |
                      {DMZ zone}

Is it very much necessary to go in for a hardware firewall apart from the software firewall?

Is there any way a hacker can break into the LAN network as the routing will be disabled within the Win2K server?

Smiles
 
Routing doesn't have to be enabled to make it unsafe. If I compromise the Win2k server, I will use it to compromise the internal machines. I can even remote desktop back to the attacking machine. Or turn on routing for that matter. Once the server is compromised, the entire installation is compromised.

It is only very much necessary to use a hardware (actually just separate) firewall if you are interested in securing the configuration. Otherwise, feel free to run a software firewall on the server.

(the net) ----- (Firewall) ----- (LAN)
                    |
                    |
                    |
              Win2k server

In your drawing, what did you intend to put in the DMZ? A DMZ is for Internet facing machines that you wish to protect, but are required to offer services from, e.g., web server, mail server, ftp server, etc. You expect that your DMZ machines will become compromised at some point, and you limit their interaction with the protected network (LAN).


pansophic
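The three-zone design pansophic describes (web server in a DMZ behind a separate firewall, with only the database port allowed into the LAN, and DMZ traffic monitored) written out as a firewall policy. This is an added example, not a configuration from the thread; it assumes a Linux firewall box running nftables, the interface names, subnets and host addresses below, and SQL Server on TCP 1433 as the database port. NAT and the firewall's own input chain are left out.

```nftables
#!/usr/sbin/nft -f
# Added example: three-zone DMZ forwarding policy (assumed layout):
#   eth0 = Internet   eth1 = LAN 192.168.1.0/24   eth2 = DMZ 192.168.2.0/24
#   Web server in the DMZ: 192.168.2.10   Database server in the LAN: 192.168.1.20
#   Database port: TCP 1433 (SQL Server assumed; change for the real database)

flush ruleset

table inet dmz_policy {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Reply traffic for connections that a rule below already permitted.
        ct state established,related accept
        ct state invalid drop

        # Internet -> DMZ: only the web server, only HTTP/HTTPS.
        iifname "eth0" oifname "eth2" ip daddr 192.168.2.10 tcp dport { 80, 443 } accept

        # DMZ -> LAN: only the web server, only to the database host, only the DB port.
        # Nothing else in the DMZ may open a connection into the LAN, so a compromised
        # web server cannot reach file shares, domain controllers or workstations.
        iifname "eth2" oifname "eth1" ip saddr 192.168.2.10 ip daddr 192.168.1.20 tcp dport 1433 accept

        # LAN -> DMZ: administration of the web server from the inside only.
        iifname "eth1" oifname "eth2" ip daddr 192.168.2.10 tcp dport { 22, 3389 } accept

        # LAN -> Internet: ordinary outbound use.
        iifname "eth1" oifname "eth0" accept

        # DMZ -> Internet is deliberately absent: the web server has no reason to
        # open outbound connections. Add DNS or update rules explicitly if needed.

        # Anything else leaving the DMZ is logged before the drop policy discards it,
        # so a compromised DMZ host probing the LAN shows up in the firewall log.
        iifname "eth2" limit rate 10/minute log prefix "DMZ-BLOCKED: "
    }
}
```

Load with `nft -f` and confirm with `nft list ruleset`; the log prefix is what to alert on, since any new connection attempt from the DMZ other than the database flow is unexpected.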
 