Question about putting web servers in a DMZ 3

[scottew]

I have 2 web servers which are currently behind my firewall (Watchguard XTM-505). All websites on these servers have SSL Certs and our users authenticate to applications with their domain credentials. All applications use a SQL database on a separate server. I have Port 443 forwarded to the web servers.

My boss wants me to put any public facing web servers into a DMZ. From what I understand, if I do so, I would then have to open some ports on the firewall for those users to authenticate to one of our DC's. Therefore, I believe, I have a less secure enviroment.

Any comments would be appreciated.

I just want to make sure I'm missing the boat.

Thanks,
Scott

 

[scottew]

I should have said "NOT" missing the boat.

 

[NortonES2]

Build a new DC in a new DMZ allow AD traffic between this and your LAN, then allow the webserver DMZ to access your new DC DMZ for autentication \ DNS etc.

-------------------------------

If it doesn't leak oil it must be empty!!

 

[itsp1965]

Although that would work, I am not keen on deploying domain controllers on the DMZ. I would recommend the following if possible;

Internet User--->FW--->DMZ Web Server--->FW--->AD + SQL

Your internet user would come in via port 80/443. Your Web Server needs to authenticate with AD, I would separate them by a firewall as well.

 

[kmcferrin]

If you put a DC in the DMZ, then you still have to open ports for AD replication and authentication between the DMZ and internal DCs. If you do choose to go that way though, I would make the DMZ DC a read-only DC.

The issue that your boss has identified is that if someone is able to compromise your web server via a security hole, they would essentially have the ability to see and potentially access your entire internal network via any protocol. Security vulnerabilities in web server software are extremely common.

However, by moving the web server to the DMZ then you get an added layer of security. If the web server is compromised then they would only be able to communicate with other DMZ servers (if your DMZ allows that) rather than your entire internal network. If you have to open a couple of ports for AD authentication, then you you do have a potential second method of infiltration. However, they would have to compromise the web server first, then they would only be able to attempt to compromise the DC via authentication requests, which is more difficult.

Your boss has the right idea though. Anything that is directly accessible from an external network should be in a DMZ. If the DMZ relies on other internal resources then you have to decide whether you want to move those resources into the DMZ or leave them where they are, but since they are a secondary resources and are not directly accessed via the web they are more secure than having a web server on your internal network that is directly accessible.

Also, be sure to have your firewall software on your internal systems enabled. A lot of people think that if they have a firewall protecting their Internet connection that they don't need software firewalls on their PCs and servers, and that is not the case. You need defense in depth.

________________________________________
CompTIA A+, Network+, Server+, Security+
MCTS:Windows 7
MCSE:Security 2003
MCITP:Server Administrator
MCITP:Enterprise Administrator
MCITP:Virtualization Administrator 2008 R2
Certified Quest vWorkspace Administrator

 

[scottew]

Thank you for all your comments. You got me on the right track now.

Thanks,
Scott