Web Server DMZ access to LAN


surzycki

IS-IT--Management
Feb 9, 2002
62
FR
Hello all,

I am not sure if I am too off topic here, but I have a web server that is in the DMZ and is in its own workgroup, Web Production. So, should I be able to see this workgroup from inside the LAN? If I can, does this pose any security risk??? I have a systems admin who insists that I can't have access via the LAN to the web prod server; unfortunately this guy has been way off on several other things, so I don't have all that much confidence in him. Is there anyone out there who can verify or contradict what this guy is telling me?


Thanks for any info

Stefan

 
> So, should I be able to see this workgroup from inside the LAN?

A very big NO

> I have a systems admin that insists that I can't have
> access via the LAN

He is correct; the DMZ should have very, very little communication with the LAN (i.e. only port 80, or none).

> Is there anyone out there that can verify or contradict what this guy is telling me

He's correct on this one: if a hacker takes over your IIS server (which isn't overly hard) he could then have complete access to your whole network. The whole point of a DMZ is to stop this occurring.
 
Thanks for the response... How important is the DMZ, say, if you have a proxy server to connect to the internet? Does the DMZ become obsolete, or would it be just another line of defense? I have seen layouts such as this described in books:

        INTERNET
           |
           |
       PROXY SERVER
           |
           |
         ROUTER
        /  |  \
     HUB  HUB  HUB
      |    |    |  \
 SUBNET a  SUBNET b  FTP SERVER  WEB SERVER


In this config, where is the DMZ?? Is this configuration good for books but in practice worth nothing? I am by no means a network engineer, but I am quite curious...

Thanks

Stefan
 
> In this config where is the DMZ??

The DMZ would be at the router connecting to the FTP & web server. The router would be configured not to allow packets from the other subnets to cross into/out of this area.

      NONTRUSTED
          |
          |
        ROUTER
       /   |   \
 TRUSTED  DMZ  TRUSTED

> How important is the DMZ say if you have a proxy server to connect to the internet

Proxy servers can be used to add some protection; it entirely depends on how it's set up. For example, Microsoft used a chain of 3rd-party proxy servers to protect their servers when Blaster was attacking.
A DMZ would still give more security than proxy servers.

> Is this configuration good for books but in practice worth nothing? I am by no means a network engineer but, I am quite curious...

A proxy server has to communicate with the trusted clients to work (assuming it's caching inbound & outbound), so that leaves an open hole for hacking. If somebody hacks the proxy then the network is vulnerable.

If the ROUTER has a good firewall on it which is stateful, the security is pretty good. If you then firewall the proxy server and make sure it's well set up, the security is very good.
A hacker could still manage to get into the proxy server, and probably could get into the web server & FTP site. Still, the network would be safe. (read: safer :))
 
How would a SQL server fit into this??? i.e. a SQL Server inside the LAN and the web server in the DMZ. The router on the DMZ would have to be configured to allow SQL connections through (port ??). Is this correct?

Thanks for your help

Stefan
 
With SQL there are a few schools of thought... there is no perfect solution...

a) Stick it in the DMZ. If you get hacked, your SQL data could be compromised. Issues with viewing/updating the data internally.

b) Stick it in the LAN and create pinholes in the firewall. This allows easy internal access to the SQL server; the network is under threat if the server is compromised.

c) Two DMZs, one with the web server, the other with the SQL server. Hacking into the SQL server is much harder as communication has to go through the firewall, and the hacker won't be able to penetrate into the network. Again, problems with updating the SQL server internally, and a little more complex to set up.

d) Two SQL servers, one in the DMZ, one in the LAN. The DMZ SQL server has a minimal data set, the LAN server has the full data set. Complex replication issues: securing the network and making replication work is tough. Can a SQL server have a minimal data set that is safe to be compromised?


> The router on the DMZ would have to be configured to allow SQL connections through (port ??). Is this correct?

So with option b), yes: port 1443.
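As an added illustration (not code from this thread), here is a small Python model of the default-deny, zone-based ruleset the replies describe: option b) with a single pinhole from the web server to the SQL server, and no path from the LAN into the DMZ workgroup. The addresses are constructed, and the SQL port is assumed to be SQL Server's default TCP port, 1433.

```python
"""Zone-based default-deny policy for the UNTRUSTED / DMZ / LAN layout in the thread."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed example addressing (assumption, not from the thread).
ZONES = {
    "UNTRUSTED": ip_network("0.0.0.0/0"),   # catch-all: anything not in DMZ or LAN
    "DMZ": ip_network("192.0.2.0/24"),
    "LAN": ip_network("10.0.0.0/8"),
}
WEB = "192.0.2.10"   # IIS box in the DMZ
SQL = "10.0.0.20"    # SQL Server in the LAN (option b)
SQL_PORT = 1433      # assumed: MS SQL Server default TCP port


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_host: Optional[str]      # None = any host in dst_zone
    port: int
    src_host: Optional[str] = None  # None = any host in src_zone


# Everything not matched here is dropped. Note there is no LAN -> DMZ rule at all,
# and the only DMZ -> LAN traffic is the single SQL pinhole from the web server.
RULES = [
    Rule("UNTRUSTED", "DMZ", WEB, 80),
    Rule("DMZ", "LAN", SQL, SQL_PORT, src_host=WEB),
]


def zone_of(ip: str) -> str:
    """Most-specific matching zone wins, so 0.0.0.0/0 only catches outsiders."""
    addr = ip_address(ip)
    return max((z for z, n in ZONES.items() if addr in n), key=lambda z: ZONES[z].prefixlen)


def allowed(src: str, dst: str, port: int) -> bool:
    """Stateful model: judge only the first packet of a new TCP connection;
    replies ride on the established state and need no rule of their own."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz == dz:
        return True  # same-zone traffic never crosses the firewall
    return any(
        (r.src_zone, r.dst_zone, r.port) == (sz, dz, port)
        and r.dst_host in (None, dst) and r.src_host in (None, src)
        for r in RULES
    )


def reachable_from(src: str, targets: List[Tuple[str, int]]) -> List[Tuple[str, int]]:
    """Blast radius if `src` is compromised: which (host, port) pairs it can still open."""
    return [(d, p) for d, p in targets if allowed(src, d, p)]
```

`reachable_from(WEB, ...)` is the check worth running against any proposed ruleset: a taken-over web server should reach the SQL pinhole and nothing else in the LAN.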
 
Cheers for the info, I have a much better understanding.

Thanks again

Stefan
 
Hello,

I have another quick question about DMZs and LANs. As for the machine that is on the DMZ, can it be, or should it be, under the NT domain as well???
 