Re: Adding a web server to my network



Robert M. Riches Jr. wrote:
On 2007-06-08, Matthew256 <PRESENT321@xxxxxxxxx> wrote:
Hello,

I have a LAN behind a hardware firewall connecting to the web by DSL.
I am thinking of adding a Linux box to handle my web site.
I would like to keep my LAN safe from hackers, and my web server safe
too.
I would prefer to have the web server have file sharing enabled to my
LAN.
Any ideas on the best way to set this up?

Is your DSL service residential or business? Most
residential DSL services specifically forbid running a
server over the DSL line. There might be risk of having
your service shut down.

It seems one of your main concerns is security of your LAN.
A common configuration mentioned in security courses is to
have two firewalls dividing things up into three regions.
The first region is the external internet. The second
region is called the DMZ, which is where you put your web
server. The third region is your LAN. The first firewall
is between the external internet and the DMZ, and it
protects your web server and your LAN from the bad guys
outside. The second firewall is between the DMZ and your
LAN, and it protects your LAN from the bad guys on the
outside and from the ones that might someday crack your web
server.

Some low-cost residential routers have a setting they _call_
DMZ mode, but that just puts one of the LAN ports on the WAN
side of the firewall, with no protection between the
external internet and the DMZ. There was a thread a while
ago that discussed whether that constituted a true DMZ. As
I recall, the consensus (including, IIRC, Wikipedia) was
that this was _not_ a true DMZ situation--that a true DMZ
required two layers of firewall protection.

HTH

True DMZ or not, it works.

As long as you keep your web server tight it has no real security implications beyond a true DMZ.

The rationale behind the DMZ was that if your server got compromised, your internal network wouldn't be.

However, with a decent firewall, the first won't happen.
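
The three-region layout described in the quoted post, sketched as an nftables ruleset. This is an added example, not part of the thread: it assumes a single Linux router with three interfaces standing in for both firewalls, and the interface names, the web server address and the use of SSH/SFTP for the LAN-to-server file sharing are all assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example; every name and address below is an assumption.
flush ruleset

define WAN = "eth0"           # DSL side
define DMZ = "eth1"           # web server segment
define LAN = "eth2"           # internal LAN
define WEB = 192.168.50.10    # web server in the DMZ

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname "lo" accept
        # The router itself is managed from the LAN only.
        iifname $LAN tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state invalid drop
        ct state established,related accept

        # First firewall: Internet to DMZ, web ports only.
        iifname $WAN oifname $DMZ ip daddr $WEB tcp dport { 80, 443 } accept

        # Second firewall: file access is opened from the LAN side only.
        iifname $LAN oifname $DMZ ip daddr $WEB tcp dport 22 accept
        iifname $LAN oifname $WAN accept

        # The web server may resolve names and fetch updates, nothing else.
        iifname $DMZ oifname $WAN udp dport 53 accept
        iifname $DMZ oifname $WAN tcp dport { 53, 80, 443 } accept

        # A cracked web server gets no new connections into the LAN.
        iifname $DMZ oifname $LAN log prefix "dmz-to-lan " drop
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        iifname $WAN tcp dport { 80, 443 } dnat to $WEB
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname $WAN masquerade
    }
}
```

The ruleset can be syntax-checked with `nft -c -f <file>` before it is loaded; hits on the `dmz-to-lan` log prefix are worth alerting on, since the web server has no legitimate reason to open connections toward the LAN.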


