Re: Web Hosting Firewall Setup
From: Ida (nospam_at_rogers.com)
Date: 06/02/03
- Next message: Maxime Ducharme: "Re: 'destination unreachable' packets from LAN to external DNS - why?"
- Previous message: Kenneth Porter: "Router with outbound access control"
- In reply to: Jim Mc: "Web Hosting Firewall Setup"
- Next in thread: Ric Griffy: "Re: Web Hosting Firewall Setup"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 02 Jun 2003 20:25:34 GMT
Hi Jim,
Here is one network architecture which works for you:
1. Firewall has 3 NICs: one with a private IP address for your private
internal network, one with a private IP address for DMZ, and one connecting
to Internet with several public IP addresses;
2. DB & B/U servers are in the DMZ. Because only http traffic from the Internet is
allowed to pass through the firewall, DB & B/U servers are safe.
Set up rules for web servers so that only http traffic can go to DMZ:
From Internet --> public-IP1, 80/tcp, plugto www-server1
From Internet --> public-IP2, 80/tcp, plugto www-server2
... ...
From Internet --> public-IPn, 80/tcp, plugto www-servern
One of the most secure firewalls is the ITShield firewall
(http://www.itshield.com). Not only can it handle high-volume traffic at the
application gateway level, but it also allows only well-formed http data to
pass through the firewall. There are more wonderful features built into the
ITShield firewall. Go to http://www.itshield.com for details.
Regards,
Ida
"Jim Mc" <jim.mc@zolx.com> wrote in message
news:922ndv8rv1shethc4o7lti0hipf2cb4bcp@4ax.com...
> I've got a small group of public web, email and dns servers (four
> machines) and I'm looking for the best way to setup a multi-interfaced
> firewall to protect them. There are also two additional machines
> setup on a private network - a database server and a server that
> handles nightly backups.
>
> Each of the four public machines has two NICs. One with a routable IP
> address, the other with private, non-routable (RFC1918) IP
> addresses. The database and nightly backup traffic takes place solely
> on the private network. All web sites are very highly database driven
> and moving the database traffic (as well as the backup traffic) off of
> the NIC on the public side removes a lot of congestion from that
> network and makes access to the web sites run much smoother.
>
> I'm trying to decide on the best architecture for a network and
> firewall(s) to protect both the public machines and the private
> machines (especially the database server).
>
> I'm thinking of using a single multi-legged firewall, just for
> management convenience. Do I need three or four interfaces to do this
> right?
>
> 1) Internet side
> 2) Public network (DMZ)
> 3) Private network
>
> or
>
> 1) Internet side
> 2) Public network (DMZ)
> 3) Private side of public servers
> 4) Private network, with DB & B/U servers
>
> Seems that with the first configuration (3 interfaces), the DB and B/U
> servers are in essence in the same zone as the DMZ. That is, if a
> machine in the DMZ gets hacked, the DB server is now very vulnerable.
> With four interfaces, I can control exactly what kind of traffic moves
> from the public servers to the private ones over the private network.
>
> Any thoughts on this?
>
> Thanks.
>
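The two layouts under discussion, modelled as a small zone-based packet filter so the difference can be checked rather than argued. This is an added example, not code from the original post or from either poster; every address (TEST-NET and RFC 1918 ranges), the host roles, the 3306/tcp database port and the 22/tcp backup port are constructed assumptions. The model encodes one fact the thread turns on: two hosts on the same DMZ segment exchange traffic without crossing the firewall, so a rule set like Ida's "only 80/tcp from the Internet, plug to www-server" says nothing about what a compromised web server can do to a DB or backup server sitting on the same wire. Jim's four-interface variant puts the web-to-DB path through a firewall leg, where it can be restricted to the one port the application needs.

```python
"""Zone-based model of the two firewall layouts discussed in this thread.

Added example, not code from the original post. Addresses (TEST-NET ranges
and RFC 1918 space), host roles and the 3306/tcp and 22/tcp ports are
constructed for illustration only.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    src_zone: str                  # zone the packet arrives from
    dst: str                       # destination address as seen on the wire
    dport: int
    proto: str = "tcp"
    dnat_to: Optional[str] = None  # "plug to" target, i.e. DNAT to this host


class Firewall:
    """Each NIC is a zone; default policy is drop; rules are first-match."""

    def __init__(self, zones, own_addrs, rules):
        self.zones = {z: [ip_network(c) for c in nets] for z, nets in zones.items()}
        self.own = {ip_address(a) for a in own_addrs}  # public IPs held by the firewall itself
        self.rules = rules

    def zone_of(self, addr):
        a = ip_address(addr)
        if a in self.own:
            return "firewall"
        for zone, nets in self.zones.items():
            if any(a in n for n in nets):
                return zone
        return "internet"  # not on any local segment, so it arrives on the public NIC

    def evaluate(self, pkt):
        """Return (verdict, effective destination) for one packet."""
        src_zone, dst_zone = self.zone_of(pkt.src), self.zone_of(pkt.dst)
        if src_zone == dst_zone:
            # Same segment: hosts talk through the switch; the firewall is not in the path.
            return ("not-filtered", pkt.dst)
        for r in self.rules:
            if (r.src_zone == src_zone and r.proto == pkt.proto
                    and r.dport == pkt.dport and ip_address(r.dst) == ip_address(pkt.dst)):
                return ("accept", r.dnat_to or pkt.dst)
        return ("drop", pkt.dst)


def three_legged():
    """Ida's layout: web, DB and backup servers share one DMZ segment (constructed addresses)."""
    return Firewall(
        zones={"dmz": ["192.168.10.0/24"], "lan": ["192.168.20.0/24"]},
        own_addrs=["203.0.113.10", "203.0.113.11"],
        rules=[
            Rule("internet", "203.0.113.10", 80, dnat_to="192.168.10.10"),  # plug to www-server1
            Rule("internet", "203.0.113.11", 80, dnat_to="192.168.10.11"),  # plug to www-server2
        ],
    )


def four_legged():
    """Jim's second option: web servers' private NICs on their own leg, DB/backup on a fourth."""
    return Firewall(
        zones={"dmz": ["203.0.113.0/28"],        # public NICs of the web servers
               "srv_priv": ["192.168.10.0/24"],  # private NICs of the web servers
               "db_net": ["192.168.20.0/24"]},   # database (.50) and backup (.51) servers
        own_addrs=["203.0.113.1"],
        rules=[
            Rule("internet", "203.0.113.10", 80),
            Rule("internet", "203.0.113.11", 80),
            Rule("srv_priv", "192.168.20.50", 3306),  # web -> DB only (3306 assumed)
            Rule("db_net", "192.168.10.10", 22),      # backup host -> web servers (22 assumed)
            Rule("db_net", "192.168.10.11", 22),
        ],
    )


if __name__ == "__main__":
    probes = [
        ("Internet -> public-IP1:80", Packet("198.51.100.7", "203.0.113.10", 80)),
        ("Internet -> public-IP1:22", Packet("198.51.100.7", "203.0.113.10", 22)),
        ("www1 -> DB:3306", Packet("192.168.10.10", "192.168.10.50", 3306)),
        ("www1 -> backup:22", Packet("192.168.10.10", "192.168.10.51", 22)),
    ]
    print("three-legged (DB and backup on the DMZ segment):")
    for label, pkt in probes:
        print(f"  {label:28} {three_legged().evaluate(pkt)}")
    print("four-legged (DB and backup behind their own leg):")
    for label, pkt in [probes[0], ("www1 -> DB:3306", Packet("192.168.10.10", "192.168.20.50", 3306)),
                       ("www1 -> backup:22", Packet("192.168.10.10", "192.168.20.51", 22))]:
        print(f"  {label:28} {four_legged().evaluate(pkt)}")
```

In the three-legged run the two "www1 ->" probes come back "not-filtered": the rules are correct as far as the Internet is concerned, but they never see intra-DMZ traffic. In the four-legged run the same web server reaches the DB on 3306/tcp and nothing else on that leg, which is the control Jim asked about.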