Re: Multi vs Single Homed Web Servers - Security and Performance

From: Jeff Cochran (jeff.nospam_at_zina.com)
Date: 07/26/05


Date: Tue, 26 Jul 2005 11:16:17 GMT

On 24 Jul 2005 15:13:56 -0700, "zippo76"
<bgavenda@classifiedventures.com> wrote:

>I have a network architecture/security question on a 30 server
>2K3/IIS6/SQL web site. Our web servers are currently multihomed with
>separate physical cards and 100 or 1GB vlans for internet, sql access,
>and admin/updating. Netbios is turned off on the internet and db
>cards, and the third connection we have to turn on file/print and
>shares for developers updating templates. Our current perimeter
>consists of 1 fw and 1 F5.
>Our networking group has been trying to convince the Windows group to
>move everything to a single GB interface (behind 1 fw, 1 F5, and
>another fw). As an admin of over 10 years, I fear this as I would have
>to use 1 interface for internet (http/https), Data, File Shares,
>connecting to remote shares, browser broadcasts, AD membership (DCs 2
>firewalls away). I'm currently open to new ideas, but 10 years of NT
>experience tells me this is just wrong from a security and from a
>performance aspect.
>If I'm nuts and paranoid, please someone tell me why (please send
>location of docs specific to single homed windows servers). If not,
>please help by directing me to the most conclusive docs on why this is
>wrong. I've gotten many docs on best practices and theories, but
>nothing that really drives either point home.

Things have improved over the last decade, and a single-homed server
is less of a concern with newer operating systems and fewer open
security issues. However, that doesn't make your current setup any
less valid.

From an admin's standpoint, and a network resource standpoint, the
single-homed servers may make sense. From a security standpoint they
can work, but are probably slightly less secure than your current
setup (though my personal opinion would be that either can be
configured securely enough for your concerns).

Performance is likely a toss-up. It's doubtful the internal traffic
is a big enough issue to warrant separate cards.

Now, if you really wanted security you'd dump the NetBIOS and Windows
shares entirely, and use secure FTP to move files to the production
servers. You'd separate the development from the production
environment entirely except for a staging server or servers. The
production systems might be AD for management, but you could drop AD
if you don't need it. At any rate, they would be as isolated as
possible from the internal systems, even to the point of being
expendable if hacked.

Jeff
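The original poster states that NetBIOS is turned off on the internet and database cards and only enabled on the admin/update interface. The script below is an added audit example, not part of the original thread and not something either poster provided; it checks per adapter whether that separation still holds on a modern Windows host. It assumes a host where Get-CimInstance and Get-NetTCPConnection are available, and the adapter-description-to-role table is a constructed placeholder that has to be adjusted to the real adapter names.

```powershell
# Added audit example (not from the original thread). Assumes a modern Windows
# host with CIM and the NetTCPIP module. The role mapping below is a constructed
# placeholder keyed on adapter description; replace it with the real names.
$RoleByAdapter = @{
    'Internet NIC' = 'internet'   # hypothetical adapter description
    'SQL NIC'      = 'sql'        # hypothetical adapter description
    'Admin NIC'    = 'admin'      # hypothetical adapter description
}

function Get-NetbiosAudit {
    # TcpipNetbiosOptions on Win32_NetworkAdapterConfiguration:
    #   0 = take the setting from DHCP, 1 = NetBIOS over TCP/IP enabled, 2 = disabled
    Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            $role = $RoleByAdapter[$_.Description]
            if (-not $role) { $role = 'unknown' }

            $nbState = switch ($_.TcpipNetbiosOptions) {
                1       { 'enabled' }
                2       { 'disabled' }
                default { 'dhcp-default' }
            }

            # Only the admin/update interface is expected to carry NetBIOS;
            # anything else that is not explicitly disabled gets flagged for review.
            $finding = if ($role -ne 'admin' -and $nbState -ne 'disabled') { 'REVIEW' } else { 'ok' }

            [pscustomobject]@{
                Adapter = $_.Description
                Role    = $role
                IP      = ($_.IPAddress -join ',')
                NetBIOS = $nbState
                Finding = $finding
            }
        }
}

function Get-SmbListeners {
    # Direct-hosted SMB listens on TCP 445 independently of the NetBIOS setting.
    # A LocalAddress of 0.0.0.0 means every interface accepts share connections.
    Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue |
        Select-Object LocalAddress, LocalPort, OwningProcess
}

Get-NetbiosAudit | Format-Table -AutoSize
Get-SmbListeners | Format-Table -AutoSize
```

The second function exists because disabling NetBIOS over TCP/IP only removes the 137-139 listeners; the Server service still accepts SMB on TCP 445, normally bound to all addresses. To keep file sharing off the internet and database interfaces, the "File and Printer Sharing for Microsoft Networks" binding has to be unchecked on those adapters or inbound 445 blocked at the host firewall for them, and the listener output is the quick way to confirm which of the two is actually in effect.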


