Re: Securing public IIS server that is part of internal LAN

From: Jeff Cochran (jcochran)
Date: 06/23/02


From: jcochran at naplesgov dot com (Jeff Cochran)
Date: Sun, 23 Jun 2002 12:47:04 GMT


> I have a 4 machine home LAN using DSL with a static IP. I would like
> to use one of the four servers as a webserver using IIS (for ASP). My
> concern in doing this is that the machine I want to use as a web server
> is also part of my private LAN (Workgroup mode). How can I go about
> securing my LAN while allowing outside access to the web server?

By using a firewall that provides a DMZ capability, and configuring
access rules that prevent access from the Internet to your LAN while
allowing only web access from Internet to DMZ.

> I have come across suggestions that describe using the MS NetBEUI
> protocol to bind file and print sharing for the internal network and not
> TCP/IP.

That works as long as your web server never gets compromised. NetBEUI
won't route, so nobody can get to it across your router.

> I have an SMC NAT firewall protecting my LAN so I can control
> what ports are opened. I was intending on using just port 80 via the
> virtual server capability of the SMC.

This will also work. Make sure your security is tight on the web
server, use all the tools available at
http://www.microsoft.com/security/

> Am I on the right track here or should I try something else? Thanks
> for any suggestions!

Several right tracks. Each presents specific problems to be overcome,
but all *can* work.

Jeff
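
The DMZ option and the port-80 virtual-server option compared, as an added example that is not part of the original post: a first-match model of the zone rules described in the reply, checking what the web server can reach from each placement. The addresses, zone names and rule table are constructed assumptions, not the SMC's configuration.

```python
# Added illustration: zones, addresses and rules below are constructed.
from ipaddress import ip_address, ip_network

ZONES = {  # hypothetical addressing plan
    "lan": ip_network("192.168.1.0/24"),
    "dmz": ip_network("192.168.2.0/24"),
}

def zone_of(addr):
    """Map an address to its zone; anything not LAN or DMZ is the Internet."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"

# First match wins. Tuple: (src zone, dst zone, dst port, action);
# None matches anything.
DMZ_POLICY = [
    ("internet", "dmz", 80, "allow"),    # only web access from Internet to DMZ
    ("lan", "dmz", None, "allow"),       # manage the web server from inside
    ("lan", "internet", None, "allow"),  # normal outbound traffic
    (None, None, None, "deny"),          # default deny, including dmz -> lan
]

def firewall_decision(policy, src, dst, port):
    """Return 'allow' or 'deny' for a new connection crossing the firewall."""
    s, d = zone_of(src), zone_of(dst)
    for r_src, r_dst, r_port, action in policy:
        if r_src in (None, s) and r_dst in (None, d) and r_port in (None, port):
            return action
    return "deny"

def reachable(policy, src, dst, port):
    """Hosts in the same zone talk directly; the firewall never sees it."""
    if zone_of(src) == zone_of(dst):
        return True
    return firewall_decision(policy, src, dst, port) == "allow"

if __name__ == "__main__":
    lan_pc = "192.168.1.20"
    for label, web in (("web server in DMZ", "192.168.2.10"),
                       ("web server on LAN (port forward)", "192.168.1.10")):
        print(label, "-> LAN PC file sharing (445):",
              reachable(DMZ_POLICY, web, lan_pc, 445))
```

With the web server on the LAN behind a port-80 forward, the last check comes back reachable because traffic between LAN hosts never crosses the firewall, which is why that option depends on the web server itself staying uncompromised.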