Re: Securing public IIS server that is part of internal LAN

From: Jeff Cochran (jcochran)
Date: 06/23/02

From: jcochran at naplesgov dot com (Jeff Cochran)
Date: Sun, 23 Jun 2002 12:47:04 GMT

> I have a 4 machine home LAN using DSL with a static IP. I would like
>to use one of the four servers as a webserver using IIS (for ASP). My
>concern in doing this is the the machine I want to use as a web server
>is also part of my private LAN (Workgroup mode). How can I go about
>securing my LAN while allowing outside access to the web server?

By using a firewall that provides a DMZ capability, and configuring
access rules that prevent access from the Internet to your LAN whiole
allowing only web access from Internet to DMZ.

> I have come across suggestions that describe using the MS Netbui
>protocol to bind file and print sharing for the internal network and not

That works as long as your web server never gets compromised, NetBEUI
won't route so nobody can get to it across your router.

>I have an SMC NAT firewall protecting my LAN so I can control
>what ports are opened. I was intending on using just port 80 via the
>virtual server capability of the SMC.

This will also work. Make sure your security is tight on the web
server, use all the tools available at

> Am I on the right track here or should I try something else? Thanks
>for any suggestions!

Several right tracks. Each presents specific problems to be overcome,
but all *can* work.