Web Server Security
Results 1 to 5 of 5

Thread: Web Server Security

  1. #1
    Junior Member
    Join Date
    Jan 2006
    Posts
    18

    Web Server Security

    I am under alot of pressure. I really could use some help. I currently have a webserver that was dropped in my lap. I am not a security guru I am wouldn't even call myself good at security. I used to create websites but do to my new profession I have slowly but sure been falling away until I recently came across a few jobs people have asked me to do for them. I am once again back on the horse and although I used to be a poster on this forum over 3 years ago I came back because I know there is alot of wisdom from the people on this board.

    So here it is. I have a server. This server has a database on it that we use as our in house database. It is a SQL database. This database also has a web application that plugs into it. The web app is what concerns me. I am wondering the most effective way to lock this server down to the outside world but still allow for those inhouse to work freely in the SQL program. This servers web app also needs to be available for those on the outside (our customers and sales employees on the road). As of right now the network guy has recently been MIA no body knows where he went to no one has heard from him no-one for two weeks (no he didn't go on vacation). So now I need to be able to get this thing up and running quick but I do not want to leave us exposed and hope for the best. So I am asking if there are any article or any tuts or any sites or personal information you guys would be able to help me with.

    I have been researching and reading and trying to piece it altogether so I am not expecting you all just to drop me that magical answer but I would like some help and knowledge from those in the field and those who learned through experience the best ways.

    Here is the hardware and software break downs.

    Server:
    Windows 2003 R2 Standard Edition
    SQL Server 2005
    **This connects to inhouse pc's for the database**
    Server is IIS 6.0
    **This also connects the outside customers to the web portions of the database**
    2.5 Gig of ram

    Firewall:
    NetGear FVS318 Prosafe VPN Firewall

    If you need any other information let me know. Please Help.
    Done.

  2. #2
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403
    Put the server in the DMZ..

    Pseudo ruleset:
    Allow HTTP(S) from outsite to DMZ.
    Allow HTTP(S) from inside to DMZ
    Allow MSSQL from inside to DMZ

    That should take care of the access. Audit the website for any SQL injection holes..
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  3. #3
    Junior Member
    Join Date
    Jan 2006
    Posts
    18
    So you think that is all that would needed to be done? Should I host the actual website on another server or can I keep it together on one server?
    Done.

  4. #4
    Junior Member
    Join Date
    Jan 2006
    Posts
    18
    I have been doing some reading and wouldn't putting my server in the DMZ zone create a threat. I mean it would no longer be protected by the physical firewall. Is this a correct assumption?
    Done.

  5. #5
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403
    No, the DMZ is between 2 firewalls...

    <Internet>--->[firewall1]---<DMZ>---[firewall2]---<Internal network>

    You could implement a DMZ with just one firewall though..

    Interface1: Internet
    Interface2: DMZ
    Interface3: Internal network

    really bad ascii drawing:
    Code:
    <internet>------>[firewall]-----<internal network>
                          \
                           \---<DMZ>
    Just make sure the rules are correctly setup..
    Oliver's Law:
    Experience is something you don't get until just after you need it.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides