Velocity Reviews > Newsgroups > Computing > NZ Computing > Setting up a webserver

Setting up a webserver

 
 
Ray Greene
 
      08-08-2009
I'm looking for some advice on setting up a public web server.
We'll have a Cisco 877 router with the webserver on its own subnet,
going back through the Cisco through a second NIC on another subnet to
a SQL server sitting on the main network.

The webserver will be running IIS on 2003 Server. The Cisco will also
be providing internet access for the main network.

The connection between the webserver and the SQL server will be locked
down as tightly as possible in the Cisco.

Also there's a possibility that the SQL server and webserver might end
up running on VMware.

I've never done this before but I understand this kind of setup is
fairly standard. Are there any potential security issues to look out
for?

--
Ray Greene
 
 
 
 
 
Lawrence D'Oliveiro
 
      08-08-2009
In message <(E-Mail Removed)>, Ray Greene wrote:

> Are there any potential security issues to look out for?


The usual ones from poorly-written applications: SQL injection, cross-site
scripting, poorly-secured access, that sort of thing.
 
 
 
 
 
Ray Greene
 
      08-08-2009
On Sat, 08 Aug 2009 23:23:10 +1200, Lawrence D'Oliveiro
<(E-Mail Removed)_zealand> wrote:

>In message <(E-Mail Removed)>, Ray Greene wrote:
>
>> Are there any potential security issues to look out for?

>
>The usual ones from poorly-written applications: SQL injection, cross-site
>scripting, poorly-secured access, that sort of thing.


Thanks.

--
Ray Greene
 
 
Enkidu
 
      08-08-2009
Ray Greene wrote:
> I'm looking for some advice on setting up a public web server.
> We'll have a Cisco 877 router with the webserver on its own subnet,
> going back through the Cisco through a second NIC on another subnet to
> a SQL server sitting on the main network.
>
> The webserver will be running IIS on 2003 Server. The Cisco will also
> be providing internet access for the main network.
>
> The connection between the webserver and the SQL server will be locked
> down as tightly as possible in the Cisco.
>
> Also there's a possibility that the SQL server and webserver might end
> up running on VMware.
>
> I've never done this before but I understand this kind of setup is
> fairly standard. Are there any potential security issues to look out
> for?
>

The usual setup is two routers. One connects to the Internet on one side
and the web server and second router on the other through a switch (in
your case this could be the integrated switch). The SQL server and any
other machines will be behind the second router. Incoming Web originated
traffic will be routed directly to the web server by the first router,
and everything else incoming which is web originated will be blocked
(ignoring other services such as mail traffic for simplicity). Outgoing
SQL traffic will be blocked and only incoming SQL traffic from the Web
server will be allowed by the second router. No incoming Web originated
traffic will be allowed through the second router. Any outgoing Web
traffic will be allowed through the second router directly to the
internet router.

What you are essentially proposing is merging the two routers. While
this will work, it is not the optimum. For a few hundred bucks extra for
a second router you could have a much nicer setup.

Cheers,

Cliff

--

The Internet is interesting in that although the nicknames may change,
the same old personalities show through.
 
 
Ray Greene
 
      08-09-2009
On Sun, 09 Aug 2009 11:07:04 +1200, Enkidu <(E-Mail Removed)>
wrote:

>Ray Greene wrote:
>> I'm looking for some advice on setting up a public web server.
>> We'll have a Cisco 877 router with the webserver on its own subnet,
>> going back through the Cisco through a second NIC on another subnet to
>> a SQL server sitting on the main network.
>>
>> The webserver will be running IIS on 2003 Server. The Cisco will also
>> be providing internet access for the main network.
>>
>> The connection between the webserver and the SQL server will be locked
>> down as tightly as possible in the Cisco.
>>
>> Also there's a possibility that the SQL server and webserver might end
>> up running on VMware.
>>
>> I've never done this before but I understand this kind of setup is
>> fairly standard. Are there any potential security issues to look out
>> for?
>>

>The usual setup is two routers. One connects to the Internet on one side
>and the web server and second router on the other through a switch (in
>your case this could be the integrated switch). The SQL server and any
>other machines will be behind the second router. Incoming Web originated
>traffic will be routed directly to the web server by the first router,
>and everything else incoming which is web originated will be blocked
>(ignoring other services such as mail traffic for simplicity). Outgoing
>SQL traffic will be blocked and only incoming SQL traffic from the Web
>server will be allowed by the second router. No incoming Web originated
>traffic will be allowed through the second router. Any outgoing Web
>traffic will be allowed through the second router directly to the
>internet router.
>
>What you are essentially proposing is merging the two routers. While
>this will work, it is not the optimum. For a few hundred bucks extra for
>a second router you could have a much nicer set up.
>

Thanks for the explanation Cliff. It sounds like a nice clean way to
do it.

I've been assured that a single Cisco can do the job safely, but I
suspect that the assurance is based on theory rather than practical
experience.

Any idea of how big the security risk is? I have to explain all this
to the boss and he likes to ask these questions. Plus as always the
budget is $[as little as possible]

--
Ray Greene
 
 
Stephen Worthington
 
      08-09-2009
On Sun, 09 Aug 2009 12:25:06 +1200, Ray Greene <(E-Mail Removed)> wrote:

>On Sun, 09 Aug 2009 11:07:04 +1200, Enkidu <(E-Mail Removed)>
>wrote:
>
>>Ray Greene wrote:
>>> I'm looking for some advice on setting up a public web server.
>>> We'll have a Cisco 877 router with the webserver on its own subnet,
>>> going back through the Cisco through a second NIC on another subnet to
>>> a SQL server sitting on the main network.
>>>
>>> The webserver will be running IIS on 2003 Server. The Cisco will also
>>> be providing internet access for the main network.
>>>
>>> The connection between the webserver and the SQL server will be locked
>>> down as tightly as possible in the Cisco.
>>>
>>> Also there's a possibility that the SQL server and webserver might end
>>> up running on VMware.
>>>
>>> I've never done this before but I understand this kind of setup is
>>> fairly standard. Are there any potential security issues to look out
>>> for?
>>>

>>The usual setup is two routers. One connects to the Internet on one side
>>and the web server and second router on the other through a switch (in
>>your case this could be the integrated switch). The SQL server and any
>>other machines will be behind the second router. Incoming Web originated
>>traffic will be routed directly to the web server by the first router,
>>and everything else incoming which is web originated will be blocked
>>(ignoring other services such as mail traffic for simplicity). Outgoing
>>SQL traffic will be blocked and only incoming SQL traffic from the Web
>>server will be allowed by the second router. No incoming Web originated
>>traffic will be allowed through the second router. Any outgoing Web
>>traffic will be allowed through the second router directly to the
>>internet router.
>>
>>What you are essentially proposing is merging the two routers. While
>>this will work, it is not the optimum. For a few hundred bucks extra for
>>a second router you could have a much nicer set up.
>>

>Thanks for the explanation Cliff. It sounds like a nice clean way to
>do it.
>
>I've been assured that a single Cisco can do the job safely, but I
>suspect that the assurance is based on theory rather than practical
>experience.
>
>Any idea of how big the security risk is? I have to explain all this
>to the boss and he likes to ask these questions. Plus as always the
>budget is $[as little as possible]


It is certainly possible to do it with one router, but if you make a
mistake in the config, then you can get packets going where they
should not. That is less easy to do with two routers. But the new
zone based security config makes it much easier to set up separate
zones and control what is allowed to pass between them. It is only
available for IPv4 so far, but is available in recent IOS 12.4
versions. I have it in the 877 I just got, but have not tried using
it yet (I just mostly copied the setup I had in my old 827).

For what you are doing, I believe you will need the more expensive
Advanced IP Services image, as IIRC, the ordinary Advanced Security
image does not allow you to set up separate Vlans on each of the
ethernet ports to keep their traffic separate. Using all four
ethernet ports as one ethernet switch is obviously not going to work
if you want separate subnets.
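As an added example (not configuration from anyone in this thread), here is how the zone-based firewall Stephen mentions can encode the three-tier policy Cliff describes on a single 877: web traffic from the Internet to the DMZ only, the web server to the SQL server on TCP/1433 only, and the LAN out to the Internet. The interface names, the 192.168.x addresses, the default SQL Server port 1433 and the IOS feature set are all assumptions.

```cisco
! Added example, not from the thread. Assumes IOS 12.4 with ZBF,
! Dialer0 facing the Internet, Vlan1 = LAN, Vlan2 = web server subnet,
! web server 192.168.2.10 and SQL server 192.168.1.20 (made-up addresses).
! Static NAT for the web server's public address is left out.
zone security OUTSIDE
zone security DMZ
zone security INSIDE
!
interface Dialer0
 zone-member security OUTSIDE
interface Vlan1
 zone-member security INSIDE
interface Vlan2
 zone-member security DMZ
!
! OUTSIDE -> DMZ: only HTTP/HTTPS is inspected through; all else is dropped.
class-map type inspect match-any CM-WEB
 match protocol http
 match protocol https
policy-map type inspect PM-OUTSIDE-DMZ
 class type inspect CM-WEB
  inspect
 class class-default
  drop log
zone-pair security ZP-OUTSIDE-DMZ source OUTSIDE destination DMZ
 service-policy type inspect PM-OUTSIDE-DMZ
!
! DMZ -> INSIDE: only the web server, only to the SQL server, only TCP/1433.
ip access-list extended ACL-WEB-TO-SQL
 permit tcp host 192.168.2.10 host 192.168.1.20 eq 1433
class-map type inspect match-all CM-WEB-TO-SQL
 match access-group name ACL-WEB-TO-SQL
 match protocol tcp
policy-map type inspect PM-DMZ-INSIDE
 class type inspect CM-WEB-TO-SQL
  inspect
 class class-default
  drop log
zone-pair security ZP-DMZ-INSIDE source DMZ destination INSIDE
 service-policy type inspect PM-DMZ-INSIDE
!
! INSIDE -> OUTSIDE: LAN users get out; inspection admits the replies.
class-map type inspect match-any CM-LAN-OUT
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect PM-INSIDE-OUTSIDE
 class type inspect CM-LAN-OUT
  inspect
zone-pair security ZP-INSIDE-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PM-INSIDE-OUTSIDE
!
! No zone-pair for OUTSIDE->INSIDE, INSIDE->DMZ or DMZ->OUTSIDE: ZBF drops
! those by default, so SQL can never initiate a session toward the web
! server. Add a DMZ->OUTSIDE pair only if the web server must fetch updates.
```

The zone-pairs that are absent are the deny rules, since ZBF drops traffic between two zones that have no zone-pair. Traffic to the router itself (the self zone) is permitted by default, so management access from the DMZ still needs its own restriction, for example an access-class on the vty lines.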
 
 
Nik Coughlin
 
      08-09-2009
"Ray Greene" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> I'm looking for some advice on setting up a public web server.


...

> The webserver will be running IIS on 2003 Server.


Is there a good reason for going with IIS6/2003 over IIS7/2008? We just
migrated from the former and ugh, would not go back for anything.

 
 
Ray Greene
 
      08-09-2009
On Sun, 09 Aug 2009 13:16:03 +1200, Stephen Worthington
<(E-Mail Removed)34.nz56.remove_numbers> wrote:

>On Sun, 09 Aug 2009 12:25:06 +1200, Ray Greene <(E-Mail Removed)> wrote:
>
>>On Sun, 09 Aug 2009 11:07:04 +1200, Enkidu <(E-Mail Removed)>
>>wrote:
>>
>>>Ray Greene wrote:
>>>> I'm looking for some advice on setting up a public web server.
>>>> We'll have a Cisco 877 router with the webserver on its own subnet,
>>>> going back through the Cisco through a second NIC on another subnet to
>>>> a SQL server sitting on the main network.
>>>>
>>>> The webserver will be running IIS on 2003 Server. The Cisco will also
>>>> be providing internet access for the main network.
>>>>
>>>> The connection between the webserver and the SQL server will be locked
>>>> down as tightly as possible in the Cisco.
>>>>
>>>> Also there's a possibility that the SQL server and webserver might end
>>>> up running on VMware.
>>>>
>>>> I've never done this before but I understand this kind of setup is
>>>> fairly standard. Are there any potential security issues to look out
>>>> for?
>>>>
>>>The usual setup is two routers. One connects to the Internet on one side
>>>and the web server and second router on the other through a switch (in
>>>your case this could be the integrated switch). The SQL server and any
>>>other machines will be behind the second router. Incoming Web originated
>>>traffic will be routed directly to the web server by the first router,
>>>and everything else incoming which is web originated will be blocked
>>>(ignoring other services such as mail traffic for simplicity). Outgoing
>>>SQL traffic will be blocked and only incoming SQL traffic from the Web
>>>server will be allowed by the second router. No incoming Web originated
>>>traffic will be allowed through the second router. Any outgoing Web
>>>traffic will be allowed through the second router directly to the
>>>internet router.
>>>
>>>What you are essentially proposing is merging the two routers. While
>>>this will work, it is not the optimum. For a few hundred bucks extra for
>>>a second router you could have a much nicer set up.
>>>

>>Thanks for the explanation Cliff. It sounds like a nice clean way to
>>do it.
>>
>>I've been assured that a single Cisco can do the job safely, but I
>>suspect that the assurance is based on theory rather than practical
>>experience.
>>
>>Any idea of how big the security risk is? I have to explain all this
>>to the boss and he likes to ask these questions. Plus as always the
>>budget is $[as little as possible]

>
>It is certainly possible to do it with one router, but if you make a
>mistake in the config, then you can get packets going where they
>should not. That is less easy to do with two routers. But the new
>zone based security config makes it much easier to set up separate
>zones and control what is allowed to pass between them. It is only
>available for IPv4 so far, but is available in recent IOS 12.4
>versions. I have it in the 877 I just got, but have not tried using
>it yet (I just mostly copied the setup I had in my old 827).
>
>For what you are doing, I believe you will need the more expensive
>Advanced IP Services image, as IIRC, the ordinary Advanced Security
>image does not allow you to set up separate Vlans on each of the
>ethernet ports to keep their traffic separate. Using all four
>ethernet ports as one ethernet switch is obviously not going to work
>if you want separate subnets.


Thanks for that Stephen. Are security zones a viable alternative to
vlans for this type of application?

--
Ray Greene
 
 
Ray Greene
 
      08-09-2009
On Sun, 9 Aug 2009 13:21:18 +1200, "Nik Coughlin" <(E-Mail Removed)>
wrote:

>"Ray Greene" <(E-Mail Removed)> wrote in message
>news:(E-Mail Removed)...
>> I'm looking for some advice on setting up a public web server.

>
>...
>
>> The webserver will be running IIS on 2003 Server.

>
>Is there a good reason for going with IIS6/2003 over IIS7/2008? We just
>migrated from the former and ugh, would not go back for anything.


Just a matter of using what we're familiar with really. What did you
like most about IIS7 and 2008?

--
Ray Greene
 
 
Enkidu
 
      08-09-2009
Ray Greene wrote:
> On Sun, 09 Aug 2009 11:07:04 +1200, Enkidu <(E-Mail Removed)>
> wrote:
>
>> Ray Greene wrote:
>>> I'm looking for some advice on setting up a public web server.
>>> We'll have a Cisco 877 router with the webserver on its own subnet,
>>> going back through the Cisco through a second NIC on another subnet to
>>> a SQL server sitting on the main network.
>>>
>>> The webserver will be running IIS on 2003 Server. The Cisco will also
>>> be providing internet access for the main network.
>>>
>>> The connection between the webserver and the SQL server will be locked
>>> down as tightly as possible in the Cisco.
>>>
>>> Also there's a possibility that the SQL server and webserver might end
>>> up running on VMware.
>>>
>>> I've never done this before but I understand this kind of setup is
>>> fairly standard. Are there any potential security issues to look out
>>> for?
>>>

>> The usual setup is two routers. One connects to the Internet on one side
>> and the web server and second router on the other through a switch (in
>> your case this could be the integrated switch). The SQL server and any
>> other machines will be behind the second router. Incoming Web originated
>> traffic will be routed directly to the web server by the first router,
>> and everything else incoming which is web originated will be blocked
>> (ignoring other services such as mail traffic for simplicity). Outgoing
>> SQL traffic will be blocked and only incoming SQL traffic from the Web
>> server will be allowed by the second router. No incoming Web originated
>> traffic will be allowed through the second router. Any outgoing Web
>> traffic will be allowed through the second router directly to the
>> internet router.
>>
>> What you are essentially proposing is merging the two routers. While
>> this will work, it is not the optimum. For a few hundred bucks extra for
>> a second router you could have a much nicer set up.
>>

> Thanks for the explanation Cliff. It sounds like a nice clean way to
> do it.
>
> I've been assured that a single Cisco can do the job safely, but I
> suspect that the assurance is based on theory rather than practical
> experience.
>

I don't doubt that the Cisco could do it safely.
>
> Any idea of how big the security risk is? I have to explain all this
> to the boss and he likes to ask these questions. Plus as always the
> budget is $[as little as possible]
>

A small misconfiguration could make your LAN network not as secure as it
might be. Just think, your LAN boxes are connected directly to a device
that connects directly to the Internet. If you use 'private' address
ranges behind the router, that's a help, but if the router is
compromised your LAN is compromised. A misconfiguration of the router
could also make your LAN accessible via a potentially compromised Web
server.

Security is like a castle - first there's the outer walls, then there's
an area where you let people in when times are safe to deliver
provisions and interact with your people, then there's the keep that you
let no one who is not trusted in.

Cheers,

Cliff

--

The Internet is interesting in that although the nicknames may change,
the same old personalities show through.
 