Setting up a webserver

Discussion in 'NZ Computing' started by Ray Greene, Aug 8, 2009.

  1. Ray Greene

    I'm looking for some advice on setting up a public web server.
    We'll have a Cisco 877 router with the webserver on its own subnet,
    going back through the Cisco through a second NIC on another subnet to
    a SQL server sitting on the main network.

    The webserver will be running IIS on 2003 Server. The Cisco will also
    be providing internet access for the main network.

    The connection between the webserver and the SQL server will be locked
    down as tightly as possible in the Cisco.

    Also there's a possibility that the SQL server and webserver might end
    up running on VMware.

    I've never done this before but I understand this kind of setup is
    fairly standard. Are there any potential security issues to look out
    for?

    --
    Ray Greene
     
    Ray Greene, Aug 8, 2009
    #1

  2. In message <>, Ray Greene wrote:

    > Are there any potential security issues to look out for?


    The usual ones from poorly-written applications: SQL injection, cross-site
    scripting, poorly-secured access, that sort of thing.
     
    Lawrence D'Oliveiro, Aug 8, 2009
    #2

  3. Ray Greene

    On Sat, 08 Aug 2009 23:23:10 +1200, Lawrence D'Oliveiro
    <_zealand> wrote:

    >In message <>, Ray Greene wrote:
    >
    >> Are there any potential security issues to look out for?

    >
    >The usual ones from poorly-written applications: SQL injection, cross-site
    >scripting, poorly-secured access, that sort of thing.


    Thanks.

    --
    Ray Greene
     
    Ray Greene, Aug 8, 2009
    #3
  4. Enkidu

    Ray Greene wrote:
    > I'm looking for some advice on setting up a public web server.
    > We'll have a Cisco 877 router with the webserver on its own subnet,
    > going back through the Cisco through a second NIC on another subnet to
    > a SQL server sitting on the main network.
    >
    > The webserver will be running IIS on 2003 Server. The Cisco will also
    > be providing internet access for the main network.
    >
    > The connection between the webserver and the SQL server will be locked
    > down as tightly as possible in the Cisco.
    >
    > Also there's a possibility that the SQL server and webserver might end
    > up running on VMware.
    >
    > I've never done this before but I understand this kind of setup is
    > fairly standard. Are there any potential security issues to look out
    > for?
    >

    The usual setup is two routers. One connects to the Internet on one side
    and the web server and second router on the other through a switch (in
    your case this could be the integrated switch). The SQL server and any
    other machines will be behind the second router. Incoming Web originated
    traffic will be routed directly to the web server by the first router,
    and everything else incoming which is web originated will be blocked
    (ignoring other services such as mail traffic for simplicity). Outgoing
    SQL traffic will be blocked and only incoming SQL traffic from the Web
    server will be allowed by the second router. No incoming Web originated
    traffic will be allowed through the second router. Any outgoing Web
    traffic will be allowed through the second router directly to the
    internet router.

    What you are essentially proposing is merging the two routers. While
    this will work, it is not the optimum. For a few hundred bucks extra for
    a second router you could have a much nicer set up.

    Cheers,

    Cliff

    --

    The Internet is interesting in that although the nicknames may change,
    the same old personalities show through.
     
    Enkidu, Aug 9, 2009
    #4
  5. Ray Greene

    On Sun, 09 Aug 2009 11:07:04 +1200, Enkidu <>
    wrote:

    >Ray Greene wrote:
    >> I'm looking for some advice on setting up a public web server.
    >> We'll have a Cisco 877 router with the webserver on its own subnet,
    >> going back through the Cisco through a second NIC on another subnet to
    >> a SQL server sitting on the main network.
    >>
    >> The webserver will be running IIS on 2003 Server. The Cisco will also
    >> be providing internet access for the main network.
    >>
    >> The connection between the webserver and the SQL server will be locked
    >> down as tightly as possible in the Cisco.
    >>
    >> Also there's a possibility that the SQL server and webserver might end
    >> up running on VMware.
    >>
    >> I've never done this before but I understand this kind of setup is
    >> fairly standard. Are there any potential security issues to look out
    >> for?
    >>

    >The usual setup is two routers. One connects to the Internet on one side
    >and the web server and second router on the other through a switch (in
    >your case this could be the integrated switch). The SQL server and any
    >other machines will be behind the second router. Incoming Web originated
    >traffic will be routed directly to the web server by the first router,
    >and everything else incoming which is web originated will be blocked
    >(ignoring other services such as mail traffic for simplicity) Outgoing
    >SQL traffic will be blocked and only incoming SQL traffic from the Web
    >server will be allowed by the second router. No incoming Web originated
    >traffic will be allowed through the second router. Any outgoing Web
    >traffic will be allowed through the second router directly to the
    >internet router.
    >
    >What you are essentially proposing is merging the two routers. While
    >this will work, it is not the optimum. For a few hundred bucks extra for
    >a second router you could have a much nicer set up.
    >

    Thanks for the explanation Cliff. It sounds like a nice clean way to
    do it.

    I've been assured that a single Cisco can do the job safely, but I
    suspect that the assurance is based on theory rather than practical
    experience.

    Any idea of how big the security risk is? I have to explain all this
    to the boss and he likes to ask these questions. Plus as always the
    budget is $[as little as possible] :)

    --
    Ray Greene
     
    Ray Greene, Aug 9, 2009
    #5
  6. On Sun, 09 Aug 2009 12:25:06 +1200, Ray Greene <> wrote:

    >On Sun, 09 Aug 2009 11:07:04 +1200, Enkidu <>
    >wrote:
    >
    >>Ray Greene wrote:
    >>> I'm looking for some advice on setting up a public web server.
    >>> We'll have a Cisco 877 router with the webserver on its own subnet,
    >>> going back through the Cisco through a second NIC on another subnet to
    >>> a SQL server sitting on the main network.
    >>>
    >>> The webserver will be running IIS on 2003 Server. The Cisco will also
    >>> be providing internet access for the main network.
    >>>
    >>> The connection between the webserver and the SQL server will be locked
    >>> down as tightly as possible in the Cisco.
    >>>
    >>> Also there's a possibility that the SQL server and webserver might end
    >>> up running on VMware.
    >>>
    >>> I've never done this before but I understand this kind of setup is
    >>> fairly standard. Are there any potential security issues to look out
    >>> for?
    >>>

    >>The usual setup is two routers. One connects to the Internet on one side
    >>and the web server and second router on the other through a switch (in
    >>your case this could be the integrated switch). The SQL server and any
    >>other machines will be behind the second router. Incoming Web originated
    >>traffic will be routed directly to the web server by the first router,
    >>and everything else incoming which is web originated will be blocked
    >>(ignoring other services such as mail traffic for simplicity) Outgoing
    >>SQL traffic will be blocked and only incoming SQL traffic from the Web
    >>server will be allowed by the second router. No incoming Web originated
    >>traffic will be allowed through the second router. Any outgoing Web
    >>traffic will be allowed through the second router directly to the
    >>internet router.
    >>
    >>What you are essentially proposing is merging the two routers. While
    >>this will work, it is not the optimum. For a few hundred bucks extra for
    >>a second router you could have a much nicer set up.
    >>

    >Thanks for the explanation Cliff. It sounds like a nice clean way to
    >do it.
    >
    >I've been assured that a single Cisco can do the job safely, but I
    >suspect that the assurance is based on theory rather than practical
    >experience.
    >
    >Any idea of how big the security risk is? I have to explain all this
    >to the boss and he likes to ask these questions. Plus as always the
    >budget is $[as little as possible] :)


    It is certainly possible to do it with one router, but if you make a
    mistake in the config, then you can get packets going where they
    should not. That is less easy to do with two routers. But the new
    zone based security config makes it much easier to set up separate
    zones and control what is allowed to pass between them. It is only
    available for IPv4 so far, but is available in recent IOS 12.4
    versions. I have it in the 877 I just got, but have not tried using
    it yet (I just mostly copied the setup I had in my old 827).

    For what you are doing, I believe you will need the more expensive
    Advanced IP Services image, as IIRC, the ordinary Advanced Security
    image does not allow you to set up separate Vlans on each of the
    ethernet ports to keep their traffic separate. Using all four
    ethernet ports as one ethernet switch is obviously not going to work
    if you want separate subnets.
     
    Stephen Worthington, Aug 9, 2009
    #6
  7. Nik Coughlin

    "Ray Greene" <> wrote in message
    news:...
    > I'm looking for some advice on setting up a public web server.


    ...

    > The webserver will be running IIS on 2003 Server.


    Is there a good reason for going with IIS6/2003 over IIS7/2008? We just
    migrated from the former and ugh, would not go back for anything.
     
    Nik Coughlin, Aug 9, 2009
    #7
  8. Ray Greene

    On Sun, 09 Aug 2009 13:16:03 +1200, Stephen Worthington
    <34.nz56.remove_numbers> wrote:

    >On Sun, 09 Aug 2009 12:25:06 +1200, Ray Greene <> wrote:
    >
    >>On Sun, 09 Aug 2009 11:07:04 +1200, Enkidu <>
    >>wrote:
    >>
    >>>Ray Greene wrote:
    >>>> I'm looking for some advice on setting up a public web server.
    >>>> We'll have a Cisco 877 router with the webserver on its own subnet,
    >>>> going back through the Cisco through a second NIC on another subnet to
    >>>> a SQL server sitting on the main network.
    >>>>
    >>>> The webserver will be running IIS on 2003 Server. The Cisco will also
    >>>> be providing internet access for the main network.
    >>>>
    >>>> The connection between the webserver and the SQL server will be locked
    >>>> down as tightly as possible in the Cisco.
    >>>>
    >>>> Also there's a possibility that the SQL server and webserver might end
    >>>> up running on VMware.
    >>>>
    >>>> I've never done this before but I understand this kind of setup is
    >>>> fairly standard. Are there any potential security issues to look out
    >>>> for?
    >>>>
    >>>The usual setup is two routers. One connects to the Internet on one side
    >>>and the web server and second router on the other through a switch (in
    >>>your case this could be the integrated switch). The SQL server and any
    >>>other machines will be behind the second router. Incoming Web originated
    >>>traffic will be routed directly to the web server by the first router,
    >>>and everything else incoming which is web originated will be blocked
    >>>(ignoring other services such as mail traffic for simplicity) Outgoing
    >>>SQL traffic will be blocked and only incoming SQL traffic from the Web
    >>>server will be allowed by the second router. No incoming Web originated
    >>>traffic will be allowed through the second router. Any outgoing Web
    >>>traffic will be allowed through the second router directly to the
    >>>internet router.
    >>>
    >>>What you are essentially proposing is merging the two routers. While
    >>>this will work, it is not the optimum. For a few hundred bucks extra for
    >>>a second router you could have a much nicer set up.
    >>>

    >>Thanks for the explanation Cliff. It sounds like a nice clean way to
    >>do it.
    >>
    >>I've been assured that a single Cisco can do the job safely, but I
    >>suspect that the assurance is based on theory rather than practical
    >>experience.
    >>
    >>Any idea of how big the security risk is? I have to explain all this
    >>to the boss and he likes to ask these questions. Plus as always the
    >>budget is $[as little as possible] :)

    >
    >It is certainly possible to do it with one router, but if you make a
    >mistake in the config, then you can get packets going where they
    >should not. That is less easy to do with two routers. But the new
    >zone based security config makes it much easier to set up separate
    >zones and control what is allowed to pass between them. It is only
    >available for IPv4 so far, but is available in recent IOS 12.4
    >versions. I have it in the 877 I just got, but have not tried using
    >it yet (I just mostly copied the setup I had in my old 827).
    >
    >For what you are doing, I believe you will need the more expensive
    >Advanced IP Services image, as IIRC, the ordinary Advanced Security
    >image does not allow you to set up separate Vlans on each of the
    >ethernet ports to keep their traffic separate. Using all four
    >ethernet ports as one ethernet switch is obviously not going to work
    >if you want separate subnets.


    Thanks for that Stephen. Are security zones a viable alternative to
    vlans for this type of application?

    --
    Ray Greene
     
    Ray Greene, Aug 9, 2009
    #8
  9. Ray Greene

    On Sun, 9 Aug 2009 13:21:18 +1200, "Nik Coughlin" <>
    wrote:

    >"Ray Greene" <> wrote in message
    >news:...
    >> I'm looking for some advice on setting up a public web server.

    >
    >...
    >
    >> The webserver will be running IIS on 2003 Server.

    >
    >Is there a good reason for going with IIS6/2003 over IIS7/2008? We just
    >migrated from the former and ugh, would not go back for anything.


    Just a matter of using what we're familiar with really. What did you
    like most about IIS7 and 2008?

    --
    Ray Greene
     
    Ray Greene, Aug 9, 2009
    #9
  10. Enkidu

    Ray Greene wrote:
    > On Sun, 09 Aug 2009 11:07:04 +1200, Enkidu <>
    > wrote:
    >
    >> Ray Greene wrote:
    >>> I'm looking for some advice on setting up a public web server.
    >>> We'll have a Cisco 877 router with the webserver on its own subnet,
    >>> going back through the Cisco through a second NIC on another subnet to
    >>> a SQL server sitting on the main network.
    >>>
    >>> The webserver will be running IIS on 2003 Server. The Cisco will also
    >>> be providing internet access for the main network.
    >>>
    >>> The connection between the webserver and the SQL server will be locked
    >>> down as tightly as possible in the Cisco.
    >>>
    >>> Also there's a possibility that the SQL server and webserver might end
    >>> up running on VMware.
    >>>
    >>> I've never done this before but I understand this kind of setup is
    >>> fairly standard. Are there any potential security issues to look out
    >>> for?
    >>>

    >> The usual setup is two routers. One connects to the Internet on one side
    >> and the web server and second router on the other through a switch (in
    >> your case this could be the integrated switch). The SQL server and any
    >> other machines will be behind the second router. Incoming Web originated
    >> traffic will be routed directly to the web server by the first router,
    >> and everything else incoming which is web originated will be blocked
    >> (ignoring other services such as mail traffic for simplicity) Outgoing
    >> SQL traffic will be blocked and only incoming SQL traffic from the Web
    >> server will be allowed by the second router. No incoming Web originated
    >> traffic will be allowed through the second router. Any outgoing Web
    >> traffic will be allowed through the second router directly to the
    >> internet router.
    >>
    >> What you are essentially proposing is merging the two routers. While
    >> this will work, it is not the optimum. For a few hundred bucks extra for
    >> a second router you could have a much nicer set up.
    >>

    > Thanks for the explanation Cliff. It sounds like a nice clean way to
    > do it.
    >
    > I've been assured that a single Cisco can do the job safely, but I
    > suspect that the assurance is based on theory rather than practical
    > experience.
    >

    I don't doubt that the Cisco could do it safely.
    >
    > Any idea of how big the security risk is? I have to explain all this
    > to the boss and he likes to ask these questions. Plus as always the
    > budget is $[as little as possible] :)
    >

    A small misconfiguration could make your LAN network not as secure as it
    might be. Just think, your LAN boxes are connected directly to a device
    that connects directly to the Internet. If you use 'private' address
    ranges behind the router, that's a help, but if the router is
    compromised your LAN is compromised. A misconfiguration of the router
    could also make your LAN accessible via a potentially compromised Web
    server.

    Security is like a castle - first there's the outer walls, then there's
    an area where you let people in when times are safe to deliver
    provisions and interact with your people, then there's the keep that you
    let no one who is not trusted in.

    Cheers,

    Cliff

    --

    The Internet is interesting in that although the nicknames may change,
    the same old personalities show through.
     
    Enkidu, Aug 9, 2009
    #10
  11. Nik Coughlin

    "Ray Greene" <> wrote in message
    news:...
    > On Sun, 9 Aug 2009 13:21:18 +1200, "Nik Coughlin" <>
    > wrote:
    >
    >>"Ray Greene" <> wrote in message
    >>news:...
    >>> I'm looking for some advice on setting up a public web server.

    >>
    >>...
    >>
    >>> The webserver will be running IIS on 2003 Server.

    >>
    >>Is there a good reason for going with IIS6/2003 over IIS7/2008? We just
    >>migrated from the former and ugh, would not go back for anything.

    >
    > Just a matter of using what we're familiar with really. What did you
    > like most about IIS7 and 2008?


    Just a much nicer interface for IIS7 than for 6; it also feels a lot faster.
    We're doing a lot of ASP.NET MVC and it works flawlessly on IIS7, whereas we
    had some issues with it on IIS6. They've taken a lot from Apache: modular,
    you can disable things you don't use or need, XML config instead of using a
    metabase, etc. etc.

    2008 I couldn't care less about (it's nicer as well but nothing particularly
    standout) but IIS7 doesn't run on 2003.
     
    Nik Coughlin, Aug 9, 2009
    #11
  12. Enkidu

    Nik Coughlin wrote:
    >
    > Just a much nicer interface for IIS7 than for 6, also it feels a lot
    > faster. We're doing a lot of ASP.NET MVC and it works flawlessly on
    > IIS7 whereas we had some issues with it on IIS6. They've taken a lot
    > from Apache, modular, you can disable things you don't use or need,
    > XML config instead of using a metabase etc. etc.
    >

    Hands up all those who regularly back up their IIS metabase? Anyone?
    Anyone at all?

    Cheers,

    Cliff

    --

    The Internet is interesting in that although the nicknames may change,
    the same old personalities show through.
     
    Enkidu, Aug 9, 2009
    #12
  13. Dave Doe

    In article <>,
    says...
    > I'm looking for some advice on setting up a public web server.
    > We'll have a Cisco 877 router with the webserver on its own subnet,
    > going back through the Cisco through a second NIC on another subnet to
    > a SQL server sitting on the main network.
    >
    > The webserver will be running IIS on 2003 Server. The Cisco will also
    > be providing internet access for the main network.
    >
    > The connection between the webserver and the SQL server will be locked
    > down as tightly as possible in the Cisco.
    >
    > Also there's a possibility that the SQL server and webserver might end
    > up running on VMware.
    >
    > I've never done this before but I understand this kind of setup is
    > fairly standard. Are there any potential security issues to look out
    > for?


    Given you've provided little information (Windows Server?, IIS?, SQL
    Server?, IIS access how?, code? user access to data?), best guess is
    just some general answers, some of which have been answered already:
    * server in a private address space
    * access to port 80 only on the router/ADSL/firewall and/or 443 (you
    didn't mention that either).
    * webserver rule above a "block all" rule in ISA (didn't mention that
    either)
    * secure database password
    * secure code
    * post your question (with more information! :) in MS SQL Server and IIS
    newsgroups
    * vmware's good (with Hyper V, major updates require a fuken reboot (of
    course! :) - so (depending on your requirements) it's useless)

    --
    Duncan
     
    Dave Doe, Aug 9, 2009
    #13
  14. Dave Doe

    In article <-september.org>,
    says...
    > In article <>,
    > says...
    > > I'm looking for some advice on setting up a public web server.
    > > We'll have a Cisco 877 router with the webserver on its own subnet,
    > > going back through the Cisco through a second NIC on another subnet to
    > > a SQL server sitting on the main network.
    > >
    > > The webserver will be running IIS on 2003 Server. The Cisco will also
    > > be providing internet access for the main network.
    > >
    > > The connection between the webserver and the SQL server will be locked
    > > down as tightly as possible in the Cisco.
    > >
    > > Also there's a possibility that the SQL server and webserver might end
    > > up running on VMware.
    > >
    > > I've never done this before but I understand this kind of setup is
    > > fairly standard. Are there any potential security issues to look out
    > > for?

    >
    > Given you've provided little information (Windows Server?, IIS?, SQL
    > Server?, IIS access how?, code? user access to data?), best guess is
    > just some general answers, some of which have been answered already:
    > * server in a private address space
    > * access to port 80 only on the router/ADSL/firewall and/or 443 (you
    > didn't mention that either).
    > * webserver rule above a "block all" rule in ISA (didn't mention that
    > either)
    > * secure database password
    > * secure code
    > * post your question (with more information! :) in MS SQL Server and IIS
    > newsgroups
    > * vmware's good (with Hyper V, major updates require a fuken reboot (of
    > course! :) - so (depending on your requirements) it's useless)


    * and website in its own app pool in IIS.

    --
    Duncan
     
    Dave Doe, Aug 9, 2009
    #14
  15. Dave Doe

    In article <4a7e5489$>,
    says...
    > Nik Coughlin wrote:
    > >
    > > Just a much nicer interface for IIS7 than for 6, also it feels a lot
    > > faster. We're doing a lot of ASP.NET MVC and it works flawlessly on
    > > IIS7 whereas we had some issues with it on IIS6. They've taken a lot
    > > from Apache, modular, you can disable things you don't use or need,
    > > XML config instead of using a metabase etc. etc.
    > >

    > Hands up all those who regularly back up their IIS metabase? Anyone?
    > Anyone at all?


    <puts hand up>. Who *doesn't* - these (IIS) days.

    --
    Duncan
     
    Dave Doe, Aug 9, 2009
    #15
  16. Enkidu

    Dave Doe wrote:
    > In article <4a7e5489$>,
    > says...
    >> Nik Coughlin wrote:
    >>> Just a much nicer interface for IIS7 than for 6, also it feels a lot
    >>> faster. We're doing a lot of ASP.NET MVC and it works flawlessly on
    >>> IIS7 whereas we had some issues with it on IIS6. They've taken a lot
    >>> from Apache, modular, you can disable things you don't use or need,
    >>> XML config instead of using a metabase etc. etc.
    >>>

    >> Hands up all those who regularly back up their IIS metabase? Anyone?
    >> Anyone at all?

    >
    > <put's hand up>. Who *doesn't* - these (IIS) days.
    >

    All those on overseas $5 hosting plans for a start...

    Cheers,

    Cliff

    --

    The Internet is interesting in that although the nicknames may change,
    the same old personalities show through.
     
    Enkidu, Aug 9, 2009
    #16
  17. On Sun, 09 Aug 2009 13:51:20 +1200, Ray Greene <> wrote:

    >On Sun, 09 Aug 2009 13:16:03 +1200, Stephen Worthington
    ><34.nz56.remove_numbers> wrote:
    >
    >>On Sun, 09 Aug 2009 12:25:06 +1200, Ray Greene <> wrote:
    >>
    >>>On Sun, 09 Aug 2009 11:07:04 +1200, Enkidu <>
    >>>wrote:
    >>>
    >>>>Ray Greene wrote:
    >>>>> I'm looking for some advice on setting up a public web server.
    >>>>> We'll have a Cisco 877 router with the webserver on its own subnet,
    >>>>> going back through the Cisco through a second NIC on another subnet to
    >>>>> a SQL server sitting on the main network.
    >>>>>
    >>>>> The webserver will be running IIS on 2003 Server. The Cisco will also
    >>>>> be providing internet access for the main network.
    >>>>>
    >>>>> The connection between the webserver and the SQL server will be locked
    >>>>> down as tightly as possible in the Cisco.
    >>>>>
    >>>>> Also there's a possibility that the SQL server and webserver might end
    >>>>> up running on VMware.
    >>>>>
    >>>>> I've never done this before but I understand this kind of setup is
    >>>>> fairly standard. Are there any potential security issues to look out
    >>>>> for?
    >>>>>
    >>>>The usual setup is two routers. One connects to the Internet on one side
    >>>>and the web server and second router on the other through a switch (in
    >>>>your case this could be the integrated switch). The SQL server and any
    >>>>other machines will be behind the second router. Incoming Web originated
    >>>>traffic will be routed directly to the web server by the first router,
    >>>>and everything else incoming which is web originated will be blocked
    >>>>(ignoring other services such as mail traffic for simplicity) Outgoing
    >>>>SQL traffic will be blocked and only incoming SQL traffic from the Web
    >>>>server will be allowed by the second router. No incoming Web originated
    >>>>traffic will be allowed through the second router. Any outgoing Web
    >>>>traffic will be allowed through the second router directly to the
    >>>>internet router.
    >>>>
    >>>>What you are essentially proposing is merging the two routers. While
    >>>>this will work, it is not the optimum. For a few hundred bucks extra for
    >>>>a second router you could have a much nicer set up.
    >>>>
    >>>Thanks for the explanation Cliff. It sounds like a nice clean way to
    >>>do it.
    >>>
    >>>I've been assured that a single Cisco can do the job safely, but I
    >>>suspect that the assurance is based on theory rather than practical
    >>>experience.
    >>>
    >>>Any idea of how big the security risk is? I have to explain all this
    >>>to the boss and he likes to ask these questions. Plus as always the
    >>>budget is $[as little as possible] :)

    >>
    >>It is certainly possible to do it with one router, but if you make a
    >>mistake in the config, then you can get packets going where they
    >>should not. That is less easy to do with two routers. But the new
    >>zone based security config makes it much easier to set up separate
    >>zones and control what is allowed to pass between them. It is only
    >>available for IPv4 so far, but is available in recent IOS 12.4
    >>versions. I have it in the 877 I just got, but have not tried using
    >>it yet (I just mostly copied the setup I had in my old 827).
    >>
    >>For what you are doing, I believe you will need the more expensive
    >>Advanced IP Services image, as IIRC, the ordinary Advanced Security
    >>image does not allow you to set up separate Vlans on each of the
    >>ethernet ports to keep their traffic separate. Using all four
    >>ethernet ports as one ethernet switch is obviously not going to work
    >>if you want separate subnets.

    >
    >Thanks for that Stephen. Are security zones a viable alternative to
    >vlans for this type of application?


    They are separate issues. The Vlans I am talking about are not the
    usual ones as you understand them. They are the ones you have to use
    on an 877 to use its ethernet ports. The ethernet ports are set up
    basically as an ethernet switch with all four ports on it. Instead of
    setting up your routing directly on the FastEthernet[0-3] interfaces,
    you have a Vlan1 that automatically exists and is the interface to all
    four ethernet ports. That is apparently all you get in the Advanced
    Security images. In the Advanced IP images, you can make more Vlans
    (up to one per ethernet port) and basically assign each of the
    ethernet ports to one Vlan, and then route individually to each port
    via their respective Vlans. I have my 877 set up with FastEthernet0
    on Vlan1 and the others on Vlan2, and Vlans 1 & 2 have separate IP
    addresses and effectively work as though they were the ethernet ports,
    with Vlan2 having three switched ethernet ports on it:

    ! FastEthernet0 alone on Vlan1; FastEthernet1-3 switched together on Vlan2
    interface FastEthernet0
     switchport access vlan 1
    exit
    interface FastEthernet1
     switchport access vlan 2
    exit
    interface FastEthernet2
     switchport access vlan 2
    exit
    interface FastEthernet3
     switchport access vlan 2
    exit
    !
    ! Each Vlan gets its own address and its own inbound ACL
    interface Vlan1
     ip address 10.0.1.253 255.255.255.0
     ip access-group 102 in
     ip flow ingress
     ip nat inside
     ip virtual-reassembly
    exit
    !
    interface Vlan2
     ip address 10.1.1.253 255.255.255.0
     ip access-group 103 in
    exit

    As well as those special Vlans, you can have the normal sort too.
     
    Stephen Worthington, Aug 9, 2009
    #17
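
    Editor's note: the following is an added example, not configuration posted
    by anyone in this thread. It puts Cliff's three-tier layout (Internet, web
    server, LAN with the SQL server) onto the single 877 using the IOS 12.4
    zone-based policy firewall Stephen mentions, on top of his Vlan1/Vlan2 port
    split, and it also covers Duncan's "port 80 and/or 443 only" and "private
    address space" points. Assumptions not in the thread: Dialer0 is the
    ADSL/WAN interface, the web server is 10.0.1.10 on Vlan1, the SQL server is
    10.1.1.20 on Vlan2 listening on SQL Server's default TCP 1433, and the
    router runs an image with zone-based firewall support. The ip address and
    access-group lines on Vlan1 and Vlan2 are as in Stephen's post and are not
    repeated here.

```cisco
! Added example: three-zone firewall on one Cisco 877 (zone-based policy firewall).
! Assumed: Dialer0 = WAN, web server 10.0.1.10 on Vlan1, SQL Server 10.1.1.20
! on Vlan2 on its default TCP 1433. Addresses and interface names are illustrative.
!
! Traffic between zones with no zone-pair is dropped by default, so the only
! paths that exist are the three defined at the bottom.
zone security OUTSIDE
zone security DMZ
zone security INSIDE
!
interface Dialer0
 ip nat outside
 zone-member security OUTSIDE
interface Vlan1
 description Web server segment (FastEthernet0)
 ip nat inside
 zone-member security DMZ
interface Vlan2
 description Main LAN with SQL Server (FastEthernet1-3)
 ip nat inside
 zone-member security INSIDE
!
! Publish only 80/443 of the web server; the LAN gets ordinary overload NAT.
ip nat inside source static tcp 10.0.1.10 80 interface Dialer0 80
ip nat inside source static tcp 10.0.1.10 443 interface Dialer0 443
ip access-list standard ACL-NAT-LAN
 permit 10.1.1.0 0.0.0.255
ip nat inside source list ACL-NAT-LAN interface Dialer0 overload
!
! Internet -> DMZ: HTTP and HTTPS only
class-map type inspect match-any CM-WEB
 match protocol http
 match protocol https
!
! DMZ -> LAN: TCP 1433 from the web server to the SQL server, nothing else
ip access-list extended ACL-WEB-TO-SQL
 permit tcp host 10.0.1.10 host 10.1.1.20 eq 1433
class-map type inspect match-all CM-WEB-TO-SQL
 match access-group name ACL-WEB-TO-SQL
 match protocol tcp
!
! LAN -> Internet: ordinary browsing and DNS
class-map type inspect match-any CM-LAN-OUT
 match protocol http
 match protocol https
 match protocol dns
!
policy-map type inspect PM-OUTSIDE-DMZ
 class type inspect CM-WEB
  inspect
 class class-default
  drop log
policy-map type inspect PM-DMZ-INSIDE
 class type inspect CM-WEB-TO-SQL
  inspect
 class class-default
  drop log
policy-map type inspect PM-INSIDE-OUTSIDE
 class type inspect CM-LAN-OUT
  inspect
 class class-default
  drop
!
! Replies to inspected sessions are allowed back automatically (stateful).
zone-pair security OUT-DMZ source OUTSIDE destination DMZ
 service-policy type inspect PM-OUTSIDE-DMZ
zone-pair security DMZ-IN source DMZ destination INSIDE
 service-policy type inspect PM-DMZ-INSIDE
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-INSIDE-OUTSIDE
```

    Two things to check before trusting it. First, there is deliberately no
    zone-pair from DMZ to OUTSIDE or from INSIDE to DMZ, so the web server
    cannot fetch updates on its own and LAN admins cannot reach it; when you
    need either, add a zone-pair that permits only that protocol from only
    that host rather than relaxing the existing ones. Second, the "drop log"
    on class-default of the DMZ-to-INSIDE policy is what tells you a
    compromised web server is probing the LAN; watch those log lines. The
    SQL flow itself is still open by design, so the database login the web
    application uses should have only the rights the application needs,
    which is the point behind the "secure database password" and "secure
    code" items earlier in the thread.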
  18. Ray Greene

    On Sun, 09 Aug 2009 18:31:56 +1200, Stephen Worthington
    <34.nz56.remove_numbers> wrote:

    >They are separate issues. The Vlans I am talking about are not the
    >usual ones as you understand them. They are the ones you have to use
    >on an 877 to use its ethernet ports. The ethernet ports are set up
    >basically as an ethernet switch with all four ports on it. Instead of
    >setting up your routing directly on the FastEthernet[0-3] interfaces,
    >you have a Vlan1 that automatically exists and is the interface to all
    >four ethernet ports. That is apparently all you get in the Advanced
    >Security images. In the Advanced IP images, you can make more Vlans
    >(up to one per ethernet port) and basically assign each of the
    >ethernet ports to one Vlan, and then route individually to each port
    >via their respective Vlans. I have my 877 set up with FastEthernet0
    >on Vlan1 and the others on Vlan2, and Vlans 1 & 2 have separate IP
    >addresses and effectively work as though they were the ethernet ports,
    >with Vlan2 having three switched ethernet ports on it:
    >
    >interface FastEthernet0
    > switchport access vlan 1
    > exit
    >interface FastEthernet1
    > switchport access vlan 2
    > exit
    >interface FastEthernet2
    > switchport access vlan 2
    > exit
    >interface FastEthernet3
    > switchport access vlan 2
    > exit
    >!
    >interface Vlan1
    > ip address 10.0.1.253 255.255.255.0
    > ip access-group 102 in
    > ip flow ingress
    > ip nat inside
    > ip virtual-reassembly
    > exit
    >!
    >interface Vlan2
    > ip address 10.1.1.253 255.255.255.0
    > ip access-group 103 in
    > exit
    >
    >As well as those special Vlans, you can have the normal sort too.


    Thanks for the explanation Stephen, that makes it clearer.

    --
    Ray Greene
     
    Ray Greene, Aug 9, 2009
    #18
  19. Ray Greene

    Ray Greene Guest

    On Sun, 09 Aug 2009 15:24:23 +1200, Enkidu <>
    wrote:

    >Ray Greene wrote:
    >> On Sun, 09 Aug 2009 11:07:04 +1200, Enkidu <>
    >> wrote:
    >>
    >>> Ray Greene wrote:
    >>>> I'm looking for some advice on setting up a public web server.
    >>>> We'll have a Cisco 877 router with the webserver on its own subnet,
    >>>> going back through the Cisco through a second NIC on another subnet to
    >>>> a SQL server sitting on the main network.
    >>>>
    >>>> The webserver will be running IIS on 2003 Server. The Cisco will also
    >>>> be providing internet access for the main network.
    >>>>
    >>>> The connection between the webserver and the SQL server will be locked
    >>>> down as tightly as possible in the Cisco.
    >>>>
    >>>> Also there's a possibility that the SQL server and webserver might end
    >>>> up running on VMware.
    >>>>
    >>>> I've never done this before but I understand this kind of setup is
    >>>> fairly standard. Are there any potential security issues to look out
    >>>> for?
    >>>>
    >>> The usual setup is two routers. One connects to the Internet on one side
    >>> and the web server and second router on the other through a switch (in
    >>> your case this could be the integrated switch). The SQL server and any
    >>> other machines will be behind the second router. Incoming Web originated
    >>> traffic will be routed directly to the web server by the first router,
    >>> and everything else incoming which is web originated will be blocked
    >>> (ignoring other services such as mail traffic for simplicity). Outgoing
    >>> SQL traffic will be blocked and only incoming SQL traffic from the Web
    >>> server will be allowed by the second router. No incoming Web originated
    >>> traffic will be allowed through the second router. Any outgoing Web
    >>> traffic will be allowed through the second router directly to the
    >>> internet router.
    >>>
    >>> What you are essentially proposing is merging the two routers. While
    >>> this will work, it is not the optimum. For a few hundred bucks extra for
    >>> a second router you could have a much nicer set up.
    >>>

    >> Thanks for the explanation Cliff. It sounds like a nice clean way to
    >> do it.
    >>
    >> I've been assured that a single Cisco can do this job safely, but I
    >> suspect that the assurance is based on theory rather than practical
    >> experience.
    >>

    >I don't doubt that the Cisco could do it safely.
    >>
    >> Any idea of how big the security risk is? I have to explain all this
    >> to the boss and he likes to ask these questions. Plus as always the
    >> budget is $[as little as possible] :)
    >>

    >A small misconfiguration could make your LAN network not as secure as it
    >might be. Just think, your LAN boxes are connected directly to a device
    >that connects directly to the Internet. If you use 'private' address
    >ranges behind the router, that's a help, but if the router is
    >compromised your LAN is compromised. A misconfiguration of the router
    >could also make your LAN accessible via a potentially compromised Web
    >server.


    Fair enough. If we do go for just one router I'll make sure it's well
    tested before it goes into operation.

    >Security is like a castle - first there's the outer walls, then there's
    >an area where you let people in when times are safe to deliver
    >provisions and interact with your people, then there's the keep that you
    >let no one who is not trusted in.
    >

    Nice analogy, but you could have slipped in a torture chamber and the
    royal harem somewhere :)

    --
    Ray Greene
     
    Ray Greene, Aug 9, 2009
    #19
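Added example, not config from Stephen's post (#17) or Enkidu's reply quoted above: the access lists 102 and 103 that the Vlan interfaces in #17 apply but do not show, written to enforce on the single 877 the separation Enkidu describes (SQL only from the web server, nothing else from the web subnet into the LAN, LAN unable to initiate towards the web subnet). The host addresses, SQL Server's default port 1433 and the rule set are assumptions.

```cisco
! Added example, not Stephen's or Enkidu's config: the ACLs 102 and 103 that the
! Vlan interfaces in the post apply but do not show.
! Constructed addresses: web server 10.1.1.10 on Vlan2, SQL server 10.0.1.20 on Vlan1.
! SQL Server's default port 1433/tcp is assumed.
!
! ACL 103 is applied "in" on Vlan2, so it sees packets arriving FROM the web subnet.
! Only the web server may open SQL to the SQL server; nothing else from the web
! subnet may enter the LAN, which is what contains a compromised web server.
access-list 103 remark --- web subnet -> LAN: SQL from the web server only ---
access-list 103 permit tcp host 10.1.1.10 host 10.0.1.20 eq 1433
access-list 103 deny   ip 10.1.1.0 0.0.0.255 10.0.1.0 0.0.0.255 log
access-list 103 remark --- web subnet -> Internet: only replies to web clients ---
access-list 103 permit tcp host 10.1.1.10 eq www any established
access-list 103 permit tcp host 10.1.1.10 eq 443 any established
access-list 103 remark add DNS/update destinations here explicitly if the server needs them
access-list 103 deny   ip any any log
!
! ACL 102 is applied "in" on Vlan1, so it sees packets arriving FROM the LAN.
! The SQL server may only answer sessions the web server opened ("established"
! matches packets with ACK or RST set, i.e. not a SYN), so it cannot initiate
! anything towards the web subnet. The rest of the LAN keeps Internet access via
! the NAT already configured on Vlan1, but cannot reach the web subnet at all.
access-list 102 remark --- LAN -> web subnet: SQL replies only ---
access-list 102 permit tcp host 10.0.1.20 eq 1433 host 10.1.1.10 established
access-list 102 deny   ip 10.0.1.0 0.0.0.255 10.1.1.0 0.0.0.255 log
access-list 102 remark --- LAN -> everything else (Internet) ---
access-list 102 permit ip 10.0.1.0 0.0.0.255 any
access-list 102 deny   ip any any log
!
! Bind them exactly as in the post. The Internet-facing interface needs its own
! inbound ACL (HTTP/HTTPS to the web server only); that is outside this example.
interface Vlan1
 ip access-group 102 in
 exit
interface Vlan2
 ip access-group 103 in
 exit
!
! "established" is a stateless check on TCP flags, not session tracking; on an
! image with the IOS firewall feature, "ip inspect" gives stateful inspection.
```

The "log" keyword on the deny lines is what lets you see, in the router's log, any attempt by the web subnet to reach the LAN, which is the misconfiguration-or-compromise signal Enkidu warns about.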
  20. Ray Greene

    Ray Greene Guest

    On Sun, 9 Aug 2009 16:20:16 +1200, "Nik Coughlin" <>
    wrote:

    >"Ray Greene" <> wrote in message
    >news:...
    >> On Sun, 9 Aug 2009 13:21:18 +1200, "Nik Coughlin" <>
    >> wrote:
    >>
    >>>"Ray Greene" <> wrote in message
    >>>news:...
    >>>> I'm looking for some advice on setting up a public web server.
    >>>
    >>>...
    >>>
    >>>> The webserver will be running IIS on 2003 Server.
    >>>
    >>>Is there a good reason for going with IIS6/2003 over IIS7/2008? We just
    >>>migrated from the former and ugh, would not go back for anything.

    >>
    >> Just a matter of using what we're familiar with really. What did you
    >> like most about IIS7 and 2008?

    >
    >Just a much nicer interface for IIS7 than for 6, also it feels a lot faster.
    >We're doing a lot of ASP.NET MVC and it works flawlessly on IIS7 whereas we
    >had some issues with it on IIS6. They've taken a lot from Apache, modular,
    >you can disable things you don't use or need, XML config instead of using a
    >metabase etc. etc.
    >
    >2008 I couldn't care less about (it's nicer as well but nothing particularly
    >standout) but IIS7 doesn't run on 2003.


    OK, thanks Nik. I'll mention that to the web developer.

    --
    Ray Greene
     
    Ray Greene, Aug 9, 2009
    #20