Yea... Everything needs to go behind the router/firewall and just close off all ports, except those necessary to use. Having anything but a router with direct connection to the internet isn't a good idea.
-----Original Message-----
From: Chance Ellis [mailto:chance_ellis@;yahoo.com]
Posted At: Thursday, October 31, 2002 6:52 AM
Posted To: Active Server Pages
Conversation: Network Design
Subject: RE: Network Design

In your design, if someone compromised your web server they would have access to your internal network through the database server. Since these servers are not firewalls, they will be advertising well known ports to exploit. This design makes your Firewall totally useless.

This is how your network should look:

Internet Router
      |
     Hub
      |
Proxy/Firewall ------DMZ-----Web Server
      |                          |
      |                         HUB
      |                          |
      |                      DB Server
      |                          |
     Hub-----------IDS Sensor----------
      |
      |
 Internal LAN

At the Firewall, you only allow traffic to tcp ports 80(http) and 443(https) to the web server in the DMZ. You don't allow any originating traffic from the Internet to your LAN. You allow all traffic from your LAN to the Internet, if this is your policy.

Your web server should never have a direct connection to the Internet...

HTH

--- Daniel Field <[EMAIL PROTECTED]> wrote:
> This is what I have:
>
> Internet Router
>      |
>     Hub-------------------Proxy/Firewall
>      |                      |
> Web Server--------          |
>      |           |          |
>     Hub          |          |
>      |           |          |
>  DB Server       |          |
>      |           |          |
>      |           |          |
> Internal Hub----------------
>      |
>      |
> Internal Network
>
> So the Web server and the proxy machine are the only machines with direct Internet connections.
>
> -----Original Message-----
> From: Tore Bostrup [mailto:tbostrup@;telocity.com]
> Sent: Wednesday, October 30, 2002 23:22
> To: ActiveServerPages
> Subject: Re: Network Design
>
> I'm wondering where he'll put it in order to secure the network. I'm not an expert in configuring DMZ's etc., but this configuration sounds like it contains a number of back doors.
>
> (Copy the below and paste into Notepad with a proportional font such as Courier New):
>
> Internet
>   |
>   +---Web Server---------+
>   |      |               |
>   |      +---DB Server---LAN
>   |                      |
>   +---Proxy (Firewall?)--+
>
> Regards,
> Tore.
>
> ----- Original Message -----
> From: "Van den Bossche Eric" <[EMAIL PROTECTED]>
> To: "ActiveServerPages" <[EMAIL PROTECTED]>
> Sent: Wednesday, October 30, 2002 12:05 PM
> Subject: RE: Network Design
>
> > I guess it is time to put a decent firewall in place !!!!!!
> >
> > Eric - IT Manager
> >
> > -----Original Message-----
> > From: Daniel Field [mailto:daniel@;worldof.net]
> > Sent: Wednesday, 30 October, 2002 17:25
> > To: ActiveServerPages
> > Subject: RE: Network Design
> >
> > It's through a secured second network card for the internal network.
> >
> > At the moment the DB server is only connected to the web server via a secured LAN (The web server has 3 NICs and sits on 3 networks... live internet, secured DB, and internal LAN).
> >
> > Was just thinking I could merge the secured DB LAN with the secured internal LAN. Think I will leave it as is!
> >
> > -----Original Message-----
> > From: Tore Bostrup [mailto:tbostrup@;telocity.com]
> > Sent: Wednesday, October 30, 2002 16:20
> > To: ActiveServerPages
> > Subject: Re: Network Design
> >
> > You are brave(?) to allow access to your internal production DB as well as your entire local area network through the web server...
> >
> > Besides that, of course all those using the same DB server will compete for the same resources (the database, CPU, memory, disk, etc.) on the server.
> >
> > HTH,
> > Tore.
> >
> > ----- Original Message -----
> > From: "Daniel Field" <[EMAIL PROTECTED]>
> > To: "ActiveServerPages" <[EMAIL PROTECTED]>
> > Sent: Wednesday, October 30, 2002 8:48 AM
> > Subject: OT: Network Design
> >
> > > If I have the following:
> > >
> > > Live Internet Network:
> > >
> > > Web Server (Also connected to Internal LAN via second network card for DB Access)
> > > Proxy Server (Connected to Internal LAN)
> > >
> > > Internal LAN:
> > > DBServer
> > > My Desktop Machines
> > >
> > > Will my desktop machines cause problems for the web server connecting to the DB server? I.E will it slow the connection down?
> > >
> > > Dan
> > >
> > > _____________________________________________________________________
> > > This e-mail has been scanned for viruses by the WorldCom Internet Managed Scanning Service - powered by MessageLabs. For further information visit http://www.worldcom.com
> > >
> > > ---
> > > You are currently subscribed to activeserverpages as: [EMAIL PROTECTED]
> > > To unsubscribe send a blank email to %%email.unsub%%
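The firewall policy stated in Chance Ellis's message above (tcp 80 and 443 to the web server in the DMZ, nothing originating from the Internet to the LAN, LAN to Internet open), written out as a first-match rule table with an audit that probes it. This is an added example, not part of the original thread. Zone names, host names, the probe ports and the leaky rule are constructed for illustration, and only connection-opening packets are modelled (replies to allowed connections are assumed to be handled by stateful tracking).

```python
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    src: str                     # zone the connection originates in
    dst: str                     # zone it is addressed to
    host: Optional[str]          # destination host, None = any host in dst
    ports: Optional[frozenset]   # TCP destination ports, None = any port
    action: str                  # "allow" or "deny"

def decide(rules, src, dst, host, port):
    """First matching rule wins; a connection no rule matches is denied."""
    for r in rules:
        if (r.src, r.dst) == (src, dst) and r.host in (None, host) \
                and (r.ports is None or port in r.ports):
            return r.action
    return "deny"

# The policy as stated in the message. Zone and host names are labels
# chosen for this example, not names from the thread.
DMZ_POLICY = [
    Rule("internet", "dmz", "web", frozenset({80, 443}), "allow"),
    Rule("lan", "internet", None, None, "allow"),
]

# Constructed bad ruleset: one later "convenience" rule reopens the LAN.
LEAKY_POLICY = DMZ_POLICY + [
    Rule("internet", "lan", "desktop", frozenset({3389}), "allow"),
]

# One probe per sentence of the policy: (src, dst, host, port, expected).
PROBES = [
    ("internet", "dmz", "web", 80, "allow"),
    ("internet", "dmz", "web", 443, "allow"),
    ("internet", "dmz", "web", 1433, "deny"),   # web server: 80/443 only
    ("internet", "dmz", "db", 443, "deny"),     # and only the web server
    ("lan", "internet", "anyhost", 25, "allow"),
]

def audit(rules, lan_hosts=("desktop",)):
    """Return every probe the ruleset fails, including any TCP port that an
    Internet-originated connection can reach on a LAN host."""
    failed = [p for p in PROBES if decide(rules, *p[:4]) != p[4]]
    for host in lan_hosts:
        failed += [("internet", "lan", host, port, "deny")
                   for port in range(1, 65536)
                   if decide(rules, "internet", "lan", host, port) != "deny"]
    return failed

if __name__ == "__main__":
    for name, rules in (("DMZ_POLICY", DMZ_POLICY), ("LEAKY_POLICY", LEAKY_POLICY)):
        print(name, audit(rules) or "matches the stated policy")
```

Because unmatched connections fall through to deny, the DMZ host gets no path to the LAN unless a rule is added for it.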
