I have a situation where a web server needs to be accessible from the web, with little/no setup on the client side. No big deal, but here's the rub: The server in question is a W2K server running IIS, and just happens to run a mission-critical web app (it's this app that needs to be accessible to remote employees). Of course, I'm concerned about hack attempts...
My first thought is to implement a VPN solution. This will suffice for some of the employees, but not all - we can't manage/dictate the remote configuration in all cases. So while a VPN will help, it's not the final solution (or so I think at this time).
Next I thought of setting up an Apache server acting as a proxy to the IIS server, and intercepting known script kiddie hack attempts with a 404. But I'm wondering if this is overkill.
The server in question has all the latest patches (and is kept up to date), and sits behind an IPCop firewall. I don't feel overly comfortable directing port 80 traffic right to the server, but maybe I'm being too paranoid (well, they would lose tens of thousands of dollars a day if the app is down for more than a few minutes - so maybe I'm not being paranoid enough?).
What is the intended audience for the web server? Is it the general public, employees, or customers/partners? The answer will help point you in the right direction.
If it is employees only, then some sort of reverse proxy with htaccess controls and SSL might be all you need. VPN would be overkill if all they need is ports 80/443.
If the audience is customers or partners, the above would still work, or a VPN to a firewall that only lets 80 through from there would work.
vpn client | Internet | vpn gateway -> firewall -> dmz with IIS -> firewall <-> internal lan
The first firewall above would only allow port 80 through to the DMZ for VPN clients that have already made it through the VPN gateway and onto the VPN subnet.
Depends how much you trust your users. You should think about firewalling them from their own servers, exposing just the services they need to see (minimizes the chance of a worm coming into your servers via an infected notebook brought into the office).
Since you are mentioning tens of thousands of lost dollars a day if the system were to be compromised, I don't think they should even blink twice at a comprehensive multi-layered defence.
You do have errors and omissions insurance, don't you? I wouldn't want to touch this sort of thing without a written contract limiting liability to just the consulting fees involved AND also having insurance in place.
-- [EMAIL PROTECTED] Cyberdex Systems Consulting Corp. (403) 607-4925
_______________________________________________ clug-talk mailing list [email protected] http://clug.ca/mailman/listinfo/clug-talk_clug.ca Mailing List Guidelines (http://clug.ca/ml_guidelines.php) **Please remove these lines when replying
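As an added illustration of the "reverse proxy with htaccess controls and SSL" suggestion above (example configuration written for this thread, not from either poster): an Apache 2.4 virtual host that terminates TLS, demands a valid account before any request reaches IIS, and forwards only the application path. The hostname, certificate paths, password file and the back-end address 10.0.1.20 are assumptions.

```apache
# Example only: Apache httpd 2.4 as an authenticating TLS reverse proxy in
# front of the IIS host. Hostnames, file paths and 10.0.1.20 are assumptions.
# Modules assumed loaded: mod_ssl, mod_proxy, mod_proxy_http, mod_auth_basic,
# mod_authn_file, mod_authz_core, mod_authz_user, mod_alias.

# Plain HTTP never serves the app; every request is sent to HTTPS.
<VirtualHost *:80>
    ServerName app.example.com
    Redirect permanent / https://app.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName app.example.com

    SSLEngine on
    SSLProtocol -all +TLSv1.2
    SSLCertificateFile    /etc/httpd/ssl/app.example.com.crt
    SSLCertificateKeyFile /etc/httpd/ssl/app.example.com.key

    # Reverse proxy only: never behave as an open forward proxy.
    ProxyRequests Off
    ProxyPreserveHost On

    # Default for the whole vhost: nothing is served. Script-kiddie probes for
    # other IIS paths are refused here and never reach the back end.
    <Location />
        Require all denied
    </Location>

    # The application path: a valid account is required before the request is
    # forwarded. The password file is maintained with htpasswd(1).
    <Location /app/>
        AuthType Basic
        AuthName "Remote employees"
        AuthUserFile /etc/httpd/remote-users.htpasswd
        Require valid-user
    </Location>

    # Only /app/ is forwarded to IIS in the DMZ. This leg is plain HTTP, so
    # the DMZ segment is assumed to be isolated from the rest of the network.
    ProxyPass        /app/ http://10.0.1.20/app/
    ProxyPassReverse /app/ http://10.0.1.20/app/
</VirtualHost>
```

With this in place the IPCop firewall only needs to pass 443 to the Apache host, and the IIS server is reachable solely from that host on port 80.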

