Additionally, since you have a SQL backend, you have to look at the redundancy there.

When thinking redundancy, you have to think all the way down the line: Internet, firewalls, routers, switches, etc. You may already have that or not, but take it into consideration.

From: Ziots, Edward [mailto:[EMAIL PROTECTED]
Sent: Friday, June 06, 2008 6:51 AM
To: NT System Admin Issues
Subject: RE: Web Server Spec Question...

Load Balancing in Win2k3 works, but it is not going to be too much more scalable beyond 10 machines. I would definitely look at a hardware-based load balancing solution you can grow with in the future; like I said before, F5 is one of the big ones, and works pretty well, a lot more configurable than Windows Load Balancing ever will be.

I wouldn't have it talking to a SQL server internal to the network. If the web server gets hacked, the first thing I am doing after 0wning the box is reviewing your web-application code looking for the database backend. With the web server being trusted, that gives me a clear shot to get access through your firewall to an internal system, or to use the compromised host to mine your internal company data and then make off with it without you even knowing it, because the queries to the database are coming from what you believe is a trusted host, but it's been compromised. You might want to look into something like Tripwire for the DMZ hosts or a HIDS agent (Cisco CSA, etc.) for additional protection.

You can also do this remotely, with SQL injection into poorly coded scripts by developers that don't sanitize input. Look at the following websites:

http://portal.spidynamics.com/blogs/msutton/archive/2006/09/26/How-Prevalent-Are-SQL-Injection-Vulnerabilities_3F00_.aspx
http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/
http://weblogs.asp.net/scottgu/archive/2006/09/30/Tip_2F00_Trick_3A00_-Guard-Against-SQL-Injection-Attacks.aspx
http://www.owasp.org/index.php/Top_10_2007-A2#Protection

Z
Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE, MCSA, MCP, Security+, Network+, CCA
Phone: 401-639-3505

-----Original Message-----
From: Chyka, Robert [mailto:[EMAIL PROTECTED]
Sent: Friday, June 06, 2008 9:40 AM
To: NT System Admin Issues
Subject: RE: Web Server Spec Question...

Good info, thanks Edward. Putting it into a DMZ is no issue, but what if we have to talk to a SQL server that is on our internal network? Thanks for your great info.

How well does 2003 load balancing work? And should we be looking at 2008 for the OS now?

thanks

_____
From: Ziots, Edward [mailto:[EMAIL PROTECTED]
Sent: Friday, June 06, 2008 9:00 AM
To: NT System Admin Issues
Subject: RE: Web Server Spec Question...

I would look into putting load balancing into effect, so I would look at either Windows 2003 load balancing or, better yet, looking at F5 GTM/LTM and creating VIPs for the physical web servers, so you can take them offline without affecting the entire site (basically taking a physical IP out from being answered by the VIP, doing your maintenance, and then putting it back in).

Content: RAID 5 or RAID 1, but have it on a partition different from the OS. Also make sure that you have an Application Pool with an account that can only access its content. So: directory with Content for Site 1, Application Pool with Process Identity 1, which only has NTFS permissions to the directory with Content for Site 1, no others (explicitly deny it). (Do the same to isolate all the web sites.)

Add URLScan and configure it accordingly to block malicious URL sequences, and look into an application-layer firewall which specifically looks at and monitors web traffic, so as to stop a lot of hacking attempts trying to pipe within SSL traffic or obfuscated sequences.

Use web hacking tools like W3AF from SourceForge, Nikto, and Wfetch to test for SQL injection, web application CSS, and other flaws; use Metasploit, Canvas or Core Impact to pound on the OS from a cracking perspective.

This is only the beginning, and keep that stuff on a DMZ that is totally isolated and doesn't talk internally to the organization.

Z
Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE, MCSA, MCP, Security+, Network+, CCA
Phone: 401-639-3505

-----Original Message-----
From: Chyka, Robert [mailto:[EMAIL PROTECTED]
Sent: Friday, June 06, 2008 8:42 AM
To: NT System Admin Issues
Subject: Web Server Spec Question...

We currently have our web site hosted off site on a partner's network. We are now bringing it to our site for hosting. We have to buy a web server etc.; it is going to run under IIS and needs 99.999% uptime. Would you cluster the server, just rely on redundant power, RAID on the HDs etc., or ???. Also, is it best to have the content be on a RAID 1 disk set? Just looking for some opinions etc.

Thanks..Bob
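As an added illustration of Edward's point about "poorly coded scripts that don't sanitize input" (example code written for this page, not from anyone in the thread; it uses an in-memory SQLite table with constructed rows in place of the internal SQL Server backend discussed), here is the concatenated-query lookup beside its parameterized replacement, so the difference in what each returns for the same input can be checked directly:

```python
import sqlite3

# Constructed sample rows standing in for the internal database the thread discusses.
SAMPLE_USERS = [("bob", "webteam"), ("edward", "netops"), ("svc_site1", "apppool")]


def make_db():
    """Build a throwaway in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, dept TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, name):
    """The 'poorly coded script' case: request input is pasted into the SQL text,
    so quote characters in the input become SQL syntax instead of data."""
    sql = "SELECT name, dept FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Hardened form: the value is bound as a parameter by the driver, so it can
    only ever be compared as a string, whatever characters it contains."""
    return conn.execute("SELECT name, dept FROM users WHERE name = ?", (name,)).fetchall()


def compare(name):
    """Run both lookups on a fresh table and return (vulnerable_rows, safe_rows)."""
    conn = make_db()
    try:
        return lookup_vulnerable(conn, name), lookup_parameterized(conn, name)
    finally:
        conn.close()
```

For an ordinary username both functions return the same single row; for an input containing a quote the concatenated query's WHERE clause is rewritten and every row comes back, while the parameterized query simply finds no user with that literal name.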
