Webserver in DMZ?

on 28.01.2008 23:35:35 by tina

At my old company we used to put the IIS web server, containing our asp and
asp.net websites, in the DMZ and the database on a machine that was behind
the firewall. In this scenario we knew we would be risking exposure of
everything on the webserver.

Is this still the preferred way to set up a webserver and database server?
Someone was telling me that the webserver should be behind the firewall but
there is so much software using various ports that this seems impractical.

What is best practice today? Is there some material available on this?

I know I should be posting this in the aspnet.security forum but it's dark
and dusty over there.
Thanks,
T

Re: Webserver in DMZ?

on 28.01.2008 23:43:34 by sloan

"Best" depends on how far you want to go.

A webserver...which talks to WCF Services...would be one of the more safe
ways to handle the setup. (one opinion among many mind you)

Check channel9 for 2 videos by Greg Leake.

He goes over this scenario. The webserver talks through WCF to service(s),
and the services deal with the BAL and eventually the db access.

...

You need to list out your goals. There isn't one cure-all solution.

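The tiered layout described in the reply above (web server in the DMZ, a service tier behind it, database behind the firewall), written as a default-deny flow policy and checked against a constructed rule list. This is an added example, not part of any post in the thread; the zone names, the port numbers (808 for a WCF net.tcp endpoint, 1433 for the database) and the sample rules are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Approved flows for the tiered layout: (source zone, destination zone, TCP port).
# Zone names and port numbers are assumptions made for this example.
APPROVED = {
    ("internet", "dmz_web", 80),
    ("internet", "dmz_web", 443),
    ("dmz_web", "service_tier", 808),     # web server -> WCF service
    ("service_tier", "database", 1433),   # service -> database
}

@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    port: Optional[int]  # None = any port
    action: str          # "allow" or "deny"

def audit(rules):
    """Return (rule, reason) for every allow rule wider than APPROVED."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        if r.port is None:
            findings.append((r, "any-port allow between zones"))
        elif (r.src, r.dst, r.port) not in APPROVED:
            direct_db = r.dst == "database" and r.src != "service_tier"
            findings.append((r, "database exposed outside service tier"
                             if direct_db else "flow not approved"))
    return findings

def reachable_from(rules, zone):
    """Destinations a host in `zone` may open connections to (allow rules only)."""
    return {(r.dst, r.port) for r in rules if r.action == "allow" and r.src == zone}

# Constructed rule set: the last two rules are the kind of drift an audit catches.
SAMPLE_RULES = [
    Rule("internet", "dmz_web", 443, "allow"),
    Rule("dmz_web", "service_tier", 808, "allow"),
    Rule("service_tier", "database", 1433, "allow"),
    Rule("dmz_web", "database", 1433, "allow"),      # web server talks to DB directly
    Rule("dmz_web", "internal_lan", None, "allow"),  # any port into the LAN
]

if __name__ == "__main__":
    for rule, reason in audit(SAMPLE_RULES):
        print(f"{rule.src} -> {rule.dst}:{rule.port}  {reason}")
    print(sorted(reachable_from(SAMPLE_RULES, "dmz_web"), key=str))
```

`reachable_from(rules, "dmz_web")` lists what the web server can open connections to, which is the exposure to review if that host is the one placed in the DMZ.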
Re: Webserver in DMZ?

on 29.01.2008 00:40:06 by rosoft

Hi

Let's say that your client needs to connect via ftp in a passive mode. Then
you have problems for the ftp server. I have no Windows Server experience of
this but the Linux Server that I maintained needed to be in a passive mode
since the server told the client what port to connect to. We were using
Linux and the vsftpd server that comes with Linux (Fedora 5). What you
shouldn't do on a server that is connected to a DMZ is to have an SMTP server
running. In no way use an SMTP server for a DMZ connection. You could use
a router with DMZ on and then install some firewall software where you tell
which programs can access all ports or receive connections on all ports.
I think Norton Antifirewall can do this. At least on a PC, don't know how it
is for a Windows Server.

Lars

Re: Webserver in DMZ?

on 29.01.2008 01:38:42 by rosoft

Correction in CAPITALIZED below

Sorry, just a typing error

Lars

"rosoft" wrote in message
news:qJtnj.3247$R_4.2322@newsb.telia.net...
> Hi
>
> Let's say that your client needs to connect via ftp in a passive mode.
> Then you have problems for the ftp server. I have no Windows Server
> experience of this but the Linux Server that I maintained needed to be in an
> ACTIVE (not passive) mode since the server told the client what port to
> connect to. We were using Linux and the vsftpd server that comes with
> Linux (Fedora 5). What you shouldn't do on a server that is connected to a
> DMZ is to have an SMTP server running. In no way use an SMTP server for a
> DMZ connection. You could use a router with DMZ on and then install some
> firewall software where you tell which programs can access all ports
> or receive connections on all ports. I think Norton Antifirewall can do
> this. At least on a PC, don't know how it is for a Windows Server.
>
> Lars