Webserver in DMZ?

Discussion in 'ASP .Net' started by Tina, Jan 28, 2008.

  1. Tina

    Tina Guest

    At my old company we used to put the IIS web server, containing our asp and
    asp.net websites, in the DMZ and the database on a machine that was behind
    the firewall. In this scenario we knew we would be risking exposure of
    everything on the webserver.

    Is this still the prefered way to setup a webserver and database server?
    Someone was telling me that the webserver should be behind the firewall but
    there is so much software using various ports that this seems impractical.

    What is best practice today? Is there some material available on this?

    I know I should be posting this in the aspnet.security forum but it's dark
    and dusty over there.
    Thanks,
    T
    Tina, Jan 28, 2008
    #1
    1. Advertising

  2. Tina

    sloan Guest

    "Best" depends on how far you want to go.

    A webserver...which talks to WCF Services...would be one of the more safe
    ways to handle the setup. (one opinion among many mind you)

    Check
    channel9
    for 2 videos by Greg Leake.

    He goes over this scenario. The webserver talks through WCF to service(s),
    and the services deal with the BAL and eventually the db access.

    ...

    You need to list out your goals. There isn't one cure-all solution.




    "Tina" <> wrote in message
    news:...
    > At my old company we used to put the IIS web server, containing our asp
    > and asp.net websites, in the DMZ and the database on a machine that was
    > behind the firewall. In this scenario we knew we would be risking
    > exposure of everything on the webserver.
    >
    > Is this still the prefered way to setup a webserver and database server?
    > Someone was telling me that the webserver should be behind the firewall
    > but there is so much software using various ports that this seems
    > impractical.
    >
    > What is best practice today? Is there some material available on this?
    >
    > I know I should be posting this in the aspnet.security forum but it's dark
    > and dusty over there.
    > Thanks,
    > T
    >
    sloan, Jan 28, 2008
    #2
    1. Advertising

  3. Tina

    rosoft Guest

    Hi

    Let's say that your client need to connect via ftp in an passive mode. Then
    you have problems for the ftp server. I have no Windows Server experiens of
    this but the Linux Server that I maintained needed to be in a passive mode
    since the server told the client what port to connet to. We where using
    Linux and the vsftpd server that comes with Linux (Fedora 5). What you
    shouldn't do on a server that is connected to a DMZ is to hae a SMTP server
    running. In now way use an SMTP server on for DMZ connection. You could use
    a router with DMZ on and the install some firewall software where you tell
    which program that can access all ports or receive connections on all ports.
    I think Norton Antifirewall can do this. At least on a PC, don't know how it
    is for a Windows Server.

    Lars


    "sloan" <> skrev i meddelandet
    news:uZw$...
    >
    > "Best" depends on how far you want to go.
    >
    > A webserver...which talks to WCF Services...would be one of the more safe
    > ways to handle the setup. (one opinion among many mind you)
    >
    > Check
    > channel9
    > for 2 videos by Greg Leake.
    >
    > He goes over this scenario. The webserver talks through WCF to
    > service(s), and the services deal with the BAL and eventually the db
    > access.
    >
    > ..
    >
    > You need to list out your goals. There isn't one cure-all solution.
    >
    >
    >
    >
    > "Tina" <> wrote in message
    > news:...
    >> At my old company we used to put the IIS web server, containing our asp
    >> and asp.net websites, in the DMZ and the database on a machine that was
    >> behind the firewall. In this scenario we knew we would be risking
    >> exposure of everything on the webserver.
    >>
    >> Is this still the prefered way to setup a webserver and database server?
    >> Someone was telling me that the webserver should be behind the firewall
    >> but there is so much software using various ports that this seems
    >> impractical.
    >>
    >> What is best practice today? Is there some material available on this?
    >>
    >> I know I should be posting this in the aspnet.security forum but it's
    >> dark and dusty over there.
    >> Thanks,
    >> T
    >>

    >
    >
    rosoft, Jan 28, 2008
    #3
  4. Tina

    rosoft Guest

    Correction in CAPATLIZED below

    Sorry, just a typing error

    Lars

    "rosoft" <> skrev i meddelandet
    news:qJtnj.3247$...
    > Hi
    >
    > Let's say that your client need to connect via ftp in an passive mode.
    > Then you have problems for the ftp server. I have no Windows Server
    > experiens of this but the Linux Server that I maintained needed to be in a
    > ACTIVE (not passive) mode since the server told the client what port to
    > connet to. We where using Linux and the vsftpd server that comes with
    > Linux (Fedora 5). What you shouldn't do on a server that is connected to a
    > DMZ is to hae a SMTP server running. In now way use an SMTP server on for
    > DMZ connection. You could use a router with DMZ on and the install some
    > firewall software where you tell which program that can access all ports
    > or receive connections on all ports. I think Norton Antifirewall can do
    > this. At least on a PC, don't know how it is for a Windows Server.
    >
    > Lars
    >
    >
    > "sloan" <> skrev i meddelandet
    > news:uZw$...
    >>
    >> "Best" depends on how far you want to go.
    >>
    >> A webserver...which talks to WCF Services...would be one of the more safe
    >> ways to handle the setup. (one opinion among many mind you)
    >>
    >> Check
    >> channel9
    >> for 2 videos by Greg Leake.
    >>
    >> He goes over this scenario. The webserver talks through WCF to
    >> service(s), and the services deal with the BAL and eventually the db
    >> access.
    >>
    >> ..
    >>
    >> You need to list out your goals. There isn't one cure-all solution.
    >>
    >>
    >>
    >>
    >> "Tina" <> wrote in message
    >> news:...
    >>> At my old company we used to put the IIS web server, containing our asp
    >>> and asp.net websites, in the DMZ and the database on a machine that was
    >>> behind the firewall. In this scenario we knew we would be risking
    >>> exposure of everything on the webserver.
    >>>
    >>> Is this still the prefered way to setup a webserver and database server?
    >>> Someone was telling me that the webserver should be behind the firewall
    >>> but there is so much software using various ports that this seems
    >>> impractical.
    >>>
    >>> What is best practice today? Is there some material available on this?
    >>>
    >>> I know I should be posting this in the aspnet.security forum but it's
    >>> dark and dusty over there.
    >>> Thanks,
    >>> T
    >>>

    >>
    >>

    >
    >
    rosoft, Jan 29, 2008
    #4
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Bill Carpenter

    ASPNET in DMZ - PLEASE HELP

    Bill Carpenter, Apr 21, 2004, in forum: ASP .Net
    Replies:
    2
    Views:
    1,296
    Christopher Reed
    Apr 21, 2004
  2. =?Utf-8?B?SklNLkgu?=

    Q: app in DMZ machine

    =?Utf-8?B?SklNLkgu?=, Jun 23, 2005, in forum: ASP .Net
    Replies:
    0
    Views:
    310
    =?Utf-8?B?SklNLkgu?=
    Jun 23, 2005
  3. SQL Connection Slow In DMZ

    , Apr 5, 2007, in forum: ASP .Net
    Replies:
    1
    Views:
    486
    bruce barker
    Apr 5, 2007
  4. Paul P

    Deploying Web App inside a DMZ

    Paul P, Mar 5, 2004, in forum: ASP .Net Security
    Replies:
    1
    Views:
    133
    Paul Glavich
    Mar 7, 2004
  5. Steve S

    DMZ, Firewall and COM+

    Steve S, Aug 18, 2004, in forum: ASP .Net Security
    Replies:
    0
    Views:
    131
    Steve S
    Aug 18, 2004
Loading...

Share This Page