KalAajKal.com :: Home Page  
Articles Quotations Lyrics Recipes Info               
Bookmark this Site  Set it as your HomePage                       
 
 
 Article Categories

  Animals articles  Animals
  Automobiles articles  Automobiles
  Business articles  Business
  Career articles  Career
  Computers articles  Computers
  Computer Programming articles  Computer Programming
  Entertainment articles  Entertainment
  Environment articles  Environment
  Family articles  Family
  Food articles  Food
  Health & Medical articles  Health & Medical
  Home & Garden articles  Home & Garden
  Humor articles  Humor
  Internet Marketing articles  Internet Marketing
  Legal articles  Legal
  Leisure & Recreation articles  Leisure & Recreation
  Marketing articles  Marketing
  Other articles  Other
  Politics articles  Politics
  Religion articles  Religion
  Sports articles  Sports
  Technology & Science articles  Technology & Science
  Travel articles  Travel
  Writing articles  Writing
  Finance articles  Finance
  Internet Business articles  Internet Business
  Communications articles  Communications
  Advice articles  Advice
  Self Improvement articles  Self Improvement
  Fashion articles  Fashion
  Reference & Education articles  Reference & Education
 
 
   


   
   
Categories :: Business : Networking Articles
 


 

Category :: Networking Author :: Chris Weight 
 
 Article Title :: Web Servers and Firewall Zones
 
Web and FTP Servers

Every network that has an internet connection is at risk of being compromised. Whilst there are several steps that you can take to secure your LAN, the only real solution is to close your LAN to incoming traffic, and restrict outgoing traffic.

However some services such as web or FTP servers require incoming connections. If you require these services you will need to consider whether it is essential that these servers are part of the LAN, or whether they can be placed in a physically separate network known as a DMZ (or demilitarised zone if you prefer its proper name). Ideally all servers in the DMZ will be stand alone servers, with unique logons and passwords for each server. If you require a backup server for machines within the DMZ then you should acquire a dedicated machine and keep the backup solution separate from the LAN backup solution.

The DMZ will come directly off the firewall, which means that there are two routes in and out of the DMZ, traffic to and from the internet, and traffic to and from the LAN. Traffic between the DMZ and your LAN would be treated totally separately to traffic between your DMZ and the Internet. Incoming traffic from the internet would be routed directly to your DMZ.
Therefore if any hacker where to compromise a machine within the DMZ, then the only network they would have access to would be the DMZ. The hacker would have little or no access to the LAN. It would also be the case that any virus infection or other security compromise within the LAN would not be able to migrate to the DMZ.

In order for the DMZ to be effective, you will have to keep the traffic between the LAN and the DMZ to a minimum. In the majority of cases, the only traffic required between the LAN and the DMZ is FTP. If you do not have physical access to the servers, you will also need some sort of remote management protocol such as terminal services or VNC.

Database servers

If your web servers require access to a database server, then you will need to consider where to place your database. The most secure place to locate a database server is to create yet another physically separate network called the secure zone, and to place the database server there.
The Secure zone is also a physically separate network connected directly to the firewall. The Secure zone is by definition the most secure place on the network. The only access to or from the secure zone would be the database connection from the DMZ (and LAN if required).

Exceptions to the rule

The dilemma faced by network engineers is where to put the email server. It requires SMTP connection to the internet, yet it also requires domain access from the LAN. If you where to place this server in the DMZ, the domain traffic would compromise the integrity of the DMZ, making it simply an extension of the LAN. Therefore in our opinion, the only place you can put an email server is on the LAN and allow SMTP traffic into this server. However we would recommend against allowing any form of HTTP access into this server. If your users require access to their mail from outside the network, it would be far more secure to look at some form of VPN solution. (with the firewall handling the VPN connections. LAN based VPN servers allow the VPN traffic onto the network before it is authenticated, which is never a good thing.)

Article Source: http://www.articledashboard.com

Chris Weight is a writer for www.stekno.com , information for IT professionals
 
More Networking Articles 
 
 

Content that published and provided on this web site is for informational purposes only. We accept no responsibility for any loss, damages or inconvenience sustained by any person or authority resulting from information published on this web site. We encourage and request you to verify any critical information with the relevant authorities.

   
  Articles  |  Lyrics  |  Quotations  Facts  |  Plants  |  Names  |  Biography  |  Jokes  |  Recipes 
   
Copyright © 2007  KalAajKal.com.  All Rights Reserved.