Protecting the Server - Network tiers and the DMZ
(Page 4 of 4 )
Multiple firewalls can be used to build tiers within trust boundaries. By building a tier with a firewall all the rules controlling access to that tier can be managed on each end. This allows for a flexible yet restrictive network configuration.
Where we see this type of configuration most is in the setup of a traditional demilitarized zone (DMZ) style firewall configuration. Figure 4-1 shows a typical tiered network.
Figure 4-1. A tiered network architecture
If an attack happens within the DMZ it is isolated to this segment of the network, thereby limiting the damage an attacker can do. The secondary firewall protects the internal network in the event a DMZ machine is compromised.
Separation of duties Boy, that’s a beefy machine you got there. It’s going to make a fine web server. However, you might be thinking it’s big enough to do everything (Web, FTP, news, mail, and so on), and it might be. But, the problem is that if the machine is compromised, everything is compromised. You don’t want that; that would be bad.
Thus it is a good practice to isolate these services and spread out functionality by creating a separate hardened machine for each major Internet service:
- Firewalls
- Proxies and gateway servers
- Web servers
- Application servers
- Database servers
- Logging servers
- Email servers
- FTP servers
Running these services separately limits the impact of an attack and reduces the surface area with which the attacker has to work. Yep, that’s right. Now you have an excuse to buy more machines! Remember, you are the one who wanted to get into the web site hosting business, right?
At the very least, there should be a point on your network before the web server that you can use as a point of inspection and detection. You may not need a full DMZ type setup, but if you are going to play on the Internet, I advise that you at least have a well-configured router and a firewall. Now that the network is prepared we can go back to building that web server.
Please check back next week for the continuation of this article.
| DISCLAIMER: The content provided in this article is not warranted or guaranteed by Developer Shed, Inc. The content provided is intended for entertainment and/or educational purposes in order to introduce to the reader key ideas, concepts, and/or product reviews. As such it is incumbent upon the reader to employ real-world tactics for security and implementation of best practices. We are not liable for any negative consequences that may result from implementing any information covered in our articles or tutorials. If this is a hardware review, it is not recommended to open and/or modify your hardware. |
|
 This article is excerpted from chapter four of the book Securing Ajax Applications: Ensuring the Safety of the Dynamic Web, written by Christopher Wells (O'Reilly, 2007; ISBN: 0596529317). Check it out today at your favorite bookstore. Buy this book now.
|
|
