
I would like some advice about a network layout for a medium company hosting a website/web service.

Currently I have the following layout in place... (Network Layout diagram)

I would like the private area (green) for databases, and the public area (blue) for web servers. The IIS servers have two NICs; I would like one to be public and the other to be local, accessing the databases when they need information. The firewall in the private area is needed for VPN / remote access. Any suggestions would be greatly appreciated.

The switches are a Dell PowerConnect 5424 (private) and a Dell PowerConnect 2848 (public), and the firewall outside the network is a Juniper. The firewall inside the network for VPN is Watchdog.

TessellatingHeckler
Ziemer

1 Answer

If the webservers are on the same LAN as the database servers, then you don't have much of a private and public separation. It would be more common to have a firewall between the two and to only allow database ports and remote access ports through the firewall (and whatever you need to keep your domain working).

The point would be that if someone compromises your webservers, they have little access to your database servers. With your diagram, if someone compromises a webserver, they have full access to the database servers through the second NIC.

I would look at having the Juniper firewall between the two networks using VLANs, or move the Watchdog to sit between the two networks, if it's up to the task.

TessellatingHeckler
  • I would say some kind of firewall with DMZ setup. It does not depend on the type of firewall. – Squidly Sep 24 '11 at 05:29
  • I say the above, but really I'm not so sure a DMZ does all that much for security. A bigger problem is people attacking the webserver with, e.g., SQL injection, and getting the webserver to legitimately read too much information from the database. You may as well put them all in the same LAN for something of this scale if it makes it easier to patch the servers, and focus most of your effort on securing the website code and putting monitoring / alerting software in place. – TessellatingHeckler Sep 24 '11 at 14:50
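The answer's suggestion (put the Juniper between the two tiers on VLANs and pass only the database port) looks roughly like this as a Junos SRX zone policy. This is an added example, not configuration from the asker or answerer: it assumes an SRX-style device (the question only says "a Juniper"), and the VLAN ids, subnets and TCP port 1433 for SQL Server are constructed values to be replaced with your own.

```junos
# One trunk port toward the switches, carrying each tier as its own tagged VLAN
# (VLAN ids and addresses are constructed for illustration)
set interfaces ge-0/0/1 vlan-tagging
set interfaces ge-0/0/1 unit 10 vlan-id 10
set interfaces ge-0/0/1 unit 10 family inet address 192.0.2.1/24
set interfaces ge-0/0/1 unit 20 vlan-id 20
set interfaces ge-0/0/1 unit 20 family inet address 10.10.20.1/24

# Each VLAN subinterface becomes a security zone: the web tier and the private tier
set security zones security-zone web-dmz interfaces ge-0/0/1.10
set security zones security-zone private interfaces ge-0/0/1.20

# Name the hosts the policy refers to, so the rule cannot silently widen later
set security address-book global address web-servers 192.0.2.0/24
set security address-book global address db-servers 10.10.20.0/24

# Custom application for SQL Server; change the port if the databases listen elsewhere
set applications application ms-sql-tcp protocol tcp destination-port 1433

# Web tier -> private tier: only the database port, only from the web servers,
# only to the database servers. Logging session starts gives a baseline of
# normal web-to-db traffic to compare against later.
set security policies from-zone web-dmz to-zone private policy web-to-db match source-address web-servers
set security policies from-zone web-dmz to-zone private policy web-to-db match destination-address db-servers
set security policies from-zone web-dmz to-zone private policy web-to-db match application ms-sql-tcp
set security policies from-zone web-dmz to-zone private policy web-to-db then permit
set security policies from-zone web-dmz to-zone private policy web-to-db then log session-init

# Anything else a web server tries to reach in the private tier is dropped and
# logged: a compromised web server probing the database network shows up here.
set security policies from-zone web-dmz to-zone private policy deny-rest match source-address any
set security policies from-zone web-dmz to-zone private policy deny-rest match destination-address any
set security policies from-zone web-dmz to-zone private policy deny-rest match application any
set security policies from-zone web-dmz to-zone private policy deny-rest then deny
set security policies from-zone web-dmz to-zone private policy deny-rest then log session-init

# No policy exists from private to web-dmz, so the device default applies:
# the database tier cannot initiate sessions toward the web tier at all.
set security policies default-policy deny-all
```

With this in place the IIS servers reach the databases only through the firewall, so the second NIC on the private switch (the path the answer warns about) is no longer needed; the remote-access and domain ports the answer mentions would be added as further explicit policies rather than by loosening this one.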