If you have, or are planning to have web servers connected to your network, you will need to consider the security implications.
Web and FTP Servers
Every network that has an internet connection is at risk of being
compromised. Whilst there are several steps that you can take to secure
your LAN, the only real solution is to close your LAN to incoming
traffic, and restrict outgoing traffic.
However some services such as web or FTP servers require incoming
connections. If you require these services you will need to consider
whether it is essential that these servers are part of the LAN, or
whether they can be placed in a physically separate network known as a
DMZ (or demilitarised zone if you prefer its proper name). Ideally all
servers in the DMZ will be stand alone servers, with unique logons and
passwords for each server. If you require a backup server for machines
within the DMZ then you should acquire a dedicated machine and keep the
backup solution separate from the LAN backup solution.
The DMZ will come directly off the firewall, which means that there are
two routes in and out of the DMZ, traffic to and from the internet, and
traffic to and from the LAN. Traffic between the DMZ and your LAN would
be treated totally separately to traffic between your DMZ and the
Internet. Incoming traffic from the internet would be routed directly
to your DMZ.
Therefore if any hacker where to compromise a machine within the DMZ,
then the only network they would have access to would be the DMZ. The
hacker would have little or no access to the LAN. It would also be the
case that any virus infection or other security compromise within the
LAN would not be able to migrate to the DMZ.
In order for the DMZ to be effective, you will have to keep the traffic
between the LAN and the DMZ to a minimum. In the majority of cases, the
only traffic required between the LAN and the DMZ is FTP. If you do not
have physical access to the servers, you will also need some sort of
remote management protocol such as terminal services or VNC.
Database servers
If your web servers require access to a database server, then you will
need to consider where to place your database. The most secure place to
locate a database server is to create yet another physically separate
network called the secure zone, and to place the database server there.
The Secure zone is also a physically separate network connected
directly to the firewall. The Secure zone is by definition the most
secure place on the network. The only access to or from the secure zone
would be the database connection from the DMZ (and LAN if required).
Exceptions to the rule
The dilemma faced by network engineers is where to put the email
server. It requires SMTP connection to the internet, yet it also
requires domain access from the LAN. If you where to place this server
in the DMZ, the domain traffic would compromise the integrity of the
DMZ, making it simply an extension of the LAN. Therefore in our
opinion, the only place you can put an email server is on the LAN and
allow SMTP traffic into this server. However we would recommend against
allowing any form of HTTP access into this server. If your users
require access to their mail from outside the network, it would be far
more secure to look at some form of VPN solution. (with the firewall
handling the VPN connections. LAN based VPN servers allow the VPN
traffic onto the network before it is authenticated, which is never a
good thing.)
