I agree, thanks for your help!

-Dustin Snell
Unisyn Software, LLC
----- Original Message -----
From: "Christopher Olive" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Thursday, June 27, 2002 1:17 PM
Subject: RE: Firewall configuration for CF and SQL (sort of OT)


> Putting the webserver in the DMZ is a good idea, since the majority of web
> server compromises are via port 80 anyway.  And the principle of the DMZ
> (isolated public servers such that, if they are compromised, they cannot be
> used as bastion hosts for attacks) applies here.
>
> -----Original Message-----
> From: Bud [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, June 27, 2002 2:36 PM
> To: CF-Talk
> Subject: Re: Firewall configuration for CF and SQL (sort of OT)
>
>
> On 6/27/02, Dustin Snell [Unisyn Software, LLC] penned:
> >We are attempting to secure our network which was admittedly *not secure*
> >before.  So, we have purchased a 3COM Superstack 3 firewall which is up and
> >running and seems to be working great.  I am wondering what the recommended
> >topology should be for the Web Server (which is Windows 2000 Server, running
> >IIS and ColdFusion 4.5) and the SQL Server (diff machine, Windows 2000
> >Server, SQL 2000).  It seems to me that the web server should be in the DMZ
> >(in front of the firewall) but I have the following questions.
> >
> >1) Should the SQL Server be behind the firewall?  The answer seems to me to
> >be yes - if so, what port do I have to open to allow communication between
> >the Web/CF Server and the SQL Server so that they can still talk to each
> >other?  Our intranet (LAN users) and website (WAN) users need to access the
> >same database.
> >
>
> I can't say I'm an expert by any means, but I have both my web server
> and SQL Server behind the firewall. The only access I allow to the SQL
> box is to TCP/IP on port 1433 for Enterprise Manager and the port for
> my Remote administration software, and then only from certain IP
> addresses. I won't let any clients access the SQL Server unless they
> have a static IP Address, which I haven't needed to at this point. If
> I get a client with dialup that needs to access SQL Server through
> Ent. Mgr., I'll cross that bridge then.
>
> Not sure why you'd put the web server in the DMZ. I have just the
> ports needed to be open for the web server, 80, 443, 21, 8383, 8484,
> (both for web mail) 25, 110, 53 (DNS and mail are currently running
> on the mail server, but I'm moving mail to a dedicated server in the
> next week or so). I block all UDP traffic except to port 53 (DNS). I
> only open the port for my remote administration to my IP address here
> at home. Once I get mail moved, I'll only have ports 80, 443 and 21
> and 53 open to the web server. Hopefully, I'll have the money one day
> for a dedicated DNS server and can close port 53 also. :)
>
> >
> >These other questions are more off topic but help would still be *very much*
> >appreciated
> >
> >2) For servers in the DMZ, is there any rational reason for them to be in
> >the domain?  Wouldn't it be more secure to keep those machines as
> >standalone (non-domain) machines so that if they are compromised, all
> >domain machines are still behind the firewall?  The only benefit I can see
> >to keeping them in the domain is group policy.
>
> Can't answer domain questions. My servers are all standalone.
>
> >Misc... even more OT:
> >
> >3) For those running DNS servers in house, is it customary for you to
> >actually have a dedicated DNS machine? Or do you, as we currently do, use a
> >server for dual purpose (maybe it would be an FTP Server and a DNS Server)?
> >Also, are there any "plug and play" DNS "network appliances" available that
> >wouldn't require a $1000+ license of Windows 2000 server?
>
>
> I can't answer the appliance question, but I'm running DNS using Bind
> for NT. It's pretty simple and works well. You could probably get a
> cheap box running Linux and run Bind to avoid the cost of Windows.
> That's probably what I'll do when I move DNS off the web server.
>
> Hope that helped a little.
> --
>
> Bud Schneehagen - Tropical Web Creations
>
> _/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
> ColdFusion Solutions / eCommerce Development
> [EMAIL PROTECTED]
> http://www.twcreations.com/
> 954.721.3452
>
> 