out of curiosity, why would you want to separate the CF API from the
webserver with regards to security?  that setup doesn't seem to lend itself
to being more secure.

-----Original Message-----
From: Stacy Young [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 27, 2002 5:47 PM
To: CF-Talk
Subject: RE: Firewall configuration for CF and SQL (sort of OT)


The only thing that should be in your DMZ is a web server with port 443 and
80 open through the firewall... You can point the web server connector
to a remote CF machine to render your templates....

Stace

-----Original Message-----
From: Bud [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 27, 2002 2:36 PM
To: CF-Talk
Subject: Re: Firewall configuration for CF and SQL (sort of OT)

On 6/27/02, Dustin Snell [Unisyn Software, LLC] penned:
>We are attempting to secure our network which was admittedly *not secure*
>before.  So, we have purchased a 3COM Superstack 3 firewall which is up and
>running and seems to be working great.  I am wondering what the recommended
>topology should be for the Web Server (which is Windows 2000 Server, running
>IIS and Coldfusion 4.5) and the SQL Server (diff machine, Windows 2000
>Server, SQL 2000).  It seems to me that the web server should be in the DMZ
>(in front of the firewall) but I have the following questions.
>
>
>
>1) Should the SQL Server be behind the firewall?  The answer seems to me to
>be yes - if so, what port do I have to open to allow communication between
>the Web/CF Server and the SQL Server so that they can still talk to each
>other.  Our intranet (LAN users) and website (WAN) users need to access the
>same database.
>

I can't say I'm an expert by any means, but I have both my web server
and SQL Server behind the firewall. The only access I allow to the SQL
box is to TCP/IP on port 1433 for Enterprise Manager and the port for
my Remote administration software, and then only from certain IP
addresses. I won't let any clients access the SQL Server unless they
have a static IP Address, which I haven't needed to at this point. If
I get a client with dialup that needs to access SQL Server through
Ent. Mgr., I'll cross that bridge then.

Not sure why you'd put the web server in the DMZ. I have just the
ports needed to be open for the web server, 80, 443, 21, 8383, 8484,
(both for web mail) 25, 110, 53 (DNS and mail are currently running
on the mail server, but I'm moving mail to a dedicated server in the
next week or so). I block all UDP traffic except to port 53 (DNS). I
only open the port for my remote administration to my IP address here
at home. Once I get mail moved, I'll only have ports 80, 443 and 21
and 53 open to the web server. Hopefully, I'll have the money one day
for a dedicated DNS server and can close port 53 also. :)

>
>These other questions are more off topic  but help would still be *very
much
>* appreciated
>
>2) For servers in the DMZ, is there any rational reason for them to be in
>the domain?  Wouldn't it be more secure to keep those machines as
>standalone (non-domain) machines so that if they are compromised, all
>domain machines are still behind the firewall?  The only benefit I can see
>to keeping them in the domain is group policy.

Can't answer domain questions. My servers are all standalone.

>Misc... even more OT:
>
>3) For those running DNS servers in house, is it customary for you to
>actually have a dedicated DNS machine? Or do you, as we currently do, use a
>server for dual purpose (maybe it would be an FTP Server and a DNS Server).
>Also, are there any "plug and play" DNS "network appliances" available that
>wouldn't require a $1000+ license of Windows 2000 server?


I can't answer the appliance question, but I'm running DNS using Bind
for NT. It's pretty simple and works well. You could probably get a
cheap box running Linux and run Bind to avoid the cost of Windows.
That's probably what I'll do when I move DNS off the web server.

Hope that helped a little.
--

Bud Schneehagen - Tropical Web Creations

_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
ColdFusion Solutions / eCommerce Development
[EMAIL PROTECTED]
http://www.twcreations.com/
954.721.3452


______________________________________________________________________
Get the mailserver that powers this list at http://www.coolfusion.com
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
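The thread above argues over two layouts: Stacy's (only the web server in the DMZ on 80/443, the web server connector forwarding to a CF box inside, SQL reachable only from inside) versus Bud's (everything behind the firewall, SQL port 1433 opened only to fixed admin addresses). The following is an added example, not code from any of the posters: a small first-match firewall policy model in Python that encodes Stacy's layout plus Bud's 1433 restriction, so you can check what each source can actually reach before touching a real device. All addresses, the connector port and the DNS host are constructed for the illustration and do not come from the thread.

```python
"""Added example (not from the CF-Talk thread): first-match model of the
DMZ / CF / SQL firewall policy discussed on the list.

Constructed topology (addresses are illustrative, not from the thread):
  Internet                      -> DMZ web server 192.0.2.10 : TCP 80/443 only
  DMZ web server                -> internal CF server 10.0.0.20 : connector port
  internal CF server / LAN      -> SQL Server 10.0.0.30 : TCP 1433
  admin workstation 198.51.100.7 -> SQL Server : TCP 1433 (Enterprise Manager)
  anyone                        -> UDP 53 to the DNS host; all other UDP dropped
Everything not explicitly allowed is denied.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # source CIDR
    dst: str               # destination CIDR
    dport: Optional[int]   # destination port, None = any port
    comment: str = ""

    def matches(self, proto: str, src: str, dst: str, dport: int) -> bool:
        return ((self.proto == "any" or self.proto == proto)
                and ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == dport))


ANY = "0.0.0.0/0"
LAN = "10.0.0.0/24"            # internal network (CF server and intranet users)
WEB = "192.0.2.10/32"          # DMZ web server (IIS + web server connector)
CF = "10.0.0.20/32"            # internal ColdFusion server
SQL = "10.0.0.30/32"           # internal SQL Server
DNS = "192.0.2.53/32"          # DMZ DNS host
ADMIN = "198.51.100.7/32"      # fixed admin IP allowed to run Enterprise Manager
CF_CONNECTOR_PORT = 51010      # assumption: whatever port the connector is configured for

# Order matters: the first matching rule decides.
POLICY: List[Rule] = [
    Rule("allow", "tcp", ANY, WEB, 80, "public HTTP"),
    Rule("allow", "tcp", ANY, WEB, 443, "public HTTPS"),
    Rule("allow", "tcp", WEB, CF, CF_CONNECTOR_PORT, "web server connector to CF"),
    Rule("allow", "tcp", LAN, SQL, 1433, "CF server and intranet users to SQL"),
    Rule("allow", "tcp", ADMIN, SQL, 1433, "Enterprise Manager from fixed admin IP"),
    Rule("allow", "udp", ANY, DNS, 53, "DNS queries"),
    Rule("deny", "udp", ANY, ANY, None, "block all other UDP"),
]


def decide(proto: str, src: str, dst: str, dport: int) -> str:
    """Return 'allow' or 'deny' for a flow; no match means default deny."""
    for rule in POLICY:
        if rule.matches(proto, src, dst, dport):
            return rule.action
    return "deny"


def internet_reachable(host: str, probe_src: str = "203.0.113.5") -> List[Tuple[str, int]]:
    """List the (proto, port) pairs an arbitrary Internet address can reach on host.

    Only ports named in allow rules need testing; each candidate is re-run through
    decide() so an earlier deny rule still wins.
    """
    reachable = set()
    for rule in POLICY:
        if rule.action == "allow" and rule.dport is not None:
            if decide(rule.proto, probe_src, host, rule.dport) == "allow":
                reachable.add((rule.proto, rule.dport))
    return sorted(reachable)


if __name__ == "__main__":
    print("Internet -> web server :", internet_reachable("192.0.2.10"))
    print("Internet -> SQL Server :", internet_reachable("10.0.0.30"))
    # A compromised DMZ web server still cannot open 1433 to SQL directly.
    print("DMZ web -> SQL 1433    :", decide("tcp", "192.0.2.10", "10.0.0.30", 1433))
    print("Admin   -> SQL 1433    :", decide("tcp", "198.51.100.7", "10.0.0.30", 1433))
```

The check worth running on any real ruleset is the one `internet_reachable` performs: enumerate what an outside address can hit on each host rather than reading the rules top to bottom. In this layout a compromised DMZ web server can only talk to the CF connector port, not to 1433, which is the whole reason Stacy suggests separating the web server from the CF and SQL machines.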
