Ask the Expert

Firewall recommendations for a busy Web server

What kind of firewall would you recommend for a government organization's Web servers that can expect tens of thousands of attacks in any given day? (Price is not an issue.) We plan to host on IIS using ASP, and Windows 2003 and IIS 6.0.

Requires Free Membership to View

Without a lot more information about your needs and environment, it's impossible to provide a meaningful recommendation. Also, many books have been written to answer these questions so I can barely even scratch the surface here. I would very strongly suggest you find a qualified information security consulting firm to evaluate your project's needs and assist you with design and implementation. Proper firewall configuration is not plug and play, nor is it as simple as it may seem. Likewise, IIS is very tricky to secure and keep secured.

Implementing a defense in depth is critical. One layer of security, such as a firewall, will never be 100% secure. The more layers you have the less likely an attack will penetrate them all, so after you design the firewall architecture you will want to consider both network and host-based intrusion-detection systems (IDS) and intrusion-prevention systems (IPS). A properly configured network based IDS (such has Snort) on the DMZ segment with your Web server will alert you if potentially malicious traffic manages to get though your firewall, while a host-based IDS (HIDS) will alert you of potentially malicious events on the Web server itself. Network or host-based IPS try to identify and prevent malicious traffic instead of just detecting it as an IDS does.

Compartmentalization is another layer of defense. Any publicly accessible services, such as your Web server, should be hosted on a DMZ or "service network." This network is separated from the rest of your environment by either another firewall (ideally running a different firewall product and different operating system) or another interface on your main firewall (often called a "three-legged" firewall). Be very strict about the traffic allowed from the Internet to the Web server and from the Web server into the rest of the network. Also, do not place the database on the same server as the Web server. The goal of compartmentalization is that if the Web server is compromised, only that server and potentially the service network is at risk -- the rest of the environment, especially your important database, is relatively safe behind the firewall.

For more info on this topic, please visit these resources:
  • Best Web Links: Securing the Internet/e-commerce
  • Featured Topic: Firewall evolution
  • Ask the Expert: Comparing Microsoft IIS and Apache Web servers

    This was first published in January 2004

  • There are Comments. Add yours.

    TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

    REGISTER or login:

    Forgot Password?
    By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
    Sort by: OldestNewest

    Forgot Password?

    No problem! Submit your e-mail address below. We'll send you an email containing your password.

    Your password has been sent to: