Q
Problem solve Get help with specific problems with your technologies, process and projects.

Secure DMZ Web server setup advice

Network security expert Anand Sastry describes how to ensure a secure DMZ Web server setup involving network attached storage (NAS).

I need to put a Web server inside a DMZ, and the server needs to access data residing on a network attached storage...

(NAS) box on the internal network. What would be some best practices for implementing a secure DMZ Web server?

This is a good question and we tend to see this requirement quite often. Traditionally you would want to separate any Internet-facing systems and supporting components into their own dedicated space (i.e. separate from internal systems).

Expanding on this initial thought to ensure the best possible level of security with a DMZ Web server setup, consider hosting the NAS device on its own dedicated network segment. Should the Web server ever be compromised, collateral damage will be kept to a minimum. By collateral damage, I mean mitigating the risk of the attacker getting to the NAS box and, in turn, the rest of the network. This will also allow you to set up tactical choke points to monitor for malicious activity. An example of such a deployment would be to set up an inline Web application firewall (WAF) or intrusion prevention system (IPS) to protect the downstream link (i.e. on the DMZ interface link).

From a networking perspective, I would enforce the appropriate inbound access control lists (ACLs) to be as restrictive as possible to the NAS from the DMZ server. For example, leverage built-in firewall security restrictions, which prevent traffic from an untrusted interface (e.g. Internet/DMZ) from flowing to a trusted interface (e.g. internal). In addition, access to the Internet-facing DMZ should be restricted to the appropriate application ports (typically TCP port 80 and TCP port 443). Consider enforcing a restrictive outbound ACL to control traffic from the internal network to the DMZ.

All other traditional server-hardening rules apply, especially on the DMZ swing. If you are primarily dealing with static content on the NAS, consider some form of a file integrity-monitoring system. Tripwire Inc. offers a commercial product, and the AIDE open source tool can be found on SourceForge.

This was last published in June 2010

Dig Deeper on Enterprise network security

PRO+

Content

Find more PRO+ content and other member only offers, here.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Start the conversation

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly.com

  • CIO Trends #6: Nordics

    In this e-guide, read how the High North and Baltic Sea collaboration is about to undergo a serious and redefining makeover to ...

  • CIO Trends #6: Middle East

    In this e-guide we look at the role of information technology as the Arabian Gulf commits billions of dollars to building more ...

  • CIO Trends #6: Benelux

    In this e-guide, read about the Netherlands' coalition government's four year plan which includes the term 'cyber' no fewer than ...

Close