Q

Server considerations for internal network application setup

Looking to offer private applications to users on an internal network? In this expert response, Mike Chapple explains why you shouldn't use the same server that provides public applications.

This Content Component encountered an error
I have applications that can be publicly accessed in the DMZ. I need to install an application on the secured side of the network, but the application will need IIS installed on that server. If I do so, using internal IP addresses and not public ones, will IIS vulnerabilities expose my application? What do you advise?
You're on the right track; the applications that require public access should be installed and placed in the DMZ. I'm inferring from your question that you want to offer private applications to users on the internal network, but you want to do so using the same server that provides public applications. I do not recommend this approach for two reasons:

  • Mixing public and private services on the same server exposes you to significant application-layer risk. A flaw in the public application, such as an SQL injection vulnerability, could expose data used by the private application, and no additional layer of control or protection would be provided.

  • Services used solely by internal users do not belong in the same DMZ that provides services to the general public. The purpose of the DMZ is to provide a layer of isolation between public and private services. Even if you install the private application on a separate server within the DMZ, you still run the risk of compromising the server that runs the public processes. If that type of corruption occurs, you could potentially have a compromised server living in the same security zone as the private server. If both servers reside in the DMZ, traffic between them would not be regulated by the firewall.

    My recommendation would be to implement a fourth firewall zone, using a separate network interface card (NIC) on the firewall or virtual LAN (vLAN) technology. This fourth zone -- perhaps call it the "internal DMZ" -- would be for services that process private data and should be restricted to internal users only.

    More information:

  • Learn how VLANs can compartmentalize WLAN traffic.
  • A demilitarized zone protects systems from an affected server, but enterprise users should not be placed in the DMZ. Mike Chapple explains where they belong.
  • This was first published in October 2007

    Dig deeper on DMZ Setup and Configuration

    Pro+

    Features

    Enjoy the benefits of Pro+ membership, learn more and join.

    Have a question for an expert?

    Please add a title for your question

    Get answers from a TechTarget expert on whatever's puzzling you.

    You will be able to add details on the next page.

    0 comments

    Oldest 

    Forgot Password?

    No problem! Submit your e-mail address below. We'll send you an email containing your password.

    Your password has been sent to:

    -ADS BY GOOGLE

    SearchCloudSecurity

    SearchNetworking

    SearchCIO

    SearchConsumerization

    SearchEnterpriseDesktop

    SearchCloudComputing

    ComputerWeekly

    Close