I need to put a Web server inside a DMZ, and the server needs to access data residing on a network attached storage (NAS) box on the internal network. What would be some best practices for implementing a secure DMZ Web server?
This is a good question and we tend to see this requirement quite often. Traditionally you would want to separate any Internet-facing systems and supporting components into their own dedicated space (i.e. separate from internal systems).
Expanding on this initial thought to ensure the best possible level of security with a DMZ Web server setup, consider hosting the NAS device on its own dedicated network segment. Should the Web server ever be compromised, collateral damage will be kept to a minimum. By collateral damage, I mean mitigating the risk of the attacker getting to the NAS box and, in turn, the rest of the network. This will also allow you to set up tactical choke points to monitor for malicious activity. An example of such a deployment would be to set up an inline Web application firewall (WAF) or intrusion prevention system (IPS) to protect the downstream link (i.e. on the DMZ interface link).
From a networking perspective, I would enforce the appropriate inbound access control lists (ACLs) to be as restrictive as possible to the NAS from the DMZ server. For example, leverage built-in firewall security restrictions, which prevent traffic from an untrusted interface (e.g. Internet/DMZ) from flowing to a trusted interface (e.g. internal). In addition, access to the Internet-facing DMZ should be restricted to the appropriate application ports (typically TCP port 80 and TCP port 443). Consider enforcing a restrictive outbound ACL to control traffic from the internal network to the DMZ.
All other traditional server-hardening rules apply, especially on the DMZ swing. If you are primarily dealing with static content on the NAS, consider some form of a file integrity-monitoring system. Tripwire Inc. offers a commercial product, and the AIDE open source tool can be found on SourceForge.
Dig Deeper on Enterprise network security
Related Q&A from Anand Sastry
While encrypting production servers may seem like a good security move, according to Anand Sastry, doing so may not be worth the resources it uses. Continue Reading
Transferring files from a DMZ to an internal FTP server can be risky. In this expert response, Anand Sastry explains how to use SFTP automation to ... Continue Reading
When setting up a site-to-site VPN, where should the VPN endpoint be in the DMZ? Learn more in this expert response. Continue Reading