Webserver in DMZ?

[Tina]

At my old company we used to put the IIS web server, containing our asp and
asp.net websites, in the DMZ and the database on a machine that was behind
the firewall. In this scenario we knew we would be risking exposure of
everything on the webserver.

Is this still the prefered way to setup a webserver and database server?
Someone was telling me that the webserver should be behind the firewall but
there is so much software using various ports that this seems impractical.

What is best practice today? Is there some material available on this?

I know I should be posting this in the aspnet.security forum but it's dark
and dusty over there.
Thanks,
T

 

[sloan]

"Best" depends on how far you want to go.

A webserver...which talks to WCF Services...would be one of the more safe
ways to handle the setup. (one opinion among many mind you)

Check
channel9
for 2 videos by Greg Leake.

He goes over this scenario. The webserver talks through WCF to service(s),
and the services deal with the BAL and eventually the db access.

...

You need to list out your goals. There isn't one cure-all solution.

 

[rosoft]

Hi

Let's say that your client need to connect via ftp in an passive mode. Then
you have problems for the ftp server. I have no Windows Server experiens of
this but the Linux Server that I maintained needed to be in a passive mode
since the server told the client what port to connet to. We where using
Linux and the vsftpd server that comes with Linux (Fedora 5). What you
shouldn't do on a server that is connected to a DMZ is to hae a SMTP server
running. In now way use an SMTP server on for DMZ connection. You could use
a router with DMZ on and the install some firewall software where you tell
which program that can access all ports or receive connections on all ports.
I think Norton Antifirewall can do this. At least on a PC, don't know how it
is for a Windows Server.

Lars

 

[rosoft]

Correction in CAPATLIZED below

Sorry, just a typing error

Lars