How to isolate webserver from local network

imported_itr

Senior member
Mar 2, 2005
Seeing that my webserver has a high risk of being compromised, I'd like to isolate it from the rest of my network.
 

n0cmonkey

Elite Member
Jun 10, 2001
Create a DMZ. Create a network segment either off the router or preferably the firewall. Restrict access into that network segment to (if all you have is a webserver) HTTP(S). If your firewall keeps state properly, you can block all outgoing connections from the DMZ to the outside world.
 

imported_itr

Senior member
Mar 2, 2005
My router (Netgear FR114P) has a DMZ option. Is this the same one you're talking about? Even if I set my webserver on the DMZ, my local computers can still talk to the webserver and vice versa. So if the webserver does become compromised, wouldn't the rest of my network be as well? Do you get what I'm saying?
 

imported_itr

Senior member
Mar 2, 2005
Thanks Jack. I'm going to try that after I purchase a second router. Would the next step up to secure the network be to buy a dedicated firewall? E.g. a Cisco PIX.
 

n0cmonkey

Elite Member
Jun 10, 2001
Originally posted by: itr
My router (Netgear FR114P) has a DMZ option. Is this the same one you're talking about? Even if I set my webserver on the DMZ, my local computers can still talk to the webserver and vice versa. So if the webserver does become compromised, wouldn't the rest of my network be as well? Do you get what I'm saying?

Probably not. The term "DMZ" means "all ports are forwarded to this machine" in SOHO router terminology. It's a damned shame too.

Thanks Jack. I'm going to try that after I purchase a second router. Would the next step up to secure the network be to buy a dedicated firewall? E.g. a Cisco PIX.

Yes. Maybe not a Pix, but something.
 

imported_itr

Senior member
Mar 2, 2005
The DMZ does forward all ports to the specified server IP. Which would be better, security-wise, the two-router setup or the DMZ?
 

n0cmonkey

Elite Member
Jun 10, 2001
Originally posted by: itr
The DMZ does forward all ports to the specified server IP. Which would be better, security-wise, the two-router setup or the DMZ?

A real DMZ is the best option. It will keep that server segmented away from your other systems.
 
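What a "real" DMZ of the kind n0cmonkey describes looks like as a firewall ruleset, as an added example that is not part of the thread. It assumes a Linux box running nftables as the firewall with three interfaces (eth0 to the Internet, eth1 to the LAN on 192.168.1.0/24, eth2 to the DMZ on 192.168.2.0/24) and a web server at 192.168.2.10; all of those names and addresses are assumptions. Inbound to the DMZ is limited to ports 80 and 443, replies are allowed by connection tracking, and the DMZ may not initiate anything at all, neither to the LAN nor to the Internet.

```nft
#!/usr/sbin/nft -f
# Added example ruleset (not from the thread). Assumed layout:
#   eth0 = Internet, eth1 = LAN 192.168.1.0/24,
#   eth2 = DMZ 192.168.2.0/24, web server = 192.168.2.10

flush ruleset

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        # Publish only the web ports; nothing else is forwarded to the DMZ host
        iifname "eth0" tcp dport { 80, 443 } dnat to 192.168.2.10
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        # Hide LAN and DMZ addresses behind the Internet-facing interface
        oifname "eth0" masquerade
    }
}

table inet dmz {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Stateful tracking: replies to permitted flows come back, junk does not
        ct state established,related accept
        ct state invalid drop

        # Internet and LAN may open connections to the web server on 80/443 only
        iifname { "eth0", "eth1" } oifname "eth2" ip daddr 192.168.2.10 tcp dport { 80, 443 } ct state new accept

        # LAN may go out to the Internet as usual
        iifname "eth1" oifname "eth0" ct state new accept

        # The DMZ initiates nothing: not to the LAN, not to the Internet.
        # A compromised server trying to call home or scan the LAN shows up here.
        iifname "eth2" ct state new log prefix "dmz-egress-drop: " drop
    }
}
```

Two practical caveats. A server that cannot open outbound connections also cannot resolve DNS, fetch updates or sync time, so in practice you add narrow exceptions (a specific DNS resolver, NTP and an update mirror or proxy) above the final drop rule rather than loosening it. And the `log` line is worth keeping: a web server that starts trying to reach 192.168.1.0/24 or arbitrary Internet hosts is about the clearest compromise indicator this topology gives you.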

imported_itr

Senior member
Mar 2, 2005
I guess my router doesn't provide a 'real' DMZ, since my server can still talk with the rest of the LAN. What are some good routers that provide a real DMZ?
 

JackMDS

Elite Member
Super Moderator
Oct 25, 1999
Hmm. That is the way segregation works: the server computer can talk to the rest of the LAN, since the LAN is like the Internet to it. However, the LAN's computers should not be able to talk to the server computer, since that goes against the second router's NAT firewall.

If port 80 on the server's router is opened, the LAN's computers would be able to access the server's web pages with a browser, the way any Internet server works.
