Web Servers and Firewall Zones
Source: くみこみックス
Web and FTP Servers
Every network with an internet connection is at risk of being compromised. While there are many measures you can take to secure your LAN, the only complete answer is to close the LAN to incoming traffic and to restrict outgoing traffic.
However, some services, such as web or FTP servers, need incoming connections. If you require these services you will need to consider whether it is essential that the servers are part of the LAN, or whether they can be placed on a physically separate network known as a DMZ (demilitarised zone). Ideally every server in the DMZ is a stand-alone machine with its own logons and passwords, so that compromising one server yields no credentials for the others. If you need a backup server for the machines in the DMZ, buy a dedicated machine and keep that backup solution separate from the LAN backup solution; a backup server shared between the two would otherwise be a bridge between them.
The DMZ hangs directly off the firewall, which means there are two routes in and out of it: traffic to and from the internet, and traffic to and from the LAN. Traffic between the DMZ and your LAN is treated entirely separately from traffic between the DMZ and the internet. Incoming traffic from the internet is routed directly to the DMZ and never onto the LAN.
Consequently, if an attacker were to compromise a machine in the DMZ, the only network they would have access to is the DMZ itself; they would have little or no access to the LAN. Equally, a virus infection or other security compromise on the LAN could only reach the DMZ through the few channels you have deliberately opened between the two networks.
For the DMZ to be effective, you must keep the traffic between the LAN and the DMZ to a minimum. In most cases the only traffic needed from the LAN to the DMZ is FTP, for publishing content to the servers. If you do not have physical access to the servers you will also need some form of remote management protocol, such as Terminal Services or VNC. Restrict these flows to the specific management hosts on the LAN that need them, and bear in mind that plain FTP and VNC send credentials unencrypted, so prefer an encrypted equivalent (SFTP, or VNC tunnelled over SSH) where you can.
Database servers
If your web servers need access to a database server, you need to consider where to place the database. The most secure option is to build yet another physically separate network, known as the secure zone, and to place the database server there.
The secure zone is also a physically separate network connected directly to the firewall, and it is by definition the most secure place on the network. The only access to or from the secure zone is the database connection initiated from the DMZ (and from the LAN if essential), on the single port the database listens on; nothing in the secure zone opens connections outward.
Exceptions to the rule
The dilemma network engineers face is where to place the email server. It needs an SMTP connection to the internet, but it also needs domain access from the LAN. If you were to place this server in the DMZ, the domain traffic (authentication and directory lookups against the LAN's domain controllers) would compromise the integrity of the DMZ, making it simply an extension of the LAN. In our opinion, therefore, the only place you can put an email server is on the LAN, allowing SMTP traffic from the internet to reach this one server and nothing else. We would, however, advise against allowing any form of HTTP access into this server. If your users need access to their mail from outside the network, it is far more secure to consider some form of VPN, with the firewall terminating the VPN connections. A LAN-based VPN server lets the VPN traffic onto the network before it has been authenticated, which is never a good thing.
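The zoning rules above (which zone may open connections into which, the database link from the DMZ into the secure zone, and the single SMTP exception into the LAN) can be written down and checked mechanically. The following is an added example, not code from the original article: a small Python model of the policy that answers "is this flow allowed?", computes which zones an attacker who has compromised a host in a given zone can reach, including by pivoting through an intermediate zone, and flags rules that would undo the separation. The zone names, the port numbers (RDP 3389 and PostgreSQL 5432 stand in for "remote management" and "the database connection"), the host name "mail" and the assumption of a stateful firewall are illustrative choices, not something the article specifies.

```python
"""Model of the zoned firewall policy described in the article.

Added example, not code from the original article. The zone names, port
numbers (RDP 3389, PostgreSQL 5432), the host name "mail" and the
assumption of a stateful firewall are illustrative choices.
"""
from collections import deque
from dataclasses import dataclass

INTERNET, DMZ, LAN, SECURE = "internet", "dmz", "lan", "secure"


@dataclass(frozen=True)
class Rule:
    """One permitted connection initiation.

    The firewall is assumed to be stateful, so replies to an accepted
    connection are allowed without a rule of their own.
    """
    src: str              # zone the connection is opened from
    dst: str              # zone that accepts it
    dport: int            # destination TCP port
    dst_host: str = "*"   # "*" = any host in dst, otherwise one named host


# Everything the article permits; anything not listed is dropped (default deny).
POLICY = [
    Rule(INTERNET, DMZ, 80),                    # web server
    Rule(INTERNET, DMZ, 443),                   # web server over TLS
    Rule(INTERNET, DMZ, 21),                    # FTP server
    Rule(LAN, DMZ, 21),                         # publishing content to the DMZ
    Rule(LAN, DMZ, 3389),                       # remote management (assumed: RDP)
    Rule(DMZ, SECURE, 5432),                    # database access (assumed: PostgreSQL)
    Rule(INTERNET, LAN, 25, dst_host="mail"),   # SMTP in, to the mail server only
]
# Remote users come in over a VPN terminated on the firewall itself, so no
# other Internet-to-LAN rule is needed.


def is_allowed(policy, src, dst, dport, dst_host="*"):
    """Would the firewall accept a connection from zone src to dst_host:dport in dst?

    Asking with dst_host="*" means "any host in dst", which a rule that is
    limited to one named host does not satisfy.
    """
    return any(
        r.src == src and r.dst == dst and r.dport == dport
        and r.dst_host in ("*", dst_host)
        for r in policy
    )


def reachable_from(policy, start):
    """Zones an attacker holding a host in `start` can open connections into,
    directly or by pivoting through each zone reached along the way."""
    reached, queue = set(), deque([start])
    while queue:
        zone = queue.popleft()
        for r in policy:
            if r.src == zone and r.dst != start and r.dst not in reached:
                reached.add(r.dst)
                queue.append(r.dst)
    return reached


def audit(policy):
    """Return a description of every way the policy breaks the article's zoning."""
    problems = []
    for r in policy:
        if r.src == SECURE:
            problems.append(f"{r}: the secure zone only accepts connections, it never opens them")
        if r.src == INTERNET and r.dst == SECURE:
            problems.append(f"{r}: nothing on the Internet may reach the secure zone directly")
        if r.src == INTERNET and r.dst == LAN and (r.dport != 25 or r.dst_host == "*"):
            problems.append(f"{r}: the only Internet-to-LAN flow is SMTP to the named mail server")
    # Transitive check: a pivot through another zone counts as much as a direct rule.
    if LAN in reachable_from(policy, DMZ):
        problems.append("a compromised DMZ host could open connections into the LAN")
    return problems


if __name__ == "__main__":
    print("DMZ host compromised, can reach:", sorted(reachable_from(POLICY, DMZ)))
    print("Problems with the article's policy:", audit(POLICY))
    # A well-meant "let the database server push reports to the LAN" rule
    # turns the secure zone into a pivot from the DMZ into the LAN.
    leaky = POLICY + [Rule(SECURE, LAN, 445)]
    for problem in audit(leaky):
        print("PROBLEM:", problem)
```

The transitive check in `audit` is the part worth keeping when adapting this to a real ruleset: the individual rules in `leaky` each look harmless on their own, but together they give a compromised web server a two-hop path onto the LAN, which is exactly the outcome the separate zones were built to prevent.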