Secure DMZ web server configuration Device

Source: Internet
Author: User

Q: I need to put a web server into the DMZ, and the server needs to access data on a network-attached storage (NAS) box on the intranet. Are there any best practices for building a secure DMZ web server?

A: This is a good question, and one we encounter often. Generally, you want to separate network-facing systems from their supporting components and put each in its own dedicated space (for example, separated from the intranet).

Extending this idea, to give the DMZ web server the best possible security level, consider placing the NAS device on its own dedicated network segment. That way, if the web server is compromised, collateral damage is minimized: the segmentation reduces the risk of an attacker reaching the NAS box and other networks. It also gives you a strategic choke point at which to monitor for malicious activity. An example of such a deployment is an inline web application firewall (WAF) or intrusion prevention system (IPS) protecting downstream links, such as the links on the DMZ interface.

From the Internet perspective, I will implement appropriate inbound access control lists (ACLs) and try to restrict access to the NAS. For example, built-in firewall security restrictions can prevent traffic from untrusted interfaces (such as the Internet or the DMZ) from flowing to trusted interfaces (such as the intranet). In addition, access to the network-facing DMZ should be limited to the appropriate application ports, such as TCP port 80 and TCP port 443. Consider enforcing a strict outbound ACL to control traffic from the intranet to the DMZ.

All the other traditional server hardening rules apply, especially in the DMZ. If you are mainly handling static content on the NAS, consider some type of file integrity monitoring system. Tripwire provides a commercial product, and AIDE is an open source tool that you can find on SourceForge.
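The ACL policy described in the answer can be checked mechanically before it goes onto a firewall. The following is an added example, not part of the original answer: it models a first-match rule list and reports any allowed flow that breaks the segmentation. The zone names, the NFS port 2049 for NAS access, the SSH admin port 22 and first-match evaluation are all assumptions.

```python
from dataclasses import dataclass
from itertools import product
from typing import Optional

NFS = 2049  # assumed storage port; the page does not say how the NAS is reached
ZONES = ("internet", "dmz", "nas", "intranet")

@dataclass(frozen=True)
class Rule:
    src: str             # source zone, "*" matches any
    dst: str             # destination zone, "*" matches any
    port: Optional[int]  # TCP destination port, None matches any
    action: str          # "allow" or "deny"

# Constructed policy, evaluated top-down with first match winning.
POLICY = [
    Rule("internet", "dmz", 80, "allow"),
    Rule("internet", "dmz", 443, "allow"),
    Rule("dmz", "nas", NFS, "allow"),      # web server reads its content from the NAS
    Rule("intranet", "dmz", 22, "allow"),  # strict outbound ACL: admin port only (assumed)
    Rule("*", "*", None, "deny"),          # default deny
]

def decide(policy, src, dst, port):
    for r in policy:
        if r.src in ("*", src) and r.dst in ("*", dst) and r.port in (None, port):
            return r.action
    return "deny"  # nothing matched: fail closed

def probe_ports(policy):
    # Every port a rule names, plus one witness port standing for all the others.
    named = {r.port for r in policy if r.port is not None} | {80, 443, NFS}
    return sorted(named | {next(p for p in range(1, 65536) if p not in named)})

def broken_rule(src, dst, port):
    if dst == "intranet" and src in ("internet", "dmz"):
        return "untrusted zone reaches intranet"
    if src == "internet" and dst == "nas":
        return "Internet reaches NAS"
    if src == "internet" and dst == "dmz" and port not in (80, 443):
        return "DMZ exposed on a non-web port"
    if src == "dmz" and dst == "nas" and port != NFS:
        return "DMZ reaches NAS beyond the storage port"

def violations(policy):
    """Allowed flows that break the segmentation described in the answer."""
    return [(s, d, p, broken_rule(s, d, p))
            for s, d, p in product(ZONES, ZONES, probe_ports(policy))
            if s != d and decide(policy, s, d, p) == "allow" and broken_rule(s, d, p)]
```

Because evaluation is first-match, a single broad allow placed above the specific rules shadows them; running `violations()` on every rule change catches that before deployment.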
