As the means of compromising Web servers continue to multiply, deploying a secure Web server is becoming increasingly difficult. No longer is the threat of attack, intrusion or denial of service limited to highly trained, well-educated rogue programmers and crackers; now just about anyone with a motive or a grudge can download easy-to-modify scripts or GUI tools and implement a campaign of destruction against any server on the Internet.
For small companies, this danger is usually not limited to their Web servers connected to the Internet but threatens their private networks as well. This double-jeopardy condition exists when the public Web server is connected to the same network as the private network and both share the same pipeline to the Internet. In such situations, if the Web server is compromised, it is very likely that information gleaned from that system can be used to infiltrate the rest of the network.
Fortunately, there is a design configuration that will allow a small company to employ a single Internet connection and maintain local control and access to their Web server but provide significantly more protection for the private network. This design is loosely known as isolation domains. An isolation domain configuration consists of one domain for the private network and another distinct domain for the Web server. For now, let's label the first domain the private domain and the second domain the Web domain. The Web domain should include the Web server as well as any other servers needed to support the applications and services provided by the organization over the Web. The Web domain needs to be deployed in such a way that if communications with the private domain are completely severed, it can continue to offer uninterrupted services to the Internet.
The Web domain should use leased IP addresses, but the private domain should use private IP addresses. A firewall and/or proxy should be deployed to grant the private domain clients access to Internet resources. This configuration isolates the activities of the Web domain from the private domain. If the Web domain is compromised, the private domain remains uncompromised.
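One way to check an address plan and firewall rule list against this design, as an added example that is not part of the original article. The rule format (action, initiator network, destination network), the sample networks and the function names are assumptions, and 203.0.113.0/28 is a documentation range standing in for the leased block.

```python
import ipaddress

# RFC 1918 private ranges, listed explicitly (ipaddress.is_private also
# matches documentation ranges, which would confuse the sample data).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(net):
    return any(net.subnet_of(r) for r in RFC1918)

def audit(web_net, private_net, rules):
    """Return a list of findings; an empty list means the plan fits the design.

    rules: (action, src, dst) tuples describing who may INITIATE a
    connection to whom (assumed stateful firewall; hypothetical format).
    """
    web = ipaddress.ip_network(web_net)
    priv = ipaddress.ip_network(private_net)
    findings = []
    if not is_rfc1918(priv):
        findings.append("private domain is not on private (RFC 1918) addresses")
    if is_rfc1918(web):
        findings.append("Web domain is on private addresses, not leased ones")
    if web.overlaps(priv):
        findings.append("Web and private domains share address space")
    for i, (action, src, dst) in enumerate(rules):
        if action != "allow":
            continue
        s, d = ipaddress.ip_network(src), ipaddress.ip_network(dst)
        # Any allowed flow that can reach the private domain must start there.
        if d.overlaps(priv) and not s.subnet_of(priv):
            findings.append(f"rule {i}: {src} -> {dst} lets outside "
                            "traffic into the private domain")
    return findings

# Constructed sample data.
WEB, PRIVATE = "203.0.113.0/28", "192.168.10.0/24"
GOOD = [("allow", "0.0.0.0/0", WEB),      # Internet reaches the Web domain
        ("allow", PRIVATE, "0.0.0.0/0")]  # private clients go outbound
BAD = GOOD + [("allow", WEB, PRIVATE)]    # Web domain may open sessions inward

if __name__ == "__main__":
    for name, rules in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit(WEB, PRIVATE, rules) or "no findings")
```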
However, there is one more hurdle to address: being able to administer the Web domain from a private domain client. This can be accomplished through several means. First, you could deploy a trust between the two domains. However, this opens up breach possibilities if the Web domain is compromised. Second, you could deploy remote control software such as PCAnywhere or Tridia VNC. Third, you could deploy IPX as the only protocol on the private domain and as the communication protocol between the private domain and the Web domain. Then deploy an IPX-to-IP gateway, such as Proxy Server 2.0 or ISA Server. Such a configuration will enable the IPX clients to access Internet (IP) resources while completely eliminating the ability for any IP client from the Internet or a compromised Web domain system to gain access into the private domain.
James Michael Stewart is a researcher and writer for Lanwrights, Inc.
This was first published in September 2002