Tip

Web Server Isolation Domain

As the means of compromising Web servers continue to multiply, deploying a secure Web server is becoming increasingly difficult. No longer is the threat of attack, intrusion or denial of service limited to highly-trained well-educated rogue programmers and crackers; now just about anyone with a motive or a grudge can download easy-to-modify scripts or GUI interface tools and implement a campaign of destruction against any server on the Internet.

For small companies, this danger is usually not limited to their Web servers connected to the Internet but threatens their private networks as well. This double-jeopardy condition exists when the public Web server is connected to the same network as the private network and both share the same pipeline to the Internet. In such situations, if the Web server is compromised, it is very likely that information gleaned from that system can be used to infiltrate the rest of the network.

Fortunately, there is a design configuration that will allow a small company to employ a single Internet connection and maintain local control and access to their Web server but provide significantly more protection for the private network. This design is roughly known as using isolation domains. An isolation domain configuration consists of one domain for the private network and another distinct domain for the Web server. For now, let's label the first domain the private domain and the second domain the Web domain. The Web domain should include the Web server as well as any other servers needed to support the applications and services provided by the organization over the Web. The Web domain needs to be deployed in such a way so that if communications with the private domain are completely severed, it can continue to offer uninterrupted services to the Internet.

The Web domain should use leased IP addresses, but the private domain should use private IP addresses. A firewall and/or proxy should be deployed to grant the private domain clients access to Internet resources. This configuration isolates the activities of the Web domain from the private domain. If the Web domain is compromised, the private domain is uncompromised.

However, there is one more hurdle to address -- namely being able to administer the Web domain from a private domain client. This can be accomplished through several means. First, you could deploy a trust between the two domains. However, this opens up breach possibilities if the Web domain is compromised. Second, you could deploy a remote control software such as PCAnywhere or Tridia VNC. Third, you could deploy IPX as the only protocol on the private domain and as the communication protocol between the private domain and the Web domain. Then deploy an IPX-to-IP gateway, such as Proxy Server 2.0 or ISA Server. Such a configuration will enable the IPX clients to access Internet (IP) resources while completely eliminating the ability for any IP client from the Internet or a compromised Web domain system to gain access into the private domain.


James Michael Stewart is a researcher and writer for Lanwrights, Inc.


This was first published in September 2002

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.