Go Back   City-Data Forum > General Forums > Science and Technology > Computers
Old 07-26-2011, 06:05 PM
 
11,715 posts, read 36,345,192 times
Reputation: 7514


The office has two Windows 2008 Servers. They are both domain controllers, DNS, DHCP, file/print servers and one hosts an in-house accounting system. Everything is behind a NAT router connected to the Internet via dual bonded T-1's.

The public web site which has a shopping cart is hosted off-site. Currently, web orders must be hand entered into the accounting system as if they were phone orders. They'd like to automate the process so the shopping cart can enter orders directly into the system.

It has been suggested that the web site be brought in-house and run in a Hyper-V instance on one of the servers. Windows 2008 Web Server Edition with IIS and MySQL would be installed in the VM. The connection between the web server with the shopping cart and the accounting system would then be safely behind the NAT router.

The alternative, which the web guys have suggested would be more complex and less secure, would be to leave the web server hosted off-site and have it communicate with a secondary web server in a VM which would then in turn communicate with the accounting system. Only the public web server would need access to this secondary web server so access could be restricted by IP address.

I know running any public server requires constant attention to security. I also know that running a public server on a domain controller is a bad idea, but does running it in a VM mitigate this? It's still the same physical box, sharing the same physical Ethernet interface, so is there a greater risk to the network by having it in a VM rather than on a separate box on the LAN?

I don't believe the web site sees a ton of traffic which is why they suggested running it in a VM. But of course, should that server ever go down (or even simply need a reboot), the site is down until it gets fixed. But my big concern is over security. I've read checklists for securing IIS, know about IIS Lockdown Tool, and of course the basics like keeping the OS and apps patched. But what else can be done to keep it secure, should they take the server in-house? Are there 3rd party tools that can be installed on the server that help protect the server?

 
Old 07-26-2011, 06:53 PM
 
Location: Silicon Valley
3,685 posts, read 8,499,173 times
Reputation: 2978
Quote:
Originally Posted by EscapeCalifornia
I know running any public server requires constant attention to security. I also know that running a public server on a domain controller is a bad idea, but does running it in a VM mitigate this? It's still the same physical box, sharing the same physical Ethernet interface, so is there a greater risk to the network by having it in a VM rather than on a separate box on the LAN?
This is based on gut feel, rather than actual knowledge and/or experience, so take it with a large grain of salt. This is not my field of expertise, nor what I do for a living. Also, this is only applicable to VMware, not Hyper-V.

My gut feel is that it is easier to secure the VM. The reason I say this is that to secure the physical machine you have to run the agent on the machine itself, leaving it vulnerable to whatever it is you're trying to protect yourself against. With the VM, the agent can actually run on the system that is hosting the VM, not within the VM itself, so it is less vulnerable, and therefore, more secure. I'm thinking about the products from McAfee and Trend Micro that use the VMsafe APIs to probe and monitor the VM from the outside.
 
Old 07-26-2011, 10:54 PM
 
Location: HoCo, MD
4,596 posts, read 8,201,672 times
Reputation: 5160
Regardless of whether you're running a VM or a physical box, you should keep your external services segregated from your internal systems (i.e. in a DMZ). Unsecured inbound requests should never be allowed to touch internal systems; they should always communicate with a relay in the DMZ (be it mail, www, remote access etc).

With that - you would never run a service that is directly accessible from the outside on a DC. As for running it in a VM on the DC... are you referring to products like VMware Server/Workstation? They should not be used for production systems - these are normally for test/development environments as you're dependent on the host OS to manage the resources.... Production systems should really be run on dedicated hypervisors (i.e. ESX). I don't know enough about MS's Hyper-V product to comment on them.. but I'm assuming they have parallel solutions to VMware's.

If you run two VMs on one box (one being the DC and the other being the WWW), I know in VMware you can still segregate them using VLANs on a virtual switch - and you'd simply make sure they are on the appropriate VLANs (DMZ vs. production). Although my first inclination would be to actually run them on separate boxes (i.e. a physical box in the DMZ for outbound service VMs and one internally for internal services) - but I don't know your budget limits....

Also - you mentioned a router running NAT.... do you have a firewall protecting your network or are you just using ACLs on the router?

In terms of other security mechanisms... You probably should do a risk assessment to understand the threats/vulnerabilities you're facing so you can adequately address them.

Last edited by macroy; 07-26-2011 at 11:23 PM..
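The segregation rule in the post above (outside traffic only ever reaches a relay in the DMZ) and the IP-restricted relay from the original question can be checked mechanically against a firewall's allow list. This is an added example, not code from any poster; the addresses, ports, rule format and the three rule sets are constructed assumptions.

```python
import ipaddress

# Constructed addressing plan (assumptions, not values from the thread).
INTERNAL = ipaddress.ip_network("10.0.0.0/24")        # DCs, accounting system
DMZ = ipaddress.ip_network("192.168.50.0/24")         # externally reachable VMs
RELAY = ipaddress.ip_network("192.168.50.20/32")      # secondary web server
ACCOUNTING = ipaddress.ip_network("10.0.0.5/32")      # accounting host
HOSTED_WEB = ipaddress.ip_network("203.0.113.10/32")  # off-site shopping cart

def audit(rules):
    """Return findings for allow rules that break the segregation policy.

    rules: iterable of (src_cidr, dst_cidr, dst_port) allow rules;
    traffic not listed is assumed denied.
    """
    findings = []
    for src, dst, port in rules:
        s, d = ipaddress.ip_network(src), ipaddress.ip_network(dst)
        # A source is "outside" unless it lies wholly in a local zone.
        outside = not (s.subnet_of(INTERNAL) or s.subnet_of(DMZ))
        if outside and d.overlaps(INTERNAL):
            why = "outside traffic reaches an internal system"
        elif outside and d.overlaps(RELAY) and s != HOSTED_WEB:
            why = "relay not restricted to the hosted web server"
        elif s.subnet_of(DMZ) and d.overlaps(INTERNAL) and (s, d) != (RELAY, ACCOUNTING):
            why = "DMZ-to-internal access wider than relay to accounting"
        else:
            continue
        findings.append((src, dst, port, why))
    return findings

# Design 1: public site in a VM on the internal LAN, port-forwarded through NAT.
IN_HOUSE_ON_LAN = [("0.0.0.0/0", "10.0.0.8/32", 443)]
# Design 2: off-site site talks only to a relay VM in the DMZ.
RELAY_IN_DMZ = [
    ("203.0.113.10/32", "192.168.50.20/32", 443),
    ("192.168.50.20/32", "10.0.0.5/32", 8443),
]
# Design 2 with the source-IP restriction forgotten.
RELAY_OPEN = [("0.0.0.0/0", "192.168.50.20/32", 443), RELAY_IN_DMZ[1]]

if __name__ == "__main__":
    for name, rules in [("in-house on LAN", IN_HOUSE_ON_LAN),
                        ("relay in DMZ", RELAY_IN_DMZ),
                        ("relay, open", RELAY_OPEN)]:
        print(name, audit(rules) or "no findings")
```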
 
Old 07-27-2011, 05:58 PM
 
13,072 posts, read 11,579,462 times
Reputation: 2608
This is generic MS practice (more relative to SQL server setups) and while it isn't everything, it should cover some of your questions concerning security practice in design, implementation, and maintenance of many types of setups.

Security Best Practices Checklist

You can find most of this info in the MCSE/MCITP books as well and specifically related to many questions you might have.

Last edited by Nomander; 07-27-2011 at 06:07 PM..
 
Old 07-27-2011, 06:13 PM
 
13,072 posts, read 11,579,462 times
Reputation: 2608
Quote:
Originally Posted by macroy
In terms of other security mechanisms... You probably should do a risk assessment to understand the threats/vulnerabilities you're facing so you can adequately address them.
That is the best approach off the start as the results of such may allow him to gain a bit more funds to cover a more secure setup.