Help with security design documentation

Discussion in 'Security Software' started by CajunTank, Mar 8, 2006.

  1. CajunTank

    CajunTank Guest

    Hello all, I have a small network consisting of two Windows 2003 servers. One
    is a DC and houses my accounting application. The other is a web server
    (member server) I have on its own DMZ (Cisco 871 router). I have the
    traditional rules defined for access from private to DMZ, DMZ to private, DMZ
    to public, and public to DMZ (the two servers talk to each other via an IPsec
    encrypted tunnel; the application uses Windows authentication instead of
    opening a TCP port or two). The problem is the performance of the application
    on the web server accessing data from the main accounting server (again, the
    only DC). It works, it's just slow. The application provider wants to move the
    web server and web application over to the private DC server. I have
    discussed this with a CISSP who tells me that that's a no-no. I need hard
    facts, i.e. Microsoft or other official documentation stating reasons why.
    Your assistance is appreciated.
    Thanks.
     
    CajunTank, Mar 8, 2006
    #1

  2. If you believe that having three networks (DMZ, public, private) reduces
    your security risk, then it's obviously silly to say "we have a private network
    that we run a public server on, and a DMZ with nothing on it, and a public
    network to talk to the empty DMZ". If you have bothered to classify your
    networks, then obviously you should classify the applications for the appropriate
    networks as well.

    Personally, I think that in most small business and home-office networks,
    one properly configured firewall/router is more effective than three separate
    networks anyhow; but that's just me.

    Your app has a performance issue. Unless you have hundreds of thousands
    of hits per day, IPSec is not the problem.

    Personally, I wouldn't run an application (let alone a publicly accessible
    web app) on a Domain Controller; but that's just me.

    Byron Hynes
    Windows Server
    Microsoft Corporation

    http://spaces.msn.com/members/byronphynes
     
    Byron Hynes [MS], Mar 10, 2006
    #2
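The zone classification argument in the reply above can be made concrete. The following is an added example, not code from the thread or from either poster: it models the three zones and a rule set like the one the original poster describes (public may reach the DMZ web ports; DMZ and private only exchange IPsec, so the accounting application never needs its own TCP port opened), evaluates flows against it with first-match-wins and default deny, and then shows which rule the vendor's proposal (move the web app onto the private DC) forces you to add and why a simple zone lint rejects it. The rule set, port numbers and lint policy are constructed assumptions, not the poster's actual Cisco 871 configuration.

```python
"""Zone policy model for the private / DMZ / public design in this thread.

Added example, not code from the original thread. The rule set, ports and
lint policy below are constructed assumptions chosen to mirror the design
the original poster describes.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    proto: str            # "tcp", "udp", "esp" or "any"
    port: Optional[int]   # None means any port (ESP has no port)
    action: str           # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    port: Optional[int]


def matches(rule: Rule, flow: Flow) -> bool:
    """A rule matches when both zones agree and proto/port are wildcards or equal."""
    if rule.src != flow.src or rule.dst != flow.dst:
        return False
    if rule.proto != "any" and rule.proto != flow.proto:
        return False
    return rule.port is None or rule.port == flow.port


def evaluate(rules: List[Rule], flow: Flow) -> str:
    """First matching rule wins; an unmatched flow is denied (default deny)."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action
    return "deny"


# Constructed baseline mirroring the thread: the public zone reaches only the
# DMZ web ports, and the only thing crossing between DMZ and private is the
# IPsec tunnel (ESP plus IKE on UDP/500). The application's own Windows-
# authenticated traffic rides inside the tunnel, so no app port is opened.
BASELINE: List[Rule] = [
    Rule("public", "dmz", "tcp", 80, "allow"),
    Rule("public", "dmz", "tcp", 443, "allow"),
    Rule("dmz", "private", "esp", None, "allow"),
    Rule("dmz", "private", "udp", 500, "allow"),
    Rule("private", "dmz", "esp", None, "allow"),
    Rule("private", "dmz", "udp", 500, "allow"),
    Rule("private", "public", "any", None, "allow"),
]


def lint(rules: List[Rule]) -> List[str]:
    """Zone classification checks (assumed policy): a less trusted zone must
    never initiate into the private zone, except the IPsec tunnel from the DMZ."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        if r.src == "public" and r.dst == "private":
            findings.append(
                f"public -> private {r.proto}/{r.port}: a public-facing service "
                "is being run inside the private zone; the DMZ is bypassed")
        elif r.src == "dmz" and r.dst == "private" and not (
                r.proto == "esp" or (r.proto == "udp" and r.port == 500)):
            findings.append(
                f"dmz -> private {r.proto}/{r.port}: a DMZ host can initiate "
                "non-IPsec traffic into the private zone")
    return findings


def move_web_app_to(rules: List[Rule], zone: str) -> List[Rule]:
    """Rule set needed to keep the web app reachable from the public zone
    after moving it into `zone` (the vendor's proposal is zone="private")."""
    needed = [Rule("public", zone, "tcp", 80, "allow"),
              Rule("public", zone, "tcp", 443, "allow")]
    return rules + [r for r in needed if r not in rules]


if __name__ == "__main__":
    print("baseline findings:", lint(BASELINE))
    print("after moving the web app onto the private DC:")
    for finding in lint(move_web_app_to(BASELINE, "private")):
        print("  ", finding)
```

Running it prints no findings for the baseline and two for the moved design: every rule that makes the web app reachable on the DC is a public-to-private allow, which is exactly the "private network that we run a public server on" the reply describes. The same check would also flag any temptation to fix the tunnel's slowness by replacing IPsec with a plain TCP allow from DMZ to private.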

  3. CajunTank

    CajunTank Guest

    ??? Not sure if you are quoting me with "we have a private network
    that we run a public server on, and a DMZ with nothing on it, and a public
    network to talk to the empty DMZ". I did not state that anywhere in my
    scenario.
    On further investigation, my IPsec traffic is at about 21Mb/s connectivity
    between my two servers. I am connected 100Mb/s full duplex at the web server
    to the Cisco 871 and it in turn is connected 100Mb/s full duplex to a Linksys
    managed 10/100 switch with a 1000Mb/s port for DC server connectivity. I am
    getting a 3COM 10/100 secure NIC that is supposed to take the load off of my
    PIII for the IPsec load to help speed that 21Mb/s up. But my main question
    still applies of needing some documentation on why setting up the webserver
     
    CajunTank, Mar 10, 2006
    #3
  4. Perhaps I should have written it as "it would be silly for one to say 'we
    have...' " as I was not meaning to attribute a quote to you.

    Is a DMZ more secure? That depends on the risks you (or your organization)
    face. Google for Steve Riley's "Death of the DMZ" sessions/articles for one
    example of the opinion that DMZs are overratted.

    Might I suggest that if you have a production app that is having a sustained
    load of 21Mb/sec that it might be time to invest in something newer than
    a PII processor?

    As far as "documentation" goes, you could look at:
    Protect Your Windows Network by Riley and Johansson
    The Windows Security Resource Kit by Smith, Komar, et al.
    Assessing Network Security by Smith
    Firewalls for Dummies (2nd Ed.) by Komar, Beekelaar and Wettern

    I am sure there are also many consultants that would be happy to do a threat
    analysis for you; but in the end, it has to be you (your firm) that can explain
    why you make the security tradeoffs that you make.

    Byron Hynes
    Windows Server
    Microsoft Corporation

    http://spaces.msn.com/members/byronphynes
     
    Byron Hynes [MS], Mar 11, 2006
    #4
  5. I should not do newsgroups late at night. I meant "overrated" (not "ratted",
    or is that freudian?) and I meant PIII not PII. Sorry about the typos.

    Byron Hynes
    Windows Server
    Microsoft Corporation

    http://spaces.msn.com/members/byronphynes
     
    Byron Hynes [MS], Mar 11, 2006
    #5