Setting up DMZ zone

Hello @balaji.bandi  @Aref Alsouqi  @Marius Gunnerud  @Rob Ingram @Nithin Eluvathingal @Richard Burts @Marvin Rhoads 

 

I have one Web server (VM1) which uses another server as a database server (VM2) and a 3rd server as an application server (VM3). Only the Web server needs access from the internet on port 443. I want to move VM1 (the web server) to the DMZ and then open port 443 for LAN access to it so that internal users can also connect to it.
I am a bit confused between the following things:
1. Should I move all three servers to the DMZ, or just move VM1 to the DMZ and then set up granular access from the DMZ to VM2 and VM3?
2. Which ASA features should I have enabled to make sure the DMZ is inspected at the highest level? Like IPS, AV scan, etc.
3. What other things should I consider when setting up the DMZ?

I am already considering a GoDaddy certificate for encrypted sessions; what else should I keep in mind?

Thanks,


8 Replies

Hi @LovejitSingh1313

Move only the Webserver to the DMZ and permit inbound tcp/443 from the internet. Permit traffic from the webserver in the DMZ to the application and database servers; ensure you permit only the required ports.

Use an FTD instead of ASA if you want to use IPS features.

You could also consider a host based firewall on the webserver in the DMZ.

Restrict outbound access from the DMZ server to the internet.

HTH

balaji.bandi
Hall of Fame

Only the exposed Web Server will be in the DMZ; the rest (Application and DB) should be internal.

You can deploy a 2-leg deployment or a single-leg deployment in the DMZ, depending on the business.

The FQDN should always be CA-certified; GoDaddy is a good idea. Internally you can configure your own DNS with the internal IP address.

BB

Hello @balaji.bandi,

What do 2-leg deployment and single-leg deployment mean?

Hello @Rob Ingram,

What does a host-based firewall do that gateway firewalls are not capable of?

Thanks,

A "leg" is basically referring to an interface of the firewall, where an interface relates to a zone - such as inside, outside and dmz.

A host-based firewall will restrict inbound and outbound connections to/from the webserver itself. This could be useful to prevent lateral movement in the DMZ vlan (assuming you had multiple servers in the same DMZ vlan). This L2 traffic would not be sent via the firewall, so a host-based firewall could be useful in this scenario.

I agree with the suggestions that you should put only the single server which needs to be accessible from the Internet into the DMZ. You should only expose the resource which needs to be accessible. I would suggest that for this server to be accessible from outside that you will need either a static NAT to a dedicated Public IP or will need port forwarding to send Internet originated traffic to the server.

HTH

Rick
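The three-leg layout Rob and Rick describe (outside, inside and a dmz interface; inbound tcp/443 only; a static NAT to a dedicated public IP; and only the required ports from the DMZ host to the application and database servers), written out as ASA configuration. This is an added example, not configuration posted by anyone in the thread. The interface names, the RFC 5737 / RFC 1918 addresses, the 10.0.0.0/24 LAN and the assumed tcp/1433 (SQL) and tcp/8080 (application) ports are illustrative and must be replaced with the real values.

```cisco
! Three "legs": each interface is one zone (addresses assumed)
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.100.1 255.255.255.0
!
! Hosts (addresses assumed). Only the web server lives in the DMZ.
object network WEB-VM1
 host 192.168.100.10
 nat (dmz,outside) static 203.0.113.10
object network DB-VM2
 host 10.0.0.20
object network APP-VM3
 host 10.0.0.30
!
! Internet -> DMZ: nothing but HTTPS to the web server.
! (ASA 8.3+ ACLs match the real, untranslated address.)
access-list OUTSIDE-IN extended permit tcp any object WEB-VM1 eq https
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside
!
! DMZ -> anywhere: only the two application dependencies (ports assumed).
! The final deny blocks every other path from the DMZ, including
! DMZ -> internet, which is the "restrict outbound access" point.
access-list DMZ-IN extended permit tcp object WEB-VM1 object DB-VM2 eq 1433
access-list DMZ-IN extended permit tcp object WEB-VM1 object APP-VM3 eq 8080
access-list DMZ-IN extended deny ip any any log
access-group DMZ-IN in interface dmz
!
! LAN users reach the web server on 443 directly (no NAT needed on
! inside -> dmz); the remaining LAN policy is left as an assumption.
access-list INSIDE-IN extended permit tcp 10.0.0.0 255.255.255.0 object WEB-VM1 eq https
access-list INSIDE-IN extended permit ip 10.0.0.0 255.255.255.0 any
access-group INSIDE-IN in interface inside
```

With this policy the server is still one hop from the LAN, but the only inside-bound connections it can originate are the two ACEs on DMZ-IN; everything else, including any connection toward the internet, is dropped and logged. Internal clients connect to the DMZ address directly, which is where the internal DNS zone balaji mentions fits: resolve the FQDN to 192.168.100.10 inside and to 203.0.113.10 outside.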

Hello @Richard Burts @Rob Ingram @balaji.bandi

Thanks for the feedback.

All three servers are AD domain-joined. As the Web server is moving to the DMZ zone, which is restricted to the Domain Controllers, should I remove it from the domain?

What's the best practice in this case?

Thanks

A DMZ server joining AD is common practice so that people can log in to maintain it, so you have a dual-leg or single-leg deployment.

So you only control with the FW policy to communicate only the limited services required, with a one-direction or bi-directional policy based on the requirement.

BB

If the server you are placing in the DMZ remains connected to the domain, it will require a lot of ports open from the DMZ to the LAN where the Domain Controllers (DC) are located, exposing the DCs to the DMZ, this would be unwise.

 

Ideally the DMZ server would not be joined to the domain and you are only permitting the ports to the inside network to the application servers required for the application to work.
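To make Rob's point about domain membership concrete, here is an added example (not configuration from any poster) of what the DMZ access list would have to carry if VM1 stayed joined to the domain, based on the ports an Active Directory domain member uses to reach a domain controller, next to the two narrow entries needed when it is not domain-joined. The DC address, object names and the 1433/8080 application ports are assumptions.

```cisco
! Assumed addresses (illustrative)
object network WEB-VM1
 host 192.168.100.10
object network DC-01
 host 10.0.0.5
!
! Ports a domain member needs toward a DC: DNS, Kerberos, RPC
! endpoint mapper, LDAP/LDAPS, SMB (SYSVOL, group policy), Kerberos
! password change, global catalog, NTP, and the RPC dynamic range.
object-group service AD-TCP tcp
 port-object eq 53
 port-object eq 88
 port-object eq 135
 port-object eq 389
 port-object eq 445
 port-object eq 464
 port-object eq 636
 port-object range 3268 3269
 port-object range 49152 65535
object-group service AD-UDP udp
 port-object eq 53
 port-object eq 88
 port-object eq 123
 port-object eq 389
 port-object eq 464
!
! Domain-joined DMZ host: SMB, LDAP and 16k dynamic RPC ports open
! from the DMZ into the LAN segment where the DCs sit.
access-list DMZ-IN-DOMAINJOINED extended permit tcp object WEB-VM1 object DC-01 object-group AD-TCP
access-list DMZ-IN-DOMAINJOINED extended permit udp object WEB-VM1 object DC-01 object-group AD-UDP
access-list DMZ-IN-DOMAINJOINED extended deny ip any any log
!
! Not domain-joined: only the application dependencies (ports assumed).
access-list DMZ-IN-STANDALONE extended permit tcp object WEB-VM1 host 10.0.0.20 eq 1433
access-list DMZ-IN-STANDALONE extended permit tcp object WEB-VM1 host 10.0.0.30 eq 8080
access-list DMZ-IN-STANDALONE extended deny ip any any log
!
! Only one of the two can be bound to the interface; this is the one to keep.
access-group DMZ-IN-STANDALONE in interface dmz
```

The contrast is the whole argument: a compromised domain-joined web server gets SMB, LDAP and RPC reachability to a domain controller through the firewall by design, whereas the standalone policy leaves it two TCP ports toward two application hosts. Admin logins to a standalone DMZ host use local accounts or a separate management path rather than domain credentials.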
