Web Servers and Firewall Zones
If you have, or are planning to have, web servers connected to your network, you should consider the security implications.
Web and FTP Servers
Every network that has an Internet connection is at risk of being compromised. While there are several steps you can take to secure your LAN, the only real solution is to close your LAN to incoming traffic and restrict outgoing traffic.
However, some services, such as web or FTP servers, require incoming connections. If you require these services, you should consider whether it is essential that these servers are part of the LAN, or whether they can be placed in a physically separate network known as a DMZ (or demilitarised zone, if you prefer its proper name). Ideally, all servers in the DMZ will be stand-alone servers, with unique logons and passwords for each server. If you require a backup server for machines within the DMZ, then you should acquire a dedicated machine and keep the backup solution separate from the LAN backup solution.
The DMZ will come directly off the firewall, which means that there are two routes in and out of the DMZ: traffic to and from the Internet, and traffic to and from the LAN. Traffic between the DMZ and your LAN is handled completely separately from traffic between your DMZ and the Internet. Incoming traffic from the Internet is routed directly to your DMZ.
Therefore, if a hacker were to compromise a machine within the DMZ, the only network they would have access to would be the DMZ. The hacker would have little or no access to the LAN. It would likewise be the case that any virus infection or other security compromise within the LAN would not be able to spread to the DMZ.
In order for the DMZ to be effective, you must keep the traffic between the LAN and the DMZ to a minimum. In the majority of cases, the only traffic required between the LAN and the DMZ is FTP. If you do not have physical access to the servers, you will also need some form of remote management protocol, such as Terminal Services or VNC.
If your web servers require access to a database server, then you should consider where to place your database. The most secure place to locate a database server is to create yet another physically separate network, called the safe zone, and to place the database server there.
The safe zone is also a physically separate network connected directly to the firewall. The safe zone is by definition the most secure place on the network. The only access to or from the safe zone would be the database connection from the DMZ (and from the LAN, if required).
Exceptions to the rule
The dilemma faced by network engineers is where to put the email server. It requires an SMTP connection to the Internet, yet it also requires domain access from the LAN. If you were to put this server in the DMZ, the domain traffic would compromise the integrity of the DMZ, making it essentially an extension of the LAN. Therefore, in our opinion, the only place you can put an email server is on the LAN, and allow SMTP traffic into this server. However, we would recommend against allowing any form of HTTP access into this server. If your users require access to their mail from outside the network, it would be far more secure to look at some form of VPN solution, with the firewall handling the VPN connections. LAN-based VPN servers allow the VPN traffic onto the network before it is authenticated, which is never a good thing.
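The zone layout described above (Internet, DMZ, LAN, safe zone, with the email-server exception) can be written down as an explicit default-deny policy and checked against sample traffic. The following is an added example, not code from the original article: the zone names, the service-to-port table, the allowed-flow table and the log lines are all constructed here for illustration, and nothing on the page fixes which ports or products are used.

```python
# Zone-policy model for the firewall layout described in this article.
# Added example, not code from the original article. The zone names,
# the service-to-port table, the allowed-flow table and the sample log
# lines below are all constructed for illustration.
import re
from dataclasses import dataclass

# Assumed TCP ports for the services mentioned (the article fixes none).
SERVICES = {
    "http": 80, "https": 443, "ftp": 21, "smtp": 25,
    "rdp": 3389, "vnc": 5900, "db": 1433, "vpn": 1194,
}
PORT_TO_SERVICE = {port: name for name, port in SERVICES.items()}


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    service: str


# Default deny: only these zone-to-zone flows are permitted.
POLICY = frozenset({
    # The Internet reaches only the public web/FTP servers in the DMZ.
    Flow("internet", "dmz", "http"),
    Flow("internet", "dmz", "https"),
    Flow("internet", "dmz", "ftp"),
    # The article's exception: SMTP into the mail server on the LAN,
    # but no HTTP to it; remote mail users come in over VPN instead.
    Flow("internet", "lan", "smtp"),
    # VPN terminates on the firewall, so it authenticates the user
    # before any traffic touches the LAN.
    Flow("internet", "firewall", "vpn"),
    # LAN -> DMZ is kept to a minimum: FTP to publish content plus a
    # remote-management protocol for servers you cannot reach physically.
    Flow("lan", "dmz", "ftp"),
    Flow("lan", "dmz", "rdp"),
    Flow("lan", "dmz", "vnc"),
    # Only the DMZ web servers may reach the database in the safe zone.
    Flow("dmz", "safe", "db"),
})


def is_allowed(src_zone: str, dst_zone: str, service: str) -> bool:
    """Return True only if the flow is explicitly permitted."""
    return Flow(src_zone, dst_zone, service) in POLICY


def evaluate_packet(src_zone: str, dst_zone: str, dst_port: int) -> str:
    """Map a destination port to a service and apply the policy."""
    service = PORT_TO_SERVICE.get(dst_port)
    if service is None:
        return "deny"  # unknown service: default deny
    return "allow" if is_allowed(src_zone, dst_zone, service) else "deny"


def reachable_from(zone: str) -> set:
    """Zones a host in `zone` can open connections to under the policy.

    A blast-radius check: a compromised DMZ host should only be able to
    reach the safe zone's database port, never the LAN.
    """
    return {f.dst_zone for f in POLICY if f.src_zone == zone}


# Constructed firewall log lines (not real output of any product).
SAMPLE_LOG = """\
src=internet dst=dmz dport=443
src=internet dst=lan dport=25
src=internet dst=lan dport=80
src=dmz dst=lan dport=445
src=dmz dst=safe dport=1433
src=lan dst=dmz dport=21
src=internet dst=dmz dport=3389
"""

LOG_RE = re.compile(r"src=(\w+) dst=(\w+) dport=(\d+)")


def audit_log(text: str) -> list:
    """Return (line, decision) pairs; lines that fail to parse are denied."""
    results = []
    for line in text.splitlines():
        m = LOG_RE.fullmatch(line.strip())
        if not m:
            results.append((line, "deny"))
            continue
        src, dst, port = m.group(1), m.group(2), int(m.group(3))
        results.append((line, evaluate_packet(src, dst, port)))
    return results


if __name__ == "__main__":
    for line, decision in audit_log(SAMPLE_LOG):
        print(f"{decision:5} {line}")
    print("reachable from dmz:", reachable_from("dmz"))
```

Running the script shows the HTTP attempt against the LAN mail server and the DMZ-to-LAN SMB attempt both denied, while SMTP into the LAN, FTP from the LAN into the DMZ and the DMZ-to-safe-zone database connection are allowed. `reachable_from("dmz")` returning only the safe zone is the property the article relies on when it says a compromised DMZ host gets little or no access to the LAN.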