
Webserver on office network

  • 10-07-2006 8:28pm
    #1
    Registered Users Posts: 202 ✭✭


    Hi guys

    Hope someone can help.

    I want to host a few of our company sites on our own server in the office. We have an ever fast ;) connection to the net which is unlimited and a fixed IP.

    Can this be done?


Comments

  • Registered Users Posts: 68,317 ✭✭✭✭seamus


    Yes it can.

    But if you don't have someone who knows their networking stuff, then just setting up an internet server on your office network could seriously compromise your security.

    Basically, you should set up a network entirely separated from, and blocked from accessing, your internal office network. Then you need to correctly configure your external firewall to correctly vet and route web traffic (and only web traffic) to your Web Server. Regardless of what OS you use for the server, it needs to be heavily locked down and fully patched.

    To be perfectly honest, for the amount of time it costs to set up, and the amount of risk it presents to the business, you're better off paying for a cheap web hosting package.


  • Registered Users Posts: 431 ✭✭plenderj


    defib wrote:
    Hi guys

    Hope someone can help.

    I want to host a few of our company sites on our own server in the office. We have an ever fast ;) connection to the net which is unlimited and a fixed IP.

    Can this be done?

    Will you be using NAT? If so, you need to set up port forwarding on port 80 (i.e. the HTTP port) on your router to point at your webserver. Otherwise, if using routing, route all packets to the webserver.

    It's probably safest to use NAT. Once you've done that, you'd need to configure your HTTP Server. I recommend using Microsoft's IIS Server.

    How far have you progressed on this idea...?


  • Closed Accounts Posts: 716 ✭✭✭JohnnieM


    Seamus is right on the money


  • Registered Users Posts: 431 ✭✭plenderj


    Setting up a separate network means the webserver needs to be dual homed though - well - it doesn't have to be, but it'd make things a lot easier.


  • Registered Users Posts: 202 ✭✭defib


    plenderj wrote:
    How far have you progressed on this idea...?

    LMAO, just this post. :rolleyes:


  • Registered Users Posts: 68,317 ✭✭✭✭seamus


    plenderj wrote:
    Setting up a separate network means the webserver needs to be dual homed though - well - it doesn't have to be, but it'd make things a lot easier.
    Not really. It doesn't have to be a physically separate network.


  • Registered Users Posts: 431 ✭✭plenderj


    Okay so separate by IP subnets?


  • Registered Users Posts: 68,317 ✭✭✭✭seamus




  • Registered Users Posts: 431 ✭✭plenderj


    I am aware of the concept of a DMZ ;)

    Not all routers have DMZ functionality though


  • Registered Users Posts: 5,335 ✭✭✭Cake Fiend


    One poster on this thread who is giving advice doesn't seem to have a clue about security.

    Here's a hint: it's not Seamus.

    OP, unless you have dedicated IT staff (in both senses of the word), I'd +1 Seamus's suggestion of getting cheap hosting sorted out for several reasons. Even if someone does go to the trouble of setting up a secure web server (hint number 2: not IIS) and firewall configuration, unless it's getting checked regularly, it could be a liability down the line.


  • Registered Users Posts: 68,317 ✭✭✭✭seamus


    plenderj wrote:
    I am aware of the concept of a DMZ ;)

    Not all routers have DMZ functionality though
    :)

    No, they don't. Which is why he should probably go for a managed hosting solution. Trying to secure an office network, and setting up a DMZ with an out-of-the-box Cable/DSL solution would be a big mistake.


  • Registered Users Posts: 431 ✭✭plenderj


    Sico wrote:
    One poster on this thread who is giving advice doesn't seem to have a clue about security.

    Here's a hint: it's not Seamus.

    OP, unless you have dedicated IT staff (in both senses of the word), I'd +1 Seamus's suggestion of getting cheap hosting sorted out for several reasons. Even if someone does go to the trouble of setting up a secure web server (hint number 2: not IIS) and firewall configuration, unless it's getting checked regularly, it could be a liability down the line.

    Tell me, what is the problem with the following:
    Bog-standard DSL router, NAT enabled, port forwarding on port 80 to a webserver running Server 2003 w/IIS with automatic updates turned on?


  • Registered Users Posts: 5,335 ✭✭✭Cake Fiend


    1. No separation of world-accessible host from the internal network. If that host gets owned, your network is owned.
    2. This office most likely does not have technical staff with the expertise and security knowledge of a professional hosting company. Even if the server was set up well in the first place, I doubt it would be audited regularly enough to be certain that it was still secure.
    3. The time and money (in terms of technical staff wages) to set this up properly and have continuous maintenance (plus education on current security threats etc) would probably not be much less than a cheap hosting plan.
    4. Do I really need to go through IIS' vulnerability history?
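
An added example, not part of any post in this thread: a small Python model of the two layouts argued over above (a port forward straight into the office LAN versus a separate server segment), checking which new connections a compromised web server could open. All addresses, the sample ports and the names `FLAT`, `SPLIT`, `allowed` and `audit` are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing (assumption): the thread gives no addresses.
ANY = ip_network("0.0.0.0/0")
LAN = ip_network("192.168.1.0/24")   # office PCs
DMZ = ip_network("192.168.50.0/24")  # separate server segment

def layout(web, segments, rules):
    return {"web": web, "segments": segments, "rules": rules}

# Port forward straight into the office LAN: server and PCs share one segment.
FLAT = layout("192.168.1.10", [LAN], [
    (ANY, ip_network("192.168.1.10/32"), 80, "accept"),  # forwarded web traffic
    (LAN, ANY, None, "accept"),                          # office outbound
])
# Separate segment: the router sits between the server and the office.
SPLIT = layout("192.168.50.10", [LAN, DMZ], [
    (DMZ, LAN, None, "drop"),                            # server never opens into the office
    (ANY, ip_network("192.168.50.10/32"), 80, "accept"), # web traffic only
    (LAN, ANY, None, "accept"),                          # office outbound
])

def allowed(lay, src, dst, port):
    """True if a new connection src -> dst:port would be delivered."""
    src, dst = ip_address(src), ip_address(dst)
    # Same segment: traffic goes over the switch and never reaches the firewall.
    if any(src in net and dst in net for net in lay["segments"]):
        return True
    for s, d, p, action in lay["rules"]:  # first match wins
        if src in s and dst in d and p in (None, port):
            return action == "accept"
    return False  # default drop

def audit(lay, outside="203.0.113.7", office_pc="192.168.1.20"):
    """List violations of 'web traffic only' and 'server cannot reach the office'."""
    findings = []
    if not allowed(lay, outside, lay["web"], 80):
        findings.append("site not reachable from outside on port 80")
    for port in (22, 445, 3389):  # sample non-web ports
        if allowed(lay, outside, lay["web"], port):
            findings.append(f"outside reaches web server on port {port}")
        if allowed(lay, lay["web"], office_pc, port):
            findings.append(f"web server reaches office PC on port {port}")
    return findings

if __name__ == "__main__":
    for name, lay in (("flat", FLAT), ("split", SPLIT)):
        print(name, audit(lay) or "no findings")
```

In the flat layout the router's rules are identical for outside traffic, but every finding comes from the same-segment path, which no router rule can filter.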


  • Registered Users Posts: 431 ✭✭plenderj


    1) Important word being if, which I can only see happening through a vulnerability in a web application. Even a firewall cannot stop a SQL Inject Attack

    2) True, left in-place for years on end it would probably end up vulnerable

    3) Apache hasn't had a perfect record either. IIS6 is nearly a different product compared to IIS5, and Windows Server 2003 is bolted down from the get-go.

    [edit]
    As a side note, I'm not honestly suggesting he hosts the website himself - I can honestly say I think that would be a disaster in the making. I'm merely playing devil's advocate on the security issue
    [/edit]


  • Registered Users Posts: 5,335 ✭✭✭Cake Fiend


    1) If your business holds sensitive information, e.g. credit card details, that's a pretty big IF. And if you ask me, under those circumstances it's not an if, it's a when. Do you think it's uncommon for web servers to be rooted?

    2) A new vulnerability could be discovered an hour after you finished the installation. On a Windows system, that probably wouldn't be patched for a few weeks. Plenty of time to install a rootkit.

    3) If 'not perfect' was the worst thing you could say about IIS, the world would be a better place. And it's funny that you mention that 2003 is 'bolted down' from the get-go, seeing as IIRC it was vulnerable to the RPC DCOM exploit from a couple years back right out of the box. No system can be called 100% perfect, but an effort should certainly be made to be as close to it as possible IMO.


  • Registered Users Posts: 202 ✭✭defib


    OK, so I see this looks like a bad idea.

    Then how about this.

    In the office we have four computers and a LAN plus wifi link for laptops.

    The real pain is the one computer has most of what's needed.

    Would an office server work here?

    Any help would be great?


  • Closed Accounts Posts: 244 ✭✭osmethod


    Can you be more specific with your intentions?

    Do you just want to host the websites so that users within the company only have to see/use them? If so, IIS as mentioned is good enough.

    If you want to host the websites so anyone/everyone on the internet can access them you'd want to think seriously about that i.e. that's what ISPs specialise at...

    If you have specific remote users that you want to give access to then that's another way of doing things!

    osmethod


  • Registered Users Posts: 1,456 ✭✭✭FSL


    If it is just internal users who need access to the web pages then provided they are on a share to which they have access then you do not necessarily need a web server. They can be accessed via any browser using File://[server name]/[share name]/[full path to file]. The file they point to can be an index with links to all the individual sites, all of which reside on a share. No access to the internet is required.

