Opening a port on my router and exposing the server to the internet seems fraught with peril. How do you secure the webserver and segregate it from your internal network?
Are you guys using dual NICs and a DMZ? A dual-firewall type DMZ? Or is there a built-in method for keeping the prying internet world from slogging around my internal network?
I am interested in running a WordPress-driven blog site from the WHS 2011 box and am trying to think out the most secure way of separating the public and private parts of the server.
5 replies to this topic
#1
Posted 06 February 2012 - 09:27 PM
#2
Posted 09 February 2012 - 06:37 PM
I know someone has an opinion....
Hopefully you guys have considered the gaping security hole that is created by opening port 80/443 on your router?
#3
Posted 17 February 2012 - 09:29 AM
Opening port 80 or 443, by itself, should not open the rest of your network to the internet in an "Explorer" way, unless you have a port forwarding rule that also forwards ports 445 and 139 (for NetBIOS and SMB/CIFS), or your server is running web serving software that's horribly unpatched or has gaping vulnerabilities.
Any device making a request to your domain name over port 80 is only going to get the webpage, because the server will be listening and respond with the website as a reply. Now, if you somehow had your port forwarding/port-range forwarding take an external request on port 80 to ports 139 or 445 internally, then that's a different story.
A DMZ would be a great way to segregate your server from the rest of your network, but then your router would have to have a routing entry to let your internal clients know how to reach your DMZ -- otherwise if you use a "home" DMZ setup like what Netgear or Belkin routers do with only a single IP address from your ISP, your server will be the only device able to connect to the Internet at all...
...which, paradoxically, is a pretty good idea, I guess; removing the rest of your network's access to the Internet is a pretty good way to "secure" it from the Internet.
#4
Posted 17 February 2012 - 01:36 PM
Shidoshi, on 17 February 2012 - 09:29 AM, said:
Opening port 80 or 443, by itself, should not open the rest of your network to the internet in an "Explorer" way, unless you have a port forwarding rule that also forwards ports 445 and 139 (for NetBIOS and SMB/CIFS), or your server is running web serving software that's horribly unpatched or has gaping vulnerabilities.
Any device making a request to your domain name over port 80 is only going to get the webpage, because the server will be listening and respond with the website as a reply. Now, if you somehow had your port forwarding/port-range forwarding take an external request on port 80 to ports 139 or 445 internally, then that's a different story.
A DMZ would be a great way to segregate your server from the rest of your network, but then your router would have to have a routing entry to let your internal clients know how to reach your DMZ -- otherwise if you use a "home" DMZ setup like what Netgear or Belkin routers do with only a single IP address from your ISP, your server will be the only device able to connect to the Internet at all...
...which, paradoxically, is a pretty good idea, I guess; removing the rest of your network's access to the Internet is a pretty good way to "secure" it from the Internet.
Agreed, I was wondering if it was possible with WHS2011 to add a second NIC to the server, assign a static IP and then restrict the webserver to that IP only. I know there are NAS devices that will do this. Then you could use a DMZ to contain that connection and increase your security.
#5
Posted 17 February 2012 - 06:51 PM
swearingencj, on 17 February 2012 - 01:36 PM, said:
Agreed, I was wondering if it was possible with WHS2011 to add a second NIC to the server, assign a static IP and then restrict the webserver to that IP only. I know there are NAS devices that will do this. Then you could use a DMZ to contain that connection and increase your security.
As I was saying before, with only one IP address given by your ISP, if you create a DMZ on most home routers, then the DMZ will be the only subnet receiving an IP address and will be the only device capable of reaching the Internet (and being reached from the internet), and without a routing table entry there'd be a pretty good chance your other internet network devices would not know how to find your server internally, either. If you pay for a second IP address from your ISP, then you could assign the second address to your DMZ, configure your second NIC to your DMZ and configure IIS to bind your websites to the DMZ IP address.
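The arrangement described in this reply (a second NIC on a second ISP address, IIS bound to that DMZ address only, SMB/NetBIOS kept off that NIC) as an added PowerShell example; it is not from the thread, and the DMZ address, LAN subnet and site name are assumed placeholders.

```powershell
# Added example, not from the thread. Run as Administrator on WHS 2011
# (Server 2008 R2 / IIS 7.5). All values below are assumed placeholders.
Import-Module WebAdministration

$DmzIp  = '203.0.113.10'      # assumed: address of the second (DMZ) NIC
$LanNet = '192.168.1.0/24'    # assumed: internal subnet
$Site   = 'Default Web Site'  # assumed: IIS site hosting the WordPress blog

# 1. IIS: a "*" binding answers on every NIC, including the internal one.
#    Replace it with a binding on the DMZ address only.
#    (The https binding still needs a certificate assigned in IIS Manager.)
foreach ($port in 80, 443) {
    $proto = if ($port -eq 443) { 'https' } else { 'http' }
    if (Get-WebBinding -Name $Site -IPAddress '*' -Port $port -Protocol $proto) {
        Remove-WebBinding -Name $Site -IPAddress '*' -Port $port -Protocol $proto
    }
    if (-not (Get-WebBinding -Name $Site -IPAddress $DmzIp -Port $port -Protocol $proto)) {
        New-WebBinding -Name $Site -IPAddress $DmzIp -Port $port -Protocol $proto
    }
}

# 2. Firewall: Windows listens for SMB/NetBIOS (445, 139) on every address and
#    cannot be told to skip one, so block those ports on the DMZ address and
#    only accept them from the internal subnet.
netsh advfirewall firewall add rule name="Block SMB on DMZ NIC" dir=in `
    action=block protocol=TCP localport=139,445 "localip=$DmzIp"
netsh advfirewall firewall add rule name="Allow SMB from LAN only" dir=in `
    action=allow protocol=TCP localport=139,445 "remoteip=$LanNet"

# 3. Verify: every web binding should name the DMZ address (no "*" left),
#    and the block rule should be present and enabled.
Get-WebBinding -Name $Site | Select-Object protocol, bindingInformation
netsh advfirewall firewall show rule name="Block SMB on DMZ NIC"
```

After the router forwards 80/443 to the DMZ address, the only inbound path from the internet terminates at IIS; the block rule covers the case where the router's DMZ mode forwards every port rather than just the two intended ones.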
#6
Posted 17 February 2012 - 07:37 PM
Thanks for that, totally makes sense. I think the only way I'd approach this would be the second IP address. Not sure it's worth the expense.
Thanks again.
By the way, I used a solution you posted about refreshing the DLNA table on the server to get new media to show up on other devices. Worked great and now I'm looking to create a script to take care of that little Microsoft oversight...