Web server being accessed internally and externally
Hey Meraki Community,
We have a Meraki MX67 and behind it is a new IIS web server going up. The vendor isn't using an SSL certificate and has asked us to make this available via port 80. Because the web server has to be accessed externally AND from within the office it is on the private VLAN to allow communication.
What is the best way to secure this from a networking/Meraki standpoint?
Yes, we are 100% Meraki across the board, including switches. Good idea on Layer 3 rules. The switches are only layer 2.
So you are saying, use Layer 3 firewall rules to limit it as much as possible to only what it needs? My main concern is a threat coming in where a malicious attacker gains access into the network through the web server and finds a way to hop over to another system. Is that a silly concern?
Not a silly concern at all. The only way to stop users who’ve exploited the server from moving sideways around your network is to physically segregate it all. Which I’m assuming the budget won’t allow?
Darren OConnor | https://www.linkedin.com/in/darrenoconnor/
I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
IMO, a DMZ is always needed when a system is accessed from the internet. Based on the customer requirements I sometimes place the web server in the DMZ. More often, a reverse proxy is placed in a DMZ and that system sends the requests to the server on the local LAN. I do this if the customer wants to have the server in his internal network for whatever reasons.
For the really security-aware customers (well, most of them are not) both the reverse proxy and the server are placed in separate DMZs.
For the reverse-proxy, I personally like to use a Linux-box with NGINX. But that is only a personal preference.
EDIT: I would also place the web server and the database in different DMZs.
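As an added illustration (not code from any poster or from Meraki) of the layout the thread converges on, the script below models MX-style layer 3 outbound rules for separate proxy, web and database DMZs and evaluates a few flows, including a compromised IIS host trying to reach a user workstation. All addresses, VLAN names and the database port are constructed assumptions; WAN inbound port forwarding is not modeled. The "same-vlan" verdict shows why the OP's current placement (IIS on the user VLAN behind layer 2 switches) cannot be protected by firewall rules at all.

```python
import ipaddress

# Constructed addressing for the thread's scenario (an assumption, not the poster's network).
VLANS = {
    "LAN": ipaddress.ip_network("10.0.0.0/24"),          # user workstations; OP's IIS box today
    "DMZ-PROXY": ipaddress.ip_network("10.10.10.0/24"),  # NGINX reverse proxy at 10.10.10.5
    "DMZ-WEB": ipaddress.ip_network("10.10.11.0/24"),    # IIS server at 10.10.11.80
    "DMZ-DB": ipaddress.ip_network("10.10.20.0/24"),     # database at 10.10.20.10
}

# MX layer 3 outbound rules: first match wins, and the MX appends an implicit "allow any".
# Tuple layout: (action, protocol, source CIDR, destination CIDR, destination port or None)
RULES = [
    ("allow", "tcp", "10.10.10.5/32", "10.10.11.80/32", 80),      # proxy -> IIS, port 80 only
    ("allow", "tcp", "10.10.11.80/32", "10.10.20.10/32", 1433),   # IIS -> DB (constructed port)
    ("deny",  "any", "10.10.0.0/16", "10.0.0.0/24", None),        # no DMZ may initiate to user LAN
    ("deny",  "any", "10.10.0.0/16", "10.10.0.0/16", None),       # no DMZ may initiate to another DMZ
]

def vlan_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in VLANS.items() if addr in net), None)

def evaluate(proto, src, dst, dport, rules=RULES):
    """Verdict for a flow initiated from src to dst:dport: 'allow', 'deny', or
    'same-vlan' when the MX never sees it (both hosts share a VLAN; switches are layer 2)."""
    if vlan_of(src) is not None and vlan_of(src) == vlan_of(dst):
        return "same-vlan"
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, rsrc, rdst, rport in rules:
        if rproto != "any" and rproto != proto:
            continue
        if s not in ipaddress.ip_network(rsrc) or d not in ipaddress.ip_network(rdst):
            continue
        if rport is not None and rport != dport:
            continue
        return action
    return "allow"  # MX default at the bottom of the rule list

if __name__ == "__main__":
    flows = [
        ("tcp", "10.10.10.5", "10.10.11.80", 80),     # proxy fetches a page from IIS
        ("tcp", "10.10.11.80", "10.0.0.25", 445),     # compromised IIS tries SMB to a workstation
        ("tcp", "10.10.11.80", "10.10.20.10", 3389),  # IIS tries RDP to the DB host
        ("tcp", "10.0.0.80", "10.0.0.25", 445),       # OP's current layout: IIS on the user VLAN
    ]
    for f in flows:
        print(f, "->", evaluate(*f))
```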