What are the Pros and Cons of web development in the DMZ?

Question : What are the Pros and Cons of web development in the DMZ?

We recently move our web development server (Sun Solaris)to the DMZ.  We use this server for all of our PUBLIC web development.  The server used to be behind the firewall and now it’s in the DMZ.

Are there any best practices for having your public development server in the DMZ?

What are the pros and cons of taking it from behind the firewall and placing it in the DMZ?


Solution: What are the Pros and Cons of web development in the DMZ?

Whether a web server should be in a DMZ or not depends, to some degree, on how you define a DMZ. To me, a DMZ is a network seqgment that is protected almost as well as the network behind a firewall. This can be done protecting the DMZ with a firewall, or by applying access lists on the border router. The firewall method is slightly better as firewalls normally include stateful inspection of the traffic. In either case only those ports related to services that the DMZ servers offer to the Internet (typically 25/tcp,   53/tcp, 53udp, 80tcp, 443/tcp and maybe the FTP ports) are allowed in-bound to the DMZ server(s).

Whether the server is in the DMZ or inside of a firewall it needs to be set up with good security practices in mind. This means religiously keeping the box up to date with respect to security updates, only enabling those services that are absolutely required, and limiting the number of user accounts to the minumum (and make sure that those have really good passwords). Good security practices also mandate not having any of the insecure protocols available (like telnet, rsh, rlogin, ftp, etc) that don’t use encrypted data streams. The need for those is eliminated by installing OpenSSH on the server. If FTP is required, it needs to be implemented via NcFTPD or ProFTP and that service configured to use usernames/passwords that aren’t Solaris accounts and upload/download dirs chrooted. Oh yes, you also need to be running tripwire on the server to detect unathorized changes to critcal utilities and data files and it’s not a bad idea to also set up a DMZ system to run an IDS (Snort or similar).

The advantage to having the web server in the DMZ is that a successful penetration of the web server doesn’t necessarily lead to a compromise of the systems behind the firewall. However, if good security practices aren’t followed, it’s possible for an attacker to gain access to the web server in the DMZ and then gain access to a system inside of the firewall. This presumes that the web server doesn’t need access to some other system, like a database server. If that’s required, the DB server (or any other system that the web server must open a connection to) also be located in the DMZ and secured in the same manner.

The disadvantages of locating a system in the DMZ are that it is harder to manage and monitor, and that the system(s) need to be completely standalone with their own backup devices & S/W.