Best way to achieve this goal?

Posted: Mon Feb 15, 2016 2:55 pm
by rd228
Hi all,

I would like your opinion on what I'm trying to achieve here and the best way to do it.

I have a web server amongst other servers sat on my ESXi box on a Dell R610.

I want to expose my web server to the outside world so I can access it without having to VPN in and access it locally. It's currently residing on my local network, to which, if I want access, I VPN in from outside. It's running some internal stuff like Nagios and other bits and pieces that are password protected, but I also want to run a public page on it too. Keeping it on my local network and opening port 80 I know is clearly a bad idea. I did this once before years ago when I was still learning about networking. Long story short, the web server got hacked... got into the rest of my network and cleared off a 2TB drive of data... luckily I had a backup!

I have thought of two ways of achieving this goal, but I'm not sure which would be the best way to implement, also considering security: keeping the web server separate from the rest of my network should it get compromised.

Option 1:

Using a DMZ

Option 2:

Create a new vSwitch in ESX and put it on a separate VLAN from the rest of my network. Set up firewall rules within MikroTik so that traffic can't come from the web server into my local network, but local network traffic can get into the web server to update the website.

Set up a port forward to port 80 to the web server on that VLAN for external traffic.

-------------------------------------------

Which would be the best option to implement, do you guys think?

Just to add to this in case it helps: I have 6 NIC ports on my ESX host. Currently two are serving my management interface, one for main, one for failover. Two are serving a vSwitch for my guest VMs, one for main, one for failover.

The final two ports are currently not in use.

Thanks in advance for your help

Ross

Re: Best way to achieve this goal?

Posted: Mon Feb 15, 2016 3:27 pm
by rd228
Just to add to this,

I am also running with a dynamic public IP address. Are either of the above options possible with a dynamic IP? I need to expose the web server to the public but keep it separate from the LAN should it get compromised.

Re: Best way to achieve this goal?

Posted: Mon Feb 15, 2016 4:03 pm
by ZeroByte
DMZ would be the way to go.
Create a DMZ network and attach it to the interface where the server is connected.

Set up the pinhole NAT just like you would with any other network, and make sure the forward filter chain blocks new connections from the DMZ to the LAN network. DMZ and LAN can both be masqueraded to the dynamic public IP without any issue.

You'll need a dynamic DNS updater script in order to be able to find your public IP from the remote side.
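A RouterOS configuration that implements the answer above (a DMZ VLAN for the web server, the pinhole NAT, a forward chain that blocks new connections from the DMZ into the LAN, masquerade on the dynamic WAN address and the built-in DDNS), added here as an example rather than taken from the thread. Interface names (ether1 as WAN, bridge-lan as LAN, VLAN 20 on ether2 as DMZ), the VLAN id and the addresses 192.168.10.0/24, 192.168.20.0/24 and 192.168.20.10 are assumptions.

```routeros
# Added example, not from the thread. Assumed: ether1 = WAN (dynamic IP via
# DHCP client), bridge-lan = LAN 192.168.10.0/24, ether2 carries VLAN 20 from
# the ESXi vSwitch port group = DMZ 192.168.20.0/24, web server 192.168.20.10.
/interface vlan
add name=vlan20-dmz interface=ether2 vlan-id=20

/ip address
add address=192.168.10.1/24 interface=bridge-lan comment="LAN gateway"
add address=192.168.20.1/24 interface=vlan20-dmz comment="DMZ gateway"

# The public address changes, so the pinhole matches on the WAN interface
# instead of a fixed dst-address.
/ip firewall nat
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=192.168.20.10 to-ports=80 \
    comment="pinhole: WAN:80 -> web server"
# One masquerade rule covers both LAN and DMZ on the way out.
add chain=srcnat out-interface=ether1 action=masquerade

/ip firewall filter
# Replies to connections that were already permitted.
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
# LAN may open connections into the DMZ (e.g. to update the site).
add chain=forward in-interface=bridge-lan out-interface=vlan20-dmz action=accept
# LAN may reach the Internet.
add chain=forward in-interface=bridge-lan out-interface=ether1 action=accept
# Internet may reach only the port-forwarded service. dst-nat runs before
# forward, so the destination seen here is already the server's address.
add chain=forward in-interface=ether1 dst-address=192.168.20.10 \
    protocol=tcp dst-port=80 action=accept comment="only the pinhole from WAN"
# New connections from the DMZ into the LAN are dropped and logged so a
# compromised server trying to reach inwards shows up in the log.
add chain=forward in-interface=vlan20-dmz out-interface=bridge-lan \
    action=drop log=yes log-prefix="DMZ->LAN blocked"
# DMZ may still reach the Internet for package updates.
add chain=forward in-interface=vlan20-dmz out-interface=ether1 action=accept
# Anything not matched above is dropped.
add chain=forward action=drop comment="default deny"

# Built-in dynamic DNS so the public IP can be found from outside.
/ip cloud set ddns-enabled=yes
```

The DMZ->LAN drop sits after the established/related accept, so LAN-initiated sessions into the web server keep working while the server cannot open anything towards the LAN; the input chain (traffic to the router itself from the DMZ) still needs its own rules.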