Using a Single-Firewall Configuration

The least expensive option in a small site configuration is to have one firewall separate Internet browsers, your site, and your internal network. This is possible if the firewall contains three network adapters, each connected to one of the three environments.

One place you might want to use just one firewall is in your development environment. For a figure showing a single-firewall configuration, see Small Site Development Environment.

Advantages of the single-firewall solution include the following:

  • The network containing Web servers and database servers is separated physically from the other networks, thereby limiting intrusions into the site. If someone is able to exploit any server that is accessible publicly, they do not have direct access to the internal network.
  • There is only one firewall to purchase and manage.
  • The internal network (containing computers such as the staging server, Business Desk server, or development computers) is not dependent upon the Web site environment to function. If the site has network problems, the internal network does not necessarily lose connectivity.
  • This design is implemented easily in an existing architecture where a firewall is already serving to separate the internal network from the Internet. You might only need to add a third network adapter to the existing firewall.

Disadvantages of the single-firewall solution include the following:

  • The database servers are not separated from the Web servers. Hypertext Transfer Protocol (HTTP) and Hypertext Transfer Protocol Secure (HTTPS) are the only protocols allowed from the Internet to the Web site.
  • An intruder who gains access to a server in the ISP network might gain access to other servers on the site. Additional security is necessary to protect these servers.
  • Communication between Web servers and database servers travels unprotected within the ISP network.
  • Because Commerce Server Business Desk computers share network traffic with Web servers, you need to run HTTPS on the Business Desk computers to ensure the security of data.
  • Some firewall vendors might not support three interfaces.
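
The lists above can be checked against a small model of the three-interface firewall. The following is an added example, not part of the original documentation: the subnets, host addresses, the SQL Server port 1433, and the internal-to-site HTTPS rule are assumptions chosen for illustration. It shows that Internet and site-to-internal traffic is filtered, while Web-to-database traffic stays on one segment and never reaches the firewall.

```python
import ipaddress

# Constructed addressing for the two local firewall interfaces (assumption);
# any address outside these subnets is treated as the Internet interface.
ZONES = {
    "site": ipaddress.ip_network("192.0.2.0/24"),         # Web and database servers
    "internal": ipaddress.ip_network("198.51.100.0/24"),  # staging, development
}

# Forwarding policy: (source zone, destination zone) -> allowed TCP ports.
# The internet->site entry is from the page (HTTP and HTTPS only).
# The internal->site entry is an assumed HTTPS management path.
# Every other zone pair is denied by default.
POLICY = {
    ("internet", "site"): {80, 443},
    ("internal", "site"): {443},
}

def zone_of(ip):
    """Return the firewall interface (zone) an address sits behind."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"

def evaluate(src, dst, port):
    """Classify a TCP flow as 'allow', 'deny', or 'unfiltered'."""
    s, d = zone_of(src), zone_of(dst)
    if s == d:
        # Same segment: the packet is switched locally and the firewall
        # never sees it, so no rule can apply.
        return "unfiltered"
    return "allow" if port in POLICY.get((s, d), set()) else "deny"

# Constructed sample flows: (description, source, destination, port).
FLOWS = [
    ("browser -> Web server HTTPS", "203.0.113.7", "192.0.2.10", 443),
    ("browser -> database server", "203.0.113.7", "192.0.2.20", 1433),
    ("Web server -> internal host", "192.0.2.10", "198.51.100.5", 445),
    ("Web server -> database server", "192.0.2.10", "192.0.2.20", 1433),
]

if __name__ == "__main__":
    for label, src, dst, port in FLOWS:
        print(f"{label:32} {evaluate(src, dst, port)}")
```

The "unfiltered" result for the last flow is why the page calls for additional security on the servers themselves: host-level controls have to cover what the single firewall cannot see.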

See Also

Deploying Your Site

Deploying a Secure Site

Securing Your Site

Upgrading from Site Server 3.0

Migrating the Membership Directory

Copyright © 2005 Microsoft Corporation.
All rights reserved.