I had a question regarding securing our webservers that use IIS. We have 2 options in play. Which one is a better solution to secure IIS from the IIS vulnerabilities, etc.? I know both have advantages and disadvantages.
Here's the setup: a Cisco PIX firewall and an F5 connected to the DMZ in the PIX. The F5 has 2 VLANs: 1.1 and 1.2. VLAN 1.1 has a public IP (example: 22.214.171.124) and VLAN 1.2 has (192.168.0.1).
1) Place the IIS server in the internal network (10.0.0.0) and have the F5 communicate to it to retrieve the pages for Internet users. The Internet users will see a public IP address but obviously the F5 will translate that to the internal IP address in the 10.0.0.0 network. Also, the server needs to communicate to a database on the internal network.
2) Place the IIS server in the F5 VLAN 1.2 network (192.168.0.0) and have F5 communicate to it that way. The server then needs to communicate to the internal network (10.0.0.0) to access a database. Obviously we need to create open ports on the PIX at that point.
Hopefully I made sense.