Cisco Support Community
New Member

Best Security Method

I would appreciate any comments on this subject!

I have a somewhat general question. I have a customer who will be implementing a web site for the registration of park district users. It will provide information but will also take credit card info so that the users can sign up for various programs that the park district offers.

Now normally I would get a Pix 515 or bigger, create a DMZ and put the web server in it. But this web server will need to interact with a transaction server on the inside network (for the above mentioned info and credit cards). The application calls for quite a few ports to be opened between the DMZ and the Inside network. Obviously, I will need to lock down the web server, but I'm just not comfortable with the amount of open ports, etc.

Is there a better way? I had considered Microsoft's method which is to put an ISA server in the DMZ which would VPN through the DMZ to inside interface (I would open the appropriate ports) and connect to another ISA server there. But if the web server is attacked and penetrated I now have a clear shot to my inside network.

Any thoughts?


Re: Best Security Method


Sounds to me like you're planning on using the DMZ like it's supposed to be used. A malicious user first would have to attack the DMZ server through whatever ports it's allowed to get to. They would have to stage a second attack from the DMZ to the inside network. If you add additional layers of security like IPS to inspect that traffic and Host IPS to watch the behavior of your applications you shouldn't have any problems.
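Added example, not part of the original thread or any poster's code: a small audit of DMZ-to-inside permit rules that flags anything broader than one host talking to one host on one port, which is the exposure the question is worried about. It assumes PIX-style `access-list` lines with netmasks and no source-port operators; the ACL name, addresses and ports are constructed placeholders.

```python
# Constructed sample of PIX-style ACL lines for traffic entering from the DMZ.
# ACL name, addresses and ports are placeholders, not values from the thread.
SAMPLE_ACL = """\
access-list dmz_in permit tcp host 192.0.2.10 host 10.0.0.20 eq 1433
access-list dmz_in permit tcp host 192.0.2.10 10.0.0.0 255.255.255.0 eq 445
access-list dmz_in permit tcp host 192.0.2.10 host 10.0.0.20 range 5000 5100
access-list dmz_in permit ip any any
access-list dmz_in deny ip any any
"""

def take_addr(tok):
    """Pop one address spec from tok; return (text, is_single_host)."""
    first = tok.pop(0)
    if first == "any":
        return "any", False
    if first == "host":
        return tok.pop(0), True
    mask = tok.pop(0)
    return f"{first}/{mask}", mask == "255.255.255.255"

def audit(acl_text):
    """Return [(line_no, [problems])] for permit rules broader than host-to-host on one port."""
    findings = []
    for n, line in enumerate(acl_text.splitlines(), 1):
        tok = [t for t in line.split() if t != "extended"]
        if len(tok) < 6 or tok[0] != "access-list" or tok[2] != "permit":
            continue
        proto, rest, problems = tok[3], tok[4:], []
        try:
            (src, src_one), (dst, dst_one) = take_addr(rest), take_addr(rest)
        except IndexError:
            findings.append((n, ["could not parse address fields"]))
            continue
        if not src_one:
            problems.append(f"source {src} is not a single host")
        if not dst_one:
            problems.append(f"destination {dst} is not a single host")
        if proto == "ip":
            problems.append("protocol 'ip' permits every port")
        elif proto in ("tcp", "udp"):
            if not rest:
                problems.append("no destination port given")
            elif rest[0] == "range" and len(rest) >= 3:
                problems.append(f"port range {rest[1]}-{rest[2]} is open")
            elif rest[0] != "eq":
                problems.append(f"port operator '{rest[0]}' matches many ports")
        if problems:
            findings.append((n, problems))
    return findings

if __name__ == "__main__":
    for n, problems in audit(SAMPLE_ACL):
        print(f"line {n}: " + "; ".join(problems))
```

Each flagged rule is one the application owner should be asked to justify or narrow before the DMZ goes live.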


New Member

Re: Best Security Method

Thanks for your response.

Others have been telling me to move to the ASA5500. I would like to try it but don't want to experiment on this customer. I suppose Cisco TAC could help.

I'm not sure how this technology really works just yet and have some more reading to do. That AIM module sounds interesting. Do you know any books out there that cover the ASA5500?