
We are thinking of switching our corporate website from externally hosted and designed, to an internal WordPress server. This is so we can maintain direct control, as well as run our own traffic analysis.

Currently we utilize a Check Point firewall with fairly strict policies, and have no DMZ. How secure would it be to stand up the WordPress server and only allow HTTP and HTTPS access to it from external sources? The server would be virtualized in the same cluster as the rest of our internal servers.

On another note, would this scenario even be considered a DMZ?

Lee Harrison

1 Answer


would this scenario even be considered a DMZ?

Yes. When exposing an internal service to the external world, it's always a best practice to secure your other internal services by putting this public service in a DMZ. Basically, this DMZ will be a new network segment routed by a dedicated firewall interface.

In the case of a single firewall, you will need three interfaces on your firewall:

  1. WAN
  2. LAN
  3. DMZ

Your WordPress server will be attached to the DMZ interface. For this you will have to create a new VLAN on your network where you will place your server. The default gateway of this VLAN should be the IP address of the DMZ interface of your firewall.

Let's say this VLAN is 192.168.1.0/24; your DMZ interface IP address would be e.g. 192.168.1.1 and your server IP would be e.g. 192.168.1.10.

http://en.wikipedia.org/wiki/DMZ_%28computing%29#Single_firewall

You will need to extend this VLAN to your virtualized infrastructure to be able to attach your server to it.

Then, just use your firewall to DNAT HTTP/HTTPS traffic from the public IP to your server.

This way you just allow traffic from the WAN interface to the DMZ interface, so that the LAN cannot be compromised.

krisFR
  • Thank you! Your answer was direct and straight to the point. I've read countless articles that failed to communicate what you said in just a few paragraphs! – Lee Harrison May 29 '15 at 14:52
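
One way to check a rule base against the three-interface layout described in the answer, as an added example that is not part of the original posts and is not Check Point syntax. The `Rule` format, the LAN range `10.0.0.0/8`, the rule names and the sample rules are assumptions constructed for illustration; the DMZ subnet and server address are the ones from the answer.

```python
import ipaddress
from dataclasses import dataclass, field

net = ipaddress.ip_network
DMZ = net("192.168.1.0/24")     # DMZ VLAN from the answer
WEB = net("192.168.1.10/32")    # WordPress server from the answer
LAN = net("10.0.0.0/8")         # assumed internal range
WEB_PORTS = {80, 443}

@dataclass
class Rule:                     # hypothetical rule format for this example
    name: str
    src: str
    dst: str
    ports: set = field(default_factory=set)   # empty set means any port
    action: str = "accept"

def zones(cidr):
    """Zones a CIDR touches; WAN is everything outside LAN and DMZ."""
    n = net(cidr)
    z = {name for name, zone in (("LAN", LAN), ("DMZ", DMZ)) if n.overlaps(zone)}
    if not (n.subnet_of(LAN) or n.subnet_of(DMZ)):
        z.add("WAN")
    return z

def audit(rules):
    """Return (rule name, finding) pairs. Rule order is ignored, so a
    shadowed accept rule is still reported (conservative)."""
    findings = []
    for r in rules:
        if r.action != "accept":
            continue
        src, dst = zones(r.src), zones(r.dst)
        if "LAN" in dst and src & {"WAN", "DMZ"}:
            origin = "/".join(sorted(src - {"LAN"}))
            findings.append((r.name, "reaches LAN from " + origin))
        if "WAN" in src and "DMZ" in dst:
            web_only = net(r.dst).subnet_of(WEB) and r.ports and r.ports <= WEB_PORTS
            if not web_only:
                findings.append((r.name, "WAN to DMZ wider than web server on 80/443"))
    return findings

# Constructed sample rule base (not exported from a real firewall).
SAMPLE = [
    Rule("web-in", "0.0.0.0/0", "192.168.1.10/32", {80, 443}),
    Rule("lan-out", "10.0.0.0/8", "0.0.0.0/0"),
    Rule("wp-to-db", "192.168.1.10/32", "10.0.5.20/32", {3306}),
    Rule("ssh-in", "0.0.0.0/0", "192.168.1.10/32", {22}),
    Rule("cleanup", "0.0.0.0/0", "0.0.0.0/0", action="drop"),
]
```

Calling `audit(SAMPLE)` reports `wp-to-db` and `ssh-in`: the first lets the DMZ host open connections into the LAN, the second exposes more than HTTP/HTTPS to the WAN.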