
Just to start, I fully understand that a web server should be on a separate network, in the DMZ, not connected to the domain (or at least in a different forest). However, I'm a website developer and am making this argument to networking.

I have made the argument that if someone were to gain control of the web server, you wouldn't want a trust relationship to exist between said server and the DC. But I don't fully understand how to validate that this trust relationship would cause a problem.

In other words, how would one go about hacking an enterprise network by gaining access to an on-network web server, and how do these principles change when talking about an Azure VNet with a site-to-site VPN to the local network?

S. Walker

2 Answers

Based on my knowledge, a web server on a separate VNet or subnet is a more secure solution. Please refer to the diagram below:


The web server is on the front end of the network, directly interfacing communication from the Internet. The incoming packets should flow through the security appliances, such as the firewall, IDS, and IPS, before reaching the back-end servers. Internet-bound packets from the workloads can also flow through the security appliances in the perimeter network for policy enforcement, inspection, and auditing purposes, before leaving the network. Additionally, the perimeter network can host cross-premises VPN gateways between customer virtual networks and on-premises networks.

For more information, please refer to this article.

Shui shengbao

Designing your applications to be secure does not change dramatically whether you are deploying to a Cloud IaaS platform or an on-premises platform. The concepts are the same, though there are minor differences. A 2-tier or 3-tier web application deployment conceives that each tier is part of a security domain. The root cause is to limit the impact of compromising one tier from propagating to the other tiers. Usually the frontal part is deployed within a DMZ zone. The frontal tier is directly exposed to the users (public), so it is more vulnerable, but meanwhile it is not supposed to contain sensitive data or data permitting access to the other tiers (encrypted data, no privileged access accounts, maybe a different domain). If the intruder gains access to the frontal tier, then, if the other tiers are deployed in different security zones with limited authorized flows, it will be more difficult for this intruder to easily gain access to them, and thus you can discover the breach before it's too late. Even on Azure, you can apply an NSG to each VM so that it is similar to being in another network; maximizing the security is a good practice. In addition, it's logically easier to hack something within the same VNet or subnet than on another subnet. Finally, you don't need to have another VNet: a different subnet is enough to achieve the same security level, and it simplifies the platform.
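To make the "different subnet plus NSG" point concrete, here is an added example that is not part of either answer: a small evaluator that mimics Azure NSG inbound rule processing (ascending priority, first match wins, then the built-in defaults) and checks whether a proposed rule set on the domain-controller subnet actually blocks the web tier. The VNet addressing, subnet names and rule sets are constructed for the example; Azure's default AllowVnetInBound (65000) and DenyAllInBound (65500) rules are real, the AzureLoadBalancer default is omitted for brevity.

```python
import ipaddress

# Constructed sample addressing for a single VNet
VNET = ipaddress.ip_network("10.0.0.0/16")
WEB_SUBNET = "10.0.1.0/24"   # DMZ / front-end tier
APP_SUBNET = "10.0.2.0/24"   # application tier
DC_SUBNET = "10.0.3.0/24"    # domain controllers

# Azure built-in inbound defaults (AzureLoadBalancer rule omitted)
DEFAULT_INBOUND = [
    (65000, "Allow", "VirtualNetwork", "VirtualNetwork", "*"),
    (65500, "Deny", "*", "*", "*"),
]

def _addr_matches(selector, addr):
    """Match a rule's source/destination field against one address."""
    ip = ipaddress.ip_address(addr)
    if selector == "*":
        return True
    if selector == "VirtualNetwork":
        return ip in VNET
    if selector == "Internet":
        return ip not in VNET
    return ip in ipaddress.ip_network(selector)

def evaluate(rules, src, dst, port):
    """Return 'Allow' or 'Deny' for an inbound flow, first match by priority."""
    for prio, access, rsrc, rdst, rport in sorted(rules + DEFAULT_INBOUND,
                                                  key=lambda r: r[0]):
        if (rport == "*" or int(rport) == port) \
                and _addr_matches(rsrc, src) and _addr_matches(rdst, dst):
            return access
    return "Deny"

# DC subnet NSG with no custom rules: the 65000 default lets any VNet
# address, including the web tier, reach the DCs on every port.
DC_NSG_NAIVE = []
# Hardened: only the app tier may reach the DCs; the web tier is denied
# explicitly at a priority that wins over the 65000 default.
DC_NSG_HARDENED = [
    (100, "Allow", APP_SUBNET, DC_SUBNET, "*"),
    (4000, "Deny", WEB_SUBNET, DC_SUBNET, "*"),
]
# Web subnet NSG: expose only HTTPS to the Internet.
WEB_NSG = [
    (100, "Allow", "Internet", WEB_SUBNET, 443),
    (4000, "Deny", "Internet", WEB_SUBNET, "*"),
]

def web_tier_can_reach_dc(dc_rules, port=389):
    """True if a web-tier host can open an LDAP connection to a DC."""
    return evaluate(dc_rules, "10.0.1.10", "10.0.3.10", port) == "Allow"
```

Running `web_tier_can_reach_dc(DC_NSG_NAIVE)` returns True, showing that a separate subnet alone does not isolate the web tier until an explicit deny (or a narrower allow) is placed ahead of the default VirtualNetwork rule.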