Web servers and Firewall - Maximum Security Against Attack


If you connect web servers to a network, you need to consider the security implications of doing so. Every network that has an Internet connection is at risk of being compromised. There are several steps that you can take to secure your LAN (Local Area Network). The only real solution is to close your LAN to incoming traffic and restrict outgoing traffic.

However, some services such as web or FTP servers require incoming connections. If you require these services, you will need to consider whether it is essential that these servers are part of the LAN, or whether they can be placed on a physically separate network known as a DMZ (or demilitarised zone, to give it its proper name). Ideally, all servers in the DMZ will be stand-alone servers, with unique logons and passwords for each server. If you require a backup server for machines within the DMZ, then you should acquire a dedicated machine and keep the backup solution separate from the LAN backup solution.

The DMZ will come directly off the firewall, which means that there are two routes in and out of the DMZ: traffic to and from the Internet, and traffic to and from the LAN. Traffic between the DMZ and your LAN would be treated totally separately from traffic between your DMZ and the Internet. Incoming traffic from the Internet would be routed directly to your DMZ. Therefore, if attackers were to compromise a machine within the DMZ, then the only network they would have access to would be the DMZ. The attackers would have little or no access to the LAN (Local Area Network). It would also be the case that any virus infection or other security compromise within the LAN would not be able to migrate to the DMZ.

For the DMZ to be effective, you will have to keep the traffic between the LAN and the DMZ to a minimum. In the majority of cases, the only traffic required between the LAN and the DMZ is FTP. If you do not have physical access to the servers, you will also need a remote management protocol such as terminal services, SSH, SCP, or RSYNC.

Database servers
If your web servers require access to a database server, then you will need to consider where to place your database. The best solution is to create another physically separate network, called the secure zone, and to place the database server on it. The secure zone is connected directly to the firewall. The secure zone is by definition the most secure place on the network. The only access to or from the secure zone is the database connection from the DMZ and, if required, the LAN.

Exceptions to the rule
The dilemma faced by network engineers is where to put the email server. It requires an SMTP connection to the Internet, yet it also requires domain access from the LAN. If you were to place this server in the DMZ, the domain traffic would compromise the integrity of the DMZ, making it simply an extension of the LAN. Therefore, the only place you can put an email server is on the LAN, and allow SMTP traffic into this server. If your users require access to their mail from outside the network, it would be far more secure to look at some form of VPN solution.
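As an added example (not part of the original article), the following Python script models the whole zone policy described above as a default-deny rule table: Internet to DMZ for the published services only, LAN to DMZ for FTP and SSH management, DMZ (and optionally LAN) to the secure zone for the database connection only, and the single SMTP exception into the LAN mail server. The interface names, the database port (PostgreSQL's 5432), and the mail server address 192.168.10.25 are assumptions chosen for illustration. `is_allowed` answers whether a new connection may cross the firewall, `zones_reachable_from` shows the blast radius of a compromised zone, and `render_nftables` emits the equivalent nftables forward-chain rules.

```python
from dataclasses import dataclass
from typing import Optional

# Zones named in the article; interface names are assumed for illustration.
INTERNET, LAN, DMZ, SECURE = "internet", "lan", "dmz", "secure"
IFACE = {INTERNET: "wan0", LAN: "lan0", DMZ: "dmz0", SECURE: "db0"}

# Constructed address for the LAN mail server (the article's one exception).
MAIL_SERVER = "192.168.10.25"


@dataclass(frozen=True)
class Rule:
    src: str                        # source zone
    dst: str                        # destination zone
    ports: frozenset                # permitted TCP destination ports
    dst_host: Optional[str] = None  # when set, only this host may be reached


# Every inter-zone flow not listed here is dropped: default deny.
ALLOW_RULES = (
    Rule(INTERNET, DMZ, frozenset({21, 80, 443})),      # published web/FTP services
    Rule(LAN, DMZ, frozenset({21, 22})),                # FTP content push, SSH management
    Rule(DMZ, SECURE, frozenset({5432})),               # database only (port assumed)
    Rule(LAN, SECURE, frozenset({5432})),               # optional LAN -> database access
    Rule(INTERNET, LAN, frozenset({25}), MAIL_SERVER),  # SMTP to the mail server only
)


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    dport: int
    dst_ip: str = "0.0.0.0"  # only examined by host-restricted rules


def is_allowed(pkt: Packet) -> bool:
    """True if a new TCP connection described by pkt may cross the firewall.
    Traffic that stays inside one zone never reaches the forward path."""
    if pkt.src_zone == pkt.dst_zone:
        return True
    for r in ALLOW_RULES:
        if (r.src, r.dst) != (pkt.src_zone, pkt.dst_zone):
            continue
        if pkt.dport not in r.ports:
            continue
        if r.dst_host is not None and pkt.dst_ip != r.dst_host:
            continue
        return True
    return False


def zones_reachable_from(zone: str) -> set:
    """Zones a host in `zone` can open new connections into, i.e. the
    blast radius if a machine in that zone is compromised."""
    return {r.dst for r in ALLOW_RULES if r.src == zone}


def render_nftables() -> list:
    """Emit the same policy as nft commands (assumed interface names).
    Replies to accepted connections are admitted by the conntrack rule."""
    lines = [
        "nft add table inet fw",
        "nft add chain inet fw forward "
        "'{ type filter hook forward priority 0; policy drop; }'",
        "nft add rule inet fw forward ct state established,related accept",
    ]
    for r in ALLOW_RULES:
        ports = ", ".join(str(p) for p in sorted(r.ports))
        host = f"ip daddr {r.dst_host} " if r.dst_host else ""
        lines.append(
            f'nft add rule inet fw forward iifname "{IFACE[r.src]}" '
            f'oifname "{IFACE[r.dst]}" {host}tcp dport {{ {ports} }} '
            "ct state new accept"
        )
    return lines


if __name__ == "__main__":
    # A compromised DMZ host cannot open connections into the LAN.
    print("DMZ -> LAN port 445 allowed:", is_allowed(Packet(DMZ, LAN, 445)))
    print("Zones reachable from the DMZ:", zones_reachable_from(DMZ))
    print("\n".join(render_nftables()))
```

Running the script shows that the DMZ can only reach the secure zone, that the secure zone initiates nothing, and that SMTP from the Internet is accepted only when addressed to the mail server; the printed nft commands are the forward-chain equivalent, with a drop policy so anything not listed is refused.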
