Solved

Server in DMZ

Posted on 2002-04-06
Last Modified: 2010-04-11
Dear all,

We recently received a request from our users that they would like to put one SQL system in the DMZ area and allow public users to access it using port 80.

There is no problem with the standard firewall configuration; however, I have an issue in that the user wants to allow the DMZ SQL server to communicate with the "internal" SQL server using port 1433. Will there be a security hole if I open the initial request from DMZ to "internal" on port 1433?

If there is a security issue, how can a company deal with B2B or B2C in a live solution?

Please advise

Let me summarize:
1) SQL server placed in DMZ for the public with port 80 only
2) Internal SQL needs to talk to the SQL server in DMZ with port 1433 --- I think ok for one-way direction (from internal to DMZ)
3) If the SQL server in DMZ wants to start the initial request using port 1433 (DMZ to internal with port 1433),
is it allowed?

Regards
Edmund
Question by:edmundli
13 Comments
 
LVL 14

Expert Comment

by:chris_calabrese
This is an interesting problem.

First, the point of a DMZ is that you assume that machines in the DMZ can be compromised.

So, putting an SQL server in the DMZ is ok IFF
1.  Your company will not have significant liability if it is compromised (i.e., no financial data, credit cards, or health records)
2.  The SQL server does not make inbound connections to the internal database servers.  This is because the internal database servers undoubtedly have the same vulnerabilities, so if the outer one is crackable, the inner ones are crackable too.

Otherwise, a common strategy is to do something like this

Internet--Firewall--web_server--Firewall--inner_net
                                   |
                           mid-tier_app_and_db_servers
 

Author Comment

by:edmundli
Understood.

Sounds like we should only allow the initial communication to start from internal and not from the internet.


According to your info,

Do you mean that you place the db servers with the web servers, located between the internal firewall and the internet firewall?

I am a bit confused.

Please explain,

How does the traffic flow in terms of a B2B or B2C solution?
 
LVL 14

Expert Comment

by:chris_calabrese
Yeah, the diagram looks like it got redone for me by the software ;-)

Put the db servers between the web servers and the internal net.  Either by having three firewalls or by hanging them in a single-leg DMZ off the internal firewall.

Also the outer firewall might be a well-configured router.
 

Author Comment

by:edmundli
I think the DMZ will be used for these db servers; however, those db servers need to communicate with the internal db server using port 1433.

Does it mean that all requests/initial calls must start from internal?

internal db server -- sends request to DMZ db server, then starts communicating

Am I correct?

 
LVL 14

Expert Comment

by:chris_calabrese
No.  The idea of the three-tier design (web-dmz, apps-dmz, internal) is so that the systems in the apps-dmz can make calls to the internal net without the web-dmz being able to make calls directly to the internal net.
 
LVL 3

Expert Comment

by:trath
My suggestion is simply that you can expect that ANY type of server you stick in the DMZ will be compromised (hacked), that is, except a firewall or security device.  There are other ways to allow access to servers on your local LAN, through specific port addressing on your firewall (tunnelling). Experience tells me to NEVER allow any type of non-secure server out on the DMZ; by doing this you are essentially trusting the user to not put any material of a confidential nature out there, which you can bet they will.
 
LVL 3

Expert Comment

by:hardware123
I think you can do it in 2 ways.
1 is what Chris has mentioned:
  Internet-----Firewall----DMZ----Firewall-----Intranet
                   |        |       |             |
               open port 80 |      open port 1433 |
                            |                     |
                            |                     |
                   Web Server/SQL Server       SQL Server
                       Applications Server        Others
The other way, use 3 interfaces in the firewall and make a DMZ instead of using 2 firewalls:
      Internet-----------Firewall-------------Intranet
               |           |        |             |
         ext.interface    DMZ      int.interface  |
               |           |        |             |
             open port 80  |       open port 1433 |
                           |                      |
                   Web Server/SQL Server       SQL Server
It also depends on which firewall you are using. If you are using a router with 2 interfaces only, the 1st one is the choice. But if you use a more advanced one such as Checkpoint, Novell BorderManager or Nokia Security Appliance, or MS Proxy Server and ISA Server, the 2nd option is available.
 
LVL 14

Expert Comment

by:chris_calabrese
Actually the problem is to create two DMZs, not a single DMZ, which is why I had two firewalls.  You could do this with only one firewall and have two DMZs hang off of it (if your firewall supports at least four interfaces), but most places have a router at the head of their network anyway, and you might as well use this as the outer firewall, but you don't really want more than two interfaces on it lest the ACLs become too difficult to work with.
 
LVL 3

Expert Comment

by:hardware123
"allow the DMZ SQL access have communication with the "internal" SQL server by using port 1433"

I think this statement only states that he wants 1 DMZ only; the internal one is the internal network already.....

There are pros and cons between using 2 firewalls or 1 firewall with 3 or more network interfaces to make a DMZ, such as cost, security or reliability issues.
But anyway, we have many choices to do this :)
 
LVL 4

Accepted Solution

by: anzen (earned 80 total points)

>There is no problem with standard Firewall configure,
>however, I have an issue that the user wants to
>allow the DMZ SQL access have communication with
>the "internal" SQL server by using port 1433. Will
>there is a security hole if I open the initial request
>from DMZ to "internal" with port 1433 ?

Yes. If you assume that the DMZ machine *could* be hacked, you must account that every connection you allow from a DMZ machine to the internal network is a potential security hole. The only way I see to achieve what you need is somewhat "reversing" the connection, that is, the internal server will (in a timely fashion) connect to the DMZ server and exchange data as needed. This way the DMZ server won't have any clue about "penetrating" the firewall, but you'll have the ability to manage the SQL data as needed.

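
Added example (not part of the thread, and not anyone's posted code): a small Python model of the stateful, zone-based firewall policy that chris_calabrese's three-tier layout (web-dmz, apps-dmz, internal) and anzen's "reversed connection" answer each imply. Both policies are run over the same constructed traffic so the difference is visible: under the three-tier rule set the apps tier may initiate 1433 inward, while under the reversed rule set nothing in a DMZ ever initiates toward the internal net and the internal SQL server connects out instead. The zone names, port numbers, the two rule sets, the `Packet` shape and the sample flows are all assumptions made for the demo; `inbound_from_dmz` is the check a practitioner would run on any proposed rule set, since every DMZ-initiated rule into the internal net is a path available to whoever compromises the DMZ host.

```python
"""Zone-based stateful firewall model for the DMZ layouts in this thread.

Added example, not code from the thread.  Zone names, ports, the two
policy sets and the sample flows are all assumptions made for the demo.
"""
from dataclasses import dataclass

INTERNET, WEB_DMZ, APPS_DMZ, INTERNAL = "internet", "web_dmz", "apps_dmz", "internal"
DMZ_ZONES = {WEB_DMZ, APPS_DMZ}

# A policy is the set of (src_zone, dst_zone, dst_port) triples that may
# *initiate* a TCP connection.  Any other SYN is dropped.

# chris_calabrese's three-tier layout: the mid-tier may call inside,
# the web tier may not.
THREE_TIER = {
    (INTERNET, WEB_DMZ, 80),
    (WEB_DMZ, APPS_DMZ, 1433),
    (APPS_DMZ, INTERNAL, 1433),
}

# anzen's reversal: nothing in a DMZ ever initiates toward INTERNAL; the
# internal SQL server connects out on 1433 and moves the data itself.
REVERSED = {
    (INTERNET, WEB_DMZ, 80),
    (WEB_DMZ, APPS_DMZ, 1433),
    (INTERNAL, APPS_DMZ, 1433),
}


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    dst_port: int
    syn: bool       # True only for the first packet of a TCP connection
    conn_id: str    # stands in for the 5-tuple in this toy model


class StatefulFirewall:
    def __init__(self, policy):
        self.policy = set(policy)
        self.established = set()   # conn_ids whose SYN was accepted

    def evaluate(self, pkt):
        """Return 'ALLOW' or 'DENY', tracking accepted connections."""
        if pkt.syn:
            if (pkt.src_zone, pkt.dst_zone, pkt.dst_port) in self.policy:
                self.established.add(pkt.conn_id)
                return "ALLOW"
            return "DENY"
        # Non-SYN packets pass only inside a connection the firewall has
        # already accepted: replies cross the boundary, a stray packet
        # from a DMZ host does not.
        return "ALLOW" if pkt.conn_id in self.established else "DENY"


def inbound_from_dmz(policy):
    """Rules letting a DMZ zone initiate into INTERNAL; each one is a
    path an attacker on a compromised DMZ host can use."""
    return sorted(r for r in policy if r[0] in DMZ_ZONES and r[1] == INTERNAL)


# Constructed traffic exercising the question asked in the thread.
SAMPLE_FLOWS = [
    ("public hit on web tier",     Packet(INTERNET, WEB_DMZ, 80, True, "c1")),
    ("reply to public hit",        Packet(WEB_DMZ, INTERNET, 51000, False, "c1")),
    ("web tier -> internal 1433",  Packet(WEB_DMZ, INTERNAL, 1433, True, "c2")),
    ("apps tier -> internal 1433", Packet(APPS_DMZ, INTERNAL, 1433, True, "c3")),
    ("internal -> apps tier 1433", Packet(INTERNAL, APPS_DMZ, 1433, True, "c4")),
    ("rows back to internal",      Packet(APPS_DMZ, INTERNAL, 52000, False, "c4")),
    ("public hit on 1433",         Packet(INTERNET, WEB_DMZ, 1433, True, "c5")),
    ("stray non-SYN from DMZ",     Packet(APPS_DMZ, INTERNAL, 1433, False, "c6")),
]


def run_policy(policy, flows=SAMPLE_FLOWS):
    """Push the flows through a fresh firewall; return {label: decision}."""
    fw = StatefulFirewall(policy)
    return {label: fw.evaluate(pkt) for label, pkt in flows}


def compare(flows=SAMPLE_FLOWS):
    """Side-by-side decisions under both policies."""
    a, b = run_policy(THREE_TIER, flows), run_policy(REVERSED, flows)
    return {label: (a[label], b[label]) for label, _ in flows}


if __name__ == "__main__":
    for label, (three, rev) in compare().items():
        print(f"{label:28} three-tier={three:5} reversed={rev}")
    print("DMZ-initiated rules into INTERNAL, three-tier:", inbound_from_dmz(THREE_TIER))
    print("DMZ-initiated rules into INTERNAL, reversed:  ", inbound_from_dmz(REVERSED))
```

Running it shows the point both experts make: the web tier's direct 1433 attempt at the internal net is denied under either policy, and the "rows back to internal" packet is allowed under the reversed policy only because the internal server opened that connection itself. `inbound_from_dmz(REVERSED)` is empty, which is the property edmundli settles on; `inbound_from_dmz(THREE_TIER)` lists the one mid-tier rule that a real deployment would have to justify.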
 

Author Comment

by:edmundli
Dear all,

I have read all the discussion above. I found that two firewalls may not be so practical in our company, as we have an E450 SunScreen firewall with 8 interface ports; as a result, I would only consider DMZs within one "powerful firewall".

Meanwhile, I do agree with the security hole issue from anzen that the request must be initiated from the internal system, e.g. the SQL server from the intranet to the DMZ and not from the DMZ to internal. I believe that it is also the main point of how we can deal with this kind of problem.

Thanks to everyone who shared their ideas and experience with me.


