Server in DMZ

Dear all,

We recently had requests from our users who would like to put one SQL system in the DMZ area and allow public users to access it by using port 80.

There is no problem with the standard firewall configuration; however, I have an issue: the user wants to allow the DMZ SQL server to communicate with the "internal" SQL server by using port 1433. Will there be a security hole if I open the initial request from the DMZ to "internal" on port 1433?

If there is a security issue, how can a company deal with B2B or B2C in a live solution?

Please advise.

Let me summarize:
1) The SQL server is placed in the DMZ for the public with port 80 only.
2) The internal SQL server needs to talk to the SQL server in the DMZ with port 1433 --- I think this is OK in one direction (from internal to DMZ).
3) If the SQL server in the DMZ wants to start the initial request by using port 1433 (DMZ to internal with port 1433), is it allowed?

Regards
Edmund
edmundliAsked:
anzenCommented:

>There is no problem with the standard firewall configuration;
>however, I have an issue: the user wants to
>allow the DMZ SQL server to communicate with
>the "internal" SQL server by using port 1433. Will
>there be a security hole if I open the initial request
>from the DMZ to "internal" on port 1433?

Yes. If you assume that the DMZ machine *could* be hacked, you must account for the fact that every connection you allow from a DMZ machine to the internal network is a potential security hole. The only way I see to achieve what you need is somewhat "reversing" the connection: the internal server will (in a timely fashion) connect to the DMZ server and exchange data as needed. This way the DMZ server won't have any clue about "penetrating" the firewall, but you'll have the ability to manage the SQL data as needed.

0
 
chris_calabreseCommented:
This is an interesting problem.

First, the point of a DMZ is that you assume that machines in the DMZ can be compromised.

So, putting an SQL server in the DMZ is ok IFF
1.  Your company will not have significant liability if it is compromised (i.e., no financial data, credit cards, or health records)
2.  The SQL server does not make inbound connections to the internal database servers.  This is because the internal database servers undoubtedly have the same vulnerabilities, so if the outer one is crackable, the inner ones are crackable too.

Otherwise, a common strategy is to do something like this

Internet--Firewall--web_server--Firewall--inner_net
                                   |
                           mid-tier_app_and_db_servers
0
 
edmundliAuthor Commented:
Understand.

Sounds like we should only allow the initial communication to start from internal and not from the internet.


According to your info,

Do you mean that you place the db servers with the web servers, located in between the internal firewall and the internet firewall?

I am a bit confused.

Please explain:

How does the traffic flow in terms of a B2B or B2C solution?
0
 
chris_calabreseCommented:
Yeah, the diagram looks like it got redone for me by the software ;-)

Put the db servers between the web servers and the internal net.  Either by having three firewalls or by hanging them in a single-leg DMZ off the internal firewall.

Also the outer firewall might be a well-configured router.
0
 
edmundliAuthor Commented:
I think a DMZ will be used for these db servers; however, those db servers need to communicate with the internal db server by using port 1433.

Does it mean that all the requests/initial calls must start from internal?

internal db server -- sends request to DMZ db server, then starts communicating

Am I correct?

0
 
chris_calabreseCommented:
No.  The idea of the three-tier design (web-dmz, apps-dmz, internal) is that the systems in the apps-dmz can make calls to the internal net without the web-dmz being able to make calls directly to the internal net.
0
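The initiation-direction rule anzen describes and the three-tier split in the answer above, modelled as an added Python example (not code from the thread or from any firewall product): a toy stateful policy whose zone names and rules are assumed for illustration. It shows that a host in the web-dmz cannot open port 1433 inward, while replies to an internal-initiated pull still pass.

```python
from dataclasses import dataclass

# Assumed zones for the layout discussed in the thread: the Internet, a web DMZ,
# a mid-tier apps/db DMZ, and the internal net. Rules permit NEW connections in
# the listed direction only; replies to an established flow pass automatically,
# which is how internal -> DMZ:1433 can work without opening DMZ -> internal.
ALLOWED_NEW = {
    ("internet", "web-dmz", 80),      # public users reach the web tier
    ("web-dmz", "apps-dmz", 1433),    # web tier queries the mid-tier database
    ("apps-dmz", "internal", 1433),   # only the mid-tier may reach inside
    ("internal", "web-dmz", 1433),    # anzen's "reversed" pull: internal initiates
}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int

class StatefulPolicy:
    """Toy stateful filter: remembers who opened each flow and who may answer it."""

    def __init__(self, allowed=ALLOWED_NEW):
        self.allowed = set(allowed)
        self.established = set()

    def new_connection(self, src, dst, port):
        """Allow and record a flow only if this initiating direction is permitted."""
        if (src, dst, port) in self.allowed:
            self.established.add(Flow(src, dst, port))
            return True
        return False

    def reply(self, src, dst, port):
        """Return traffic passes only if the matching flow was opened from the far side."""
        return Flow(dst, src, port) in self.established

def initiable_from(zone, allowed=ALLOWED_NEW):
    """Zones a compromised host in `zone` could open new connections into."""
    return sorted({dst for src, dst, _ in allowed if src == zone})

def evaluate_thread_scenario():
    """Walk through the flows debated in the thread and return their verdicts."""
    p = StatefulPolicy()
    return {
        "internet->web-dmz:80 new": p.new_connection("internet", "web-dmz", 80),
        "internal->web-dmz:1433 new": p.new_connection("internal", "web-dmz", 1433),
        "web-dmz->internal:1433 reply": p.reply("web-dmz", "internal", 1433),
        "web-dmz->internal:1433 new": p.new_connection("web-dmz", "internal", 1433),
        "apps-dmz->internal:1433 new": p.new_connection("apps-dmz", "internal", 1433),
    }
```

`initiable_from("web-dmz")` is the blast radius of a compromised web tier: it reaches the apps-dmz only, never the internal net.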
 
trathCommented:
My suggestion is simply that you can expect that ANY type of server you stick in the DMZ will be compromised (hacked), except a firewall or security device.  There are other ways to allow access to servers on your local LAN, through specific port addressing on your firewall (tunnelling). Experience tells me to NEVER allow any type of non-secure server out on the DMZ; by doing this you are essentially trusting the user to not put any material of a confidential nature out there, which you can bet they will.
0
 
hardware123Commented:
I think you can do it in 2 ways.
1 is what Chris has mentioned:
  Internet-----Firewall----DMZ----Firewall-----Intranet
                   |        |       |             |
               open port 80 |      open port 1433 |
                            |                     |
                            |                     |
                   Web Server/SQL Server       SQL Server              
                       Applications Server        Others
The other way: use 3 interfaces in the firewall and make a DMZ instead of using 2 firewalls:
      Internet-----------Firewall-------------Intranet
               |           |        |             |
         ext.interface    DMZ      int.interface  |
               |           |        |             |    
             open port 80  |       open port 1433 |
                           |                      |
                   Web Server/SQL Server       SQL Server
It also depends on which firewall you are using. If you are using a router with 2 interfaces only, the 1st one is the choice. But if you use a more advanced one such as Checkpoint, Novell BorderManager or Nokia Security Appliance, or MS Proxy Server and ISA Server, the 2nd option is available.
0
 
chris_calabreseCommented:
Actually the problem is to create two DMZs, not a single DMZ, which is why I had two firewalls.  You could do this with only one firewall and have two DMZs hang off of it (if your firewall supports at least four interfaces), but most places have a router at the head of their network anyway, and you might as well use this as the outer firewall, but you don't really want more than two interfaces on it lest the ACLs become too difficult to work with.
0
 
hardware123Commented:
"allow the DMZ SQL access have communication with the "internal" SQL server by using port 1433"

I think this statement only states that he wants 1 DMZ only; the internal one is the internal network already...

There are pros and cons between using 2 firewalls or 1 firewall with 3 or more network interfaces to make a DMZ, such as cost, security or reliability issues.
But anyway, we have many choices to do this :)
0
 
edmundliAuthor Commented:
Dear all,

I have read all the discussion above. I found that two firewalls may not be so practical in our company, as we have an E450 SunScreen firewall with 8 interface ports; as a result, I would only consider DMZs within one "powerful firewall".

Meanwhile, I do agree with the security hole issue from anzen that the request must be initiated from the internal system, e.g. the SQL server from the intranet to the DMZ and not from the DMZ to internal. I believe that it is also the main point of how we can deal with this kind of problem.

Thanks to everyone who shared their ideas and experience with me.


0