Solved

Server in DMZ

Posted on 2002-04-06
Last Modified: 2010-04-11
Dear all,

We recently had a request from our users: they would like to put one SQL system in the DMZ area and allow public users to access it using port 80.

There is no problem with the standard firewall configuration; however, I have an issue in that the user wants to allow the DMZ SQL server to communicate with the "internal" SQL server using port 1433. Will there be a security hole if I open the initial request from the DMZ to "internal" on port 1433?

If there is a security issue, how can a company deal with B2B or B2C in a live solution?

Please advise.

Let me summarise:
1) SQL server placed in the DMZ for the public, with port 80 only
2) Internal SQL needs to talk to the SQL server in the DMZ using port 1433 --- I think this is OK in one direction (from internal to DMZ)
3) If the SQL server in the DMZ wants to start the initial request using port 1433 (DMZ to internal on port 1433),
is it allowed?

Regards
Edmund
Question by:edmundli


Expert Comment

by:chris_calabrese
ID: 6923197
This is an interesting problem.

First, the point of a DMZ is that you assume that machines in the DMZ can be compromised.

So, putting an SQL server in the DMZ is OK IFF
1.  Your company will not have significant liability if it is compromised (i.e., no financial data, credit cards, or health records)
2.  The SQL server does not make inbound connections to the internal database servers.  This is because the internal database servers undoubtedly have the same vulnerabilities, so if the outer one is crackable, the inner ones are crackable too.

Otherwise, a common strategy is to do something like this

Internet--Firewall--web_server--Firewall--inner_net
                                   |
                           mid-tier_app_and_db_servers

Author Comment

by:edmundli
ID: 6923460
Understood.

It sounds like we should only allow the initial communication to start from internal and not from the Internet.


According to your info,

Do you mean that you place the db servers with the web servers, located between the internal firewall and the Internet firewall?

I am a bit confused.

Please explain:

How does the traffic flow in terms of a B2B or B2C solution?

Expert Comment

by:chris_calabrese
ID: 6923769
Yeah, the diagram looks like it got redone for me by the software ;-)

Put the db servers between the web servers and the internal net.  Either by having three firewalls or by hanging them in a single-leg DMZ off the internal firewall.

Also the outer firewall might be a well-configured router.

Author Comment

by:edmundli
ID: 6923849
I think a DMZ will be used for these db servers; however, those db servers need to communicate with the internal db server using port 1433.

Does it mean that all the requests/initial calls must start from internal?

internal db server -- sends a request to the DMZ db server, then starts communicating

Am I correct?


Expert Comment

by:chris_calabrese
ID: 6923890
No.  The idea of the three-tier design (web-dmz, apps-dmz, internal) is so that the systems in the apps-dmz can make calls to the internal net without the web-dmz being able to make calls directly to the internal net.
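The following checker is an added example, not code from the thread or from any of the posters. It models only the initiating direction of a connection (a stateful firewall returns the reply packets of an allowed session anyway, so the question is always who may open it) and compares three rule sets: the flat DMZ the question asks for, chris_calabrese's three-tier layout, and a pull-only variant in which nothing in a DMZ may open a session inward. Zone names, port numbers and the three policies are assumptions made for the example. The `pivot_hops` walk applies the thread's own assumption that every host reached by an allowed new connection runs the same exploitable software, and reports how many compromised hosts an attacker starting on the Internet needs before reaching the internal zone.

```python
"""Zone-policy checker for the DMZ designs discussed in this thread (added example).
Only *new* connections are modelled; replies of an allowed session are assumed
to pass. Zones, ports and policies below are assumptions for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    src: str              # zone that opens the connection
    dst: str              # zone that accepts it
    dport: Optional[int]  # None matches any destination port
    action: str           # "allow" or "deny"


@dataclass(frozen=True)
class Policy:
    name: str
    rules: List[Rule]     # first match wins; no match means deny

    def may_initiate(self, src: str, dst: str, dport: int) -> bool:
        """May a host in `src` open a new connection to `dst`:`dport`?"""
        for r in self.rules:
            if r.src == src and r.dst == dst and r.dport in (None, dport):
                return r.action == "allow"
        return False

    def pivot_hops(self, start: str) -> Dict[str, int]:
        """Zones an attacker who already owns `start` can reach by opening
        allowed connections, transitively, assuming each host reached that
        way falls to the same bug (the thread's working assumption).
        Value = number of hops (compromised hosts) needed to get there."""
        hops = {start: 0}
        frontier = [start]
        while frontier:
            nxt = []
            for zone in frontier:
                for r in self.rules:
                    if r.src != zone or r.action != "allow" or r.dst in hops:
                        continue
                    probe_port = r.dport if r.dport is not None else 0
                    if self.may_initiate(zone, r.dst, probe_port):
                        hops[r.dst] = hops[zone] + 1
                        nxt.append(r.dst)
            frontier = nxt
        return hops


def inward_initiators(policy: Policy) -> List[Rule]:
    """Allow rules that let a non-internal zone open a session into 'internal'."""
    return [r for r in policy.rules
            if r.action == "allow" and r.dst == "internal" and r.src != "internal"]


# 1) What the question asks for: one DMZ, and the DMZ SQL box may open 1433 inward.
FLAT = Policy("flat-dmz", [
    Rule("internet", "dmz", 80, "allow"),
    Rule("internal", "dmz", 1433, "allow"),
    Rule("dmz", "internal", 1433, "allow"),     # the rule the question is about
])

# 2) Three-tier layout: the web tier may only talk to the mid tier.
THREE_TIER = Policy("three-tier", [
    Rule("internet", "web_dmz", 80, "allow"),
    Rule("web_dmz", "apps_dmz", 1433, "allow"),
    Rule("web_dmz", "internal", None, "deny"),  # explicit, so it survives later edits
    Rule("apps_dmz", "internal", 1433, "allow"),
    Rule("internal", "apps_dmz", 1433, "allow"),
])

# 3) Pull-only: the internal side opens every session; the DMZ may open none.
PULL_ONLY = Policy("pull-only", [
    Rule("internet", "dmz", 80, "allow"),
    Rule("internal", "dmz", 1433, "allow"),
    Rule("dmz", "internal", None, "deny"),
])


if __name__ == "__main__":
    for p in (FLAT, THREE_TIER, PULL_ONLY):
        print(f"{p.name:11s} hops from internet: {p.pivot_hops('internet')}")
        print(f"{'':11s} inward initiators : {inward_initiators(p)}")
```

Running it shows the flat design reaching the internal zone in two hops, the three-tier design in three, and the pull-only design never, which is the difference between the question's rule and anzen's accepted answer expressed as rule sets rather than diagrams.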

Expert Comment

by:trath
ID: 6926017
My suggestion is simply that you can expect that ANY type of server you stick in the DMZ will be compromised (hacked), that is, except a firewall or security device.  There are other ways to allow access to servers on your local LAN, through specific port addressing on your firewall (tunnelling). Experience tells me to NEVER allow any type of non-secure server out on the DMZ; by doing this you are essentially trusting the user to not put any material of a confidential nature out there, which you can bet they will.

Expert Comment

by:hardware123
ID: 6927614
I think you can do it in 2 ways.
The 1st is what Chris has mentioned:
  Internet-----Firewall----DMZ----Firewall-----Intranet
                   |        |       |             |
               open port 80 |      open port 1433 |
                            |                     |
                            |                     |
                   Web Server/SQL Server       SQL Server
                       Applications Server        Others
The other way: use 3 interfaces in the firewall and make a DMZ instead of 2 firewalls:
      Internet-----------Firewall-------------Intranet
               |           |        |             |
         ext.interface    DMZ      int.interface  |
               |           |        |             |
             open port 80  |       open port 1433 |
                           |                      |
                   Web Server/SQL Server       SQL Server
It also depends on which firewall you are using. If you are using a router with 2 interfaces only, the 1st one is the choice. But if you use a more advanced one such as Checkpoint, Novell BorderManager or a Nokia security appliance, or MS Proxy Server and ISA Server, the 2nd option is available.

Expert Comment

by:chris_calabrese
ID: 6928133
Actually the problem is to create two DMZs, not a single DMZ, which is why I had two firewalls.  You could do this with only one firewall and have two DMZs hang off of it (if your firewall supports at least four interfaces), but most places have a router at the head of their network anyway, and you might as well use this as the outer firewall, but you don't really want more than two interfaces on it lest the ACLs become too difficult to work with.

Expert Comment

by:hardware123
ID: 6930583
"allow the DMZ SQL access have communication with the "internal" SQL server by using port 1433"

I think this statement only states that he wants 1 DMZ only; the internal one is the internal network already.....

There are pros and cons between using 2 firewalls or 1 firewall with 3 or more network interfaces to make a DMZ, such as cost, security or reliability issues.
But anyway, we have many choices for doing this :)

Accepted Solution

by:anzen
ID: 6934006

>There is no problem with standard Firewall configure,
>however, I have an issue that the user wants to
>allow the DMZ SQL access have communication with
>the "internal" SQL server by using port 1433. Will
>there is a security hole if I open the initial request
>from DMZ to "internal" with port 1433 ?

Yes. If you assume that a DMZ machine *could* be hacked, you must take into account that every connection you allow from a DMZ machine to the internal network is a potential security hole. The only way I see to achieve what you need is somewhat "reversing" the connection, that is, the internal server will (in a timely fashion) connect to the DMZ server and exchange data as needed; this way the DMZ server won't have any clue about "penetrating" the firewall, but you'll have the ability to manage the SQL data as needed.

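One way to implement the "reversed" connection anzen describes, as an added example that is not code from the thread: a polling job that runs on the internal network, opens the connection outward to the DMZ database, reads everything past a watermark and applies it inside in one transaction. The DMZ host needs no route, listener or credential that points inward; in practice the DMZ login used here would be read-only. `sqlite3` stands in for the two SQL Servers so the example runs offline (a real deployment would swap in a SQL Server driver such as pyodbc for the DMZ connection); the `orders` table, the `watermark` table and the sample rows are constructed for illustration.

```python
"""Pull-based exchange between a DMZ database and an internal one (added example).
The internal side opens every connection. sqlite3 stands in for both SQL Servers;
table layout and sample rows are constructed for illustration."""
import sqlite3
from typing import Dict, List, Tuple

SOURCE = "dmz_orders"   # assumed name for this feed in the watermark table


def make_dmz_db() -> sqlite3.Connection:
    """Public-facing store that the web tier writes orders into (assumed schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, amount_cents INTEGER)")
    db.executemany("INSERT INTO orders(customer, amount_cents) VALUES (?, ?)",
                   [("alice", 1999), ("bob", 500), ("carol", 12000)])   # sample rows
    db.commit()
    return db


def make_internal_db() -> sqlite3.Connection:
    """Internal copy plus a per-source watermark of the last id already pulled."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, amount_cents INTEGER)")
    db.execute("CREATE TABLE watermark (source TEXT PRIMARY KEY, last_id INTEGER NOT NULL)")
    db.execute("INSERT INTO watermark VALUES (?, 0)", (SOURCE,))
    db.commit()
    return db


def pull_orders(dmz: sqlite3.Connection, internal: sqlite3.Connection, batch: int = 100) -> int:
    """One polling cycle, run from the internal network.

    Reads rows the DMZ has appended since the last watermark and applies them
    inside. Rows and the watermark move in a single internal transaction, so a
    crash between fetch and commit simply replays the same rows next cycle;
    INSERT OR IGNORE keeps that replay idempotent. Returns rows applied."""
    (last_id,) = internal.execute(
        "SELECT last_id FROM watermark WHERE source = ?", (SOURCE,)).fetchone()
    rows = dmz.execute(
        "SELECT id, customer, amount_cents FROM orders WHERE id > ? ORDER BY id LIMIT ?",
        (last_id, batch)).fetchall()          # parameterised: DMZ data is untrusted input
    if not rows:
        return 0
    with internal:                            # commit on success, roll back on error
        internal.executemany("INSERT OR IGNORE INTO orders VALUES (?, ?, ?)", rows)
        internal.execute("UPDATE watermark SET last_id = ? WHERE source = ?",
                         (rows[-1][0], SOURCE))
    return len(rows)


def internal_orders(internal: sqlite3.Connection) -> List[Tuple[int, str, int]]:
    return internal.execute(
        "SELECT id, customer, amount_cents FROM orders ORDER BY id").fetchall()


def run_demo() -> Dict[str, object]:
    """Three cycles: initial catch-up, an idle cycle, then one new DMZ row."""
    dmz, internal = make_dmz_db(), make_internal_db()
    first = pull_orders(dmz, internal)
    second = pull_orders(dmz, internal)
    dmz.execute("INSERT INTO orders(customer, amount_cents) VALUES (?, ?)", ("dave", 42))
    dmz.commit()
    third = pull_orders(dmz, internal)
    return {"pulled": (first, second, third),
            "customers": [r[1] for r in internal_orders(internal)]}


if __name__ == "__main__":
    print(run_demo())
```

Scheduling the cycle (a cron entry, a SQL Agent job, or a service that sleeps between runs) gives the "timely fashion" anzen mentions; the firewall rule that makes the design hold is the one permitting internal to DMZ on 1433 and nothing in the opposite direction.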

Author Comment

by:edmundli
ID: 6939505
Dear all,

I have read all the discussion above. I found that two firewalls may not be so practical in our company, as we have an E450 SunScreen firewall with 8 interface ports; as a result, I would only consider DMZs within one "powerful firewall".

Meanwhile, I do agree with the security hole issue from anzen, that the request must be initiated from the internal system, e.g. SQL server from intranet to DMZ and not from DMZ to internal. I believe that it is also the main point of how we can deal with this kind of problem.

Thanks to everyone who shared their ideas and experience with me.