DMZ - is it a solution to my security problems

Posted on 2004-11-22
Last Modified: 2010-04-09
Hi All,

I need some advice on network and web security. I am new to security. I have 2 servers: one is a web server, which also contains an SQL server (I know this is insecure in itself). I also have a file and print server. Both of these are on the LAN. We have a DSL line with a gateway open for HTTP and mail, for outside users to access the website and for us to send and receive mail.

I have been told that the web server should be placed in a DMZ and that the sql server, should be moved from the web server.

However, I need a detailed explanation (in plain English) of how I go about doing this... software and hardware requirements along with configuration settings. Also, what are my options... I mean if it is not feasible for me to buy a new server for the SQL, what other ways can I go about securing the two servers that I have?

Can anybody help me?
Question by:janereid21
    LVL 36

    Expert Comment

    Hi janereid21,
    Firstly you need a good firewall with at least 3 interfaces. Have a look at products such as the Cisco PIX 515-R-DMZ, Sonicwall, and Watchguard.

    Put the web server in the DMZ and move the database to the internal network or preferably a 4th (2nd DMZ) interface on the firewall.
    I would also advise that you put the mail server in the DMZ as well. Ideally there should be no computers on the internal network accepting direct connections from the Internet.

    There is no real way you can secure the database on the web server. If the web server is compromised they will always have access to the database. It depends if there is anything sensitive on the database. If you are using it to hold credit card information then realistically you must relocate it to another server.

    Author Comment

    Thank you so much for your comments,

    Okay so, just to make sure I have this correct.

    I only need one firewall? I've heard that I would need two, one between the WAN and DMZ and then one between the DMZ and the LAN. However, if I only have one it has to have 3 interfaces, one for the WAN, one for the DMZ and one for the LAN.

    The mail and web server should be inside the DMZ, which means the interface for the firewall connecting the WAN to the DMZ should only be open for http and smtp/pop3.

    How would the web server access the information it needs on the SQL server, which would now reside on the LAN? And also, how would the mail clients be configured to collect mail from a server on the DMZ?

    Would the interface for the firewall from the DMZ to the LAN allow connections through ports 25 and 110, and be set to be open for SQL queries? How would this be configured? How would the LAN recognise the IP for the mail server if it is on the DMZ?

    Apologies for all the questions... I'm just trying to straighten this out in my head. I've only been looking into DMZs for the last couple of hours, and although I do get the general idea, I just need more detail to help me to understand how the whole thing is set up.

    Thanks a mil,


    LVL 36

    Accepted Solution

    Yes, you only need a single 3-interface firewall.

    The default rules on most firewalls will permit the internal network to access the DMZ and Internet, and for the DMZ to access the Internet. Everything else is normally denied by default.
    Therefore you need to open ports 25 and 110 for the mail server, and ports 80 and 443 for the web server. In addition you would open the ports used by the database to the internal database server from the web server only.

    The mail clients would normally just access the IP address of the machine in the DMZ if they are on the internal network. If they are on the Internet they access the IP address of the firewall and it will redirect the connection.

    The machines on the LAN will just have the IP address of the firewall defined as their default gateway. The fact that the email server is in the DMZ does not make any real difference to them.

    How you configure the firewall will depend on which model you get. Some are easier to configure than others. The Watchguard firewalls have lots of features which you may find very beneficial. I normally use the Cisco PIX but they are not the easiest to configure.
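The three-zone policy the accepted solution describes, as an added example that is not part of the thread: a small Python model of the single 3-interface firewall with its default allow/deny rules and the explicit holes for mail, web and the database. Host addresses and the database port (1433, the MS SQL default) are assumptions; the page does not name them.

```python
# Added example, not from the thread: a model of the single three-interface
# firewall policy in the accepted answer. Addresses and the DB port (1433,
# the MS SQL default) are assumptions; everything not listed is denied.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional

ZONES = {"LAN": ip_network("192.168.1.0/24"), "DMZ": ip_network("192.168.100.0/24")}
WEB_SERVER, MAIL_SERVER = "192.168.100.10", "192.168.100.20"   # DMZ hosts (assumed)
DB_SERVER, DB_PORT = "192.168.1.50", 1433                        # LAN host (assumed)

def zone_of(ip: str) -> str:
    """Anything outside the two private networks is treated as the WAN."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "WAN"

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    src_host: Optional[str] = None          # None = any host in src_zone
    dst_host: Optional[str] = None          # None = any host in dst_zone
    ports: Optional[FrozenSet[int]] = None  # None = any port

# Defaults the answer describes, plus the explicit holes it says to open.
RULES: List[Rule] = [
    Rule("LAN", "DMZ"),                                   # internal -> DMZ
    Rule("LAN", "WAN"),                                   # internal -> Internet
    Rule("DMZ", "WAN"),                                   # DMZ -> Internet
    Rule("WAN", "DMZ", dst_host=MAIL_SERVER, ports=frozenset({25, 110})),
    Rule("WAN", "DMZ", dst_host=WEB_SERVER, ports=frozenset({80, 443})),
    # Only the web server, only to the DB host, only on the DB port.
    Rule("DMZ", "LAN", src_host=WEB_SERVER, dst_host=DB_SERVER, ports=frozenset({DB_PORT})),
]

def permitted(src: str, dst: str, port: int) -> bool:
    """Default deny: the flow passes only if some rule matches it."""
    sz, dz = zone_of(src), zone_of(dst)
    for r in RULES:
        if (r.src_zone, r.dst_zone) != (sz, dz):
            continue
        if r.src_host not in (None, src) or r.dst_host not in (None, dst):
            continue
        if r.ports is not None and port not in r.ports:
            continue
        return True
    return False
```

The useful property to check is the last rule: a compromised web server can reach only the database port on the database host, not the file and print server or anything else on the LAN.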

    Author Comment

    Thank you grblades,

    You've been extremely helpful in giving me some clarity on the whole DMZ setup.

    The web server and mail server might have to be set up on the same machine... but I will look into that...

    Thanks a lot, much appreciated

