DMZ - is it a solution to my security problems

Hi All,

I need some advice on network and web security. I am new to security. I have 2 servers: one is a web server, which also contains an SQL server (I know this is insecure in itself). I also have a file and print server. Both of these are on the LAN; we have a DSL line with a gateway open for HTTP and mail, for outside users to access the website and for us to send and receive mail.

I have been told that the web server should be placed in a DMZ and that the SQL server should be moved from the web server.

However, I need a detailed explanation (in plain English) of how I go about doing this: software and hardware requirements along with the configuration settings. Also, what are my options? I mean, if it is not feasible for me to buy a new server for the SQL, what other ways can I go about securing the two servers that I have?

Can anybody help me?
Hi janereid21,
Firstly you need a good firewall with at least 3 interfaces. Have a look at products such as the Cisco PIX 515-R-DMZ, Sonicwall, and Watchguard.

Put the web server in the DMZ and move the database to the internal network or, preferably, a 4th (2nd DMZ) interface on the firewall.
I would also advise that you put the mail server in the DMZ as well. Ideally there should be no computers on the internal network accepting direct connections from the Internet.

There is no real way you can secure the database on the web server. If the web server is compromised, they will always have access to the database. It depends on whether there is anything sensitive in the database. If you are using it to hold credit card information, then realistically you must relocate it to another server.
janereid21 (Author) commented:
Thank you so much for your comments,

Okay so, just to make sure I have this correct.

I only need one firewall? I've heard that I would need two: one between the WAN and the DMZ, and then one between the DMZ and the LAN. However, if I only have one, it has to have 3 interfaces: one for the WAN, one for the DMZ and one for the LAN.

The mail and web server should be inside the DMZ, which means the firewall interface connecting the WAN to the DMZ should only be open for HTTP and SMTP/POP3.

How would the web server access the information it needs on the SQL server, which would now reside on the LAN? And also, how would the mail clients be configured to collect mail from a server on the DMZ?

Would the firewall interface from the DMZ to the LAN allow connections through ports 25 and 110, and be set to be open for SQL queries? How would this be configured? How would the LAN recognise the IP for the mail server if it is on the DMZ?

Apologies for all the questions. I'm just trying to straighten this out in my head. I've only been looking into DMZs for the last couple of hours, and although I do get the general idea, I just need more detail to help me understand how the whole thing is set up.

Thanks a mil,


Yes, you only need a single 3-interface firewall.

The default rules on most firewalls will permit the internal network to access the DMZ and the Internet, and the DMZ to access the Internet. Everything else is normally denied by default.
Therefore you need to open ports 25 and 110 for the mail server, and ports 80 and 443 for the web server. In addition, you would open the ports used by the database to the internal database server from the web server only.

The mail clients on the internal network would normally just access the IP address of the machine in the DMZ. If they are on the Internet, they access the IP address of the firewall and it will redirect the connection.

The machines on the LAN will just have the IP address of the firewall defined as their default gateway. The fact that the email server is in the DMZ does not make any real difference to them.

How you configure the firewall will depend on which model you get. Some are easier to configure than others. The Watchguard firewalls have lots of features which you may find very beneficial. I normally use the Cisco PIX but they are not the easiest to configure.
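The rule set described in the two answers above, written out as an added example that is not part of the original thread or of any of the firewall products named in it. It models the three-interface (WAN / DMZ / LAN) policy: the vendor defaults the answer describes (LAN may reach DMZ and Internet, DMZ may reach Internet, everything else denied), the published services on the DMZ hosts, and the single DMZ-to-LAN hole from the web server to the database. The subnets, host addresses and the SQL port (1433, the Microsoft SQL Server default) are assumptions chosen for illustration; the thread does not give them. The last function answers the question the first answer raises: what a compromised web server can still reach on the LAN once the database has been moved.

```python
"""Model of the three-interface DMZ firewall policy discussed in the thread.

Added example, not code from the original post.  Addressing, host roles
and the SQL port are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed addressing (assumption): one subnet per firewall interface.
DMZ_NET = ip_network("192.168.100.0/24")
LAN_NET = ip_network("10.0.0.0/24")

WEB_SERVER = "192.168.100.10"   # DMZ
MAIL_SERVER = "192.168.100.20"  # DMZ
DB_SERVER = "10.0.0.5"          # LAN: the database moved off the web server
FILE_SERVER = "10.0.0.6"        # LAN: file and print server
SQL_PORT = 1433                 # assumption: Microsoft SQL Server default port


def zone_of(ip: str) -> str:
    """Map an address to the firewall interface it belongs to."""
    addr = ip_address(ip)
    if addr in DMZ_NET:
        return "DMZ"
    if addr in LAN_NET:
        return "LAN"
    return "WAN"  # anything not on a local interface arrives from the Internet


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    action: str                         # "allow" or "deny"
    src_host: Optional[str] = None      # None = any host in src_zone
    dst_host: Optional[str] = None      # None = any host in dst_zone
    proto: Optional[str] = None         # None = any protocol
    dports: Optional[frozenset] = None  # None = any destination port

    def matches(self, src: str, dst: str, proto: str, dport) -> bool:
        return (
            self.src_zone == zone_of(src)
            and self.dst_zone == zone_of(dst)
            and (self.src_host is None or self.src_host == src)
            and (self.dst_host is None or self.dst_host == dst)
            and (self.proto is None or self.proto == proto)
            and (self.dports is None or dport in self.dports)
        )


# Evaluated top to bottom, first match wins; no match means deny.
POLICY = [
    # Inbound from the Internet: only the published services, only to DMZ hosts.
    Rule("WAN", "DMZ", "allow", dst_host=WEB_SERVER, proto="tcp",
         dports=frozenset({80, 443})),
    Rule("WAN", "DMZ", "allow", dst_host=MAIL_SERVER, proto="tcp",
         dports=frozenset({25, 110})),
    # DMZ -> LAN: only the web server, only to the DB server, only the SQL port.
    Rule("DMZ", "LAN", "allow", src_host=WEB_SERVER, dst_host=DB_SERVER,
         proto="tcp", dports=frozenset({SQL_PORT})),
    # The defaults the answer describes for most firewalls.
    Rule("LAN", "DMZ", "allow"),
    Rule("LAN", "WAN", "allow"),
    Rule("DMZ", "WAN", "allow"),
]


def evaluate(src: str, dst: str, proto: str = "tcp", dport=None) -> str:
    """Return the action taken for one new connection src -> dst:dport."""
    for rule in POLICY:
        if rule.matches(src, dst, proto, dport):
            return rule.action
    return "deny"  # everything not explicitly permitted is dropped


def lan_reach_from(src: str) -> dict:
    """Blast-radius check: which LAN services a host (e.g. a compromised
    web server) can still open connections to through the firewall."""
    probes = {
        "db:sql": (DB_SERVER, SQL_PORT),
        "db:rdp": (DB_SERVER, 3389),
        "file:smb": (FILE_SERVER, 445),
    }
    return {name: evaluate(src, host, "tcp", port)
            for name, (host, port) in probes.items()}


if __name__ == "__main__":
    print("Internet -> web:80    ", evaluate("203.0.113.7", WEB_SERVER, "tcp", 80))
    print("Internet -> db:1433   ", evaluate("203.0.113.7", DB_SERVER, "tcp", SQL_PORT))
    print("LAN client -> mail:110", evaluate("10.0.0.50", MAIL_SERVER, "tcp", 110))
    print("compromised web server can reach:", lan_reach_from(WEB_SERVER))
    print("compromised mail server can reach:", lan_reach_from(MAIL_SERVER))
```

The point of the `lan_reach_from` check is the residual risk the first answer describes: once the web server is in the DMZ, an attacker who takes it over still gets the SQL port on the database server (that connection has to exist for the site to work) and nothing else on the LAN; if the database had stayed on the web server they would have had all of it with no firewall in the way. The mail server, also in the DMZ, gets no path to the database at all because the DMZ-to-LAN rule is pinned to the web server's address, which is what "from the web server only" in the answer means in practice.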

janereid21 (Author) commented:
Thank you grblades,

You've been extremely helpful in giving me some clarity on the whole DMZ setup.  

The web server and mail server might have to be set up on the same machine, but I will look into that.

Thanks a lot, much appreciated
