Firewall authentication webserver placement

My company has developed a web app that runs on Tomcat using MS SQL Server as a data source (both web server and database currently on the same box, which we will soon split). Until now the web app has only been available and exposed to LAN users. My question is how best to serve this app to remote users. We do not want to use VPN, as not all users will be employees and we cannot control VPN client software. Further, the web server has an SSL certificate, but again we do not want to allow a tunnel through the firewall that cannot be inspected. Where should the web server be placed so that if it is compromised it cannot access private data from our database, given that it must have access to the database for the web app to function? Is there some appliance that can authenticate users based on username and password and then allow or deny the SSL connection based on that information? We have limited on-staff IT, mostly programmers/developers, and a modest budget to implement this solution. Thanks for all responses.

DMZ (WebServer)

SSL is about the confidentiality of the data. So whether you want it or not depends on what you run on it. Thinking of the kind of traffic that goes onto the WebServer, for the known attacks, it doesn't matter whether it is an attack or not. So think about it: even if you allow unencrypted traffic, firewalls can't prevent the content-based attack on most of the parts. Say somebody plants some kind of virus/trojan or anything in there; it doesn't matter to the firewall whether it is encrypted or unencrypted, because it just *can't* understand it. It can prevent most of the invalid packets. Say a Denial of Service can be done, and the firewall can stop that because it can understand it.

So then again, try implementing the above scenario with a firewall, and for content attacks, try implementing an Intrusion Detection System between the firewall and the WebServer. SNORT can serve well and it is free. It can detect most of the content attacks.

This is only a start. You can start thinking in these lines.
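A concrete form of the DMZ layout sketched in the answer, as an added example that is not part of the original answer: a forwarding ruleset for a three-interface Linux firewall (WAN, DMZ, LAN) that lets the Internet reach only the web server on 443 and lets the web server reach only SQL Server on 1433, so a compromised web server cannot wander through the LAN. The interface names, addresses and the use of iptables are assumptions; run with the argument `iptables` to apply, or with no argument to print the rules.

```shell
#!/bin/sh
# Added example: three-zone firewall for the DMZ layout discussed in the answer.
# Assumed topology (constructed, not from the page):
#   eth0 = WAN, eth1 = DMZ (web server 192.0.2.10), eth2 = LAN (SQL Server 10.0.0.20)
WAN=eth0; DMZ=eth1; LAN=eth2
WEB=192.0.2.10; DB=10.0.0.20

# rules CMD : emit every rule through CMD ("echo" to preview, "iptables" to apply)
rules() {
    IPT="$1"
    $IPT -P FORWARD DROP            # default: nothing crosses zones
    $IPT -F FORWARD
    # return traffic for connections already allowed below
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Internet may reach only the web server, and only on HTTPS
    $IPT -A FORWARD -i "$WAN" -o "$DMZ" -d "$WEB" -p tcp --dport 443 \
         -m conntrack --ctstate NEW -j ACCEPT
    # the web server may reach only SQL Server, and only on 1433; nothing else on the LAN
    $IPT -A FORWARD -i "$DMZ" -o "$LAN" -s "$WEB" -d "$DB" -p tcp --dport 1433 \
         -m conntrack --ctstate NEW -j ACCEPT
    # LAN users keep using the app, and admins keep SSH to the box
    $IPT -A FORWARD -i "$LAN" -o "$DMZ" -d "$WEB" -p tcp -m multiport --dports 22,443 \
         -m conntrack --ctstate NEW -j ACCEPT
    # log what the default policy drops: a compromised web server probing the LAN shows up here
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
}

rules "${1:-echo}"
```

The LOG line is what makes the placement useful for detection as well as containment: any DMZ-to-LAN attempt other than the single database flow ends up in the kernel log.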

