increase security for the firewall

I need advice on how to increase security for the firewall...
Right now all the ports are closed except two of them because the internet application needs to reach the database to update the information in the database.
If someone were to compromise the web server, they could easily get to all the databases located on the server, which can be accessed from the internet in order for the code to update the databases. I need to find a way to lock this down, and still have the application connect to the database.
Is there a way?  If not, is there a way to increase security?
Is there a way to hide which ports are open from hackers?

I suppose if they were on two different internal subnets that had traffic between them channel through the firewall... but even that won't solve what you're trying to do.

Any ports open would be visible by anyone who is within an arm's length of that server. One thing you could do is have the database server drop any ICMP traffic via something like a software firewall. That would prevent things like pings. Maybe you should look at better securing each server... for example, using IISLockdown on the web server (assuming it runs Windows and IIS on it).

However, anything that's left open to the world will always have a shot at being exploited... hence why you try to open up as little as possible. And you'll also want to make sure anything that doesn't need to be accessed by the outside is behind as much protection as possible.
You can always look into hardening the OS on the servers... you want to make it as hard as possible for people to exploit the servers in the first place. Nothing is 100% secure though. Getting rid of unneeded parts of the OS, things like that.
One question. Are your users trusted or not? (ie, your staff or just joe public). If trusted then use hard token authentication and encryption to keep anyone else out at the entry point. This removes the need for too much inside protection.

The obvious but 'expensive' way is to create a DMZ that has a web server (or a top tier presentation layer server) which has the access. Then database calls could be controlled through the firewall to only allow traffic to hit the database server from the DMZ server, not the outside.
Then, you would be able to limit the access to the database server, thus adding another layer that would need to be breached.

Next, add in a service account that cannot be seen within AD and use this to access the Database server. Assign it specific roles within the database to only do what it needs. If someone were to gain control of the DMZ server, they would then need to break the userid/password for the inside database server. Console access to the DMZ server would not be enough to get through the firewall or onto the database server.

Use SSL for your internet application thus allowing you to reduce access to only come in via 443. Then, change the SSL port to something obscure (eg 43215) and check it does not conflict with some other common application just in case.

All you are doing is reducing the chance of an opportunist hacker. If someone is determined, and has your external IP address, they will certainly do enough damage for it to be felt. How much is up to you I guess.

Hope this helps
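The "only allow the DMZ server to hit the database" rule and the "drop ICMP on the database host" suggestion from the answers above, as an added example (not part of the original thread): a script that generates an nftables ruleset for the inside database host. It assumes a Linux database host; the DMZ address and the database port are placeholders you pass in.

```shell
#!/bin/sh
# Added example, not from the original thread. Generates an nftables ruleset for
# the inside database server: default drop, database port reachable only from the
# DMZ web server, no ICMP echo replies. Assumes a Linux DB host (assumption).
gen_db_ruleset() {
    dmz_ip="$1"      # constructed placeholder, e.g. 10.0.1.10 (the DMZ web server)
    db_port="$2"     # e.g. 1433 for SQL Server, 3306 for MySQL, 5432 for PostgreSQL
    cat <<EOF
table inet dbfilter {
    chain input {
        type filter hook input priority 0; policy drop;
        # keep replies to connections the DB host itself opened
        ct state established,related accept
        # loopback is needed by local tooling
        iif lo accept
        # only the DMZ web server may open connections to the database port
        ip saddr $dmz_ip tcp dport $db_port ct state new accept
        # do not answer pings from anyone
        icmp type echo-request drop
        # everything else falls through to the chain policy (drop)
    }
}
EOF
}

# Sanity check on a generated ruleset: true (exit 0) if any rule accepts the
# database port without restricting the source address.
ruleset_has_open_db_port() {
    printf '%s\n' "$1" | grep -E '^[[:space:]]*tcp dport' | grep -q accept
}

# Stand-alone usage; apply on the DB host with:  gen_db_ruleset 10.0.1.10 1433 | nft -f -
if [ -n "$1" ]; then
    gen_db_ruleset "$1" "${2:-1433}"
fi
```

Review the generated text before loading it with `nft -f`; the source restriction is what keeps a compromised web server from reaching anything but its own database port.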
