Solved

Web Server in DMZ

Posted on 2006-05-05
2,540 Views
Last Modified: 2008-07-11
Our company is looking at placing a web server in the DMZ of our firewall.  I understand the basic setup of

Internet -------Firewall1---------Web Server------Firewall2-------LAN

My biggest question comes in the fact that there will be a SQL server database on the LAN that will need to be accessed by the web server.  What is the best way to approach setting this up?  Would it make sense to use possibly 3 firewalls, and put the SQL server in a DMZ off of the third firewall?  Any thoughts on this would be appreciated.

Question by:steyerhuber
11 Comments
 
LVL 14

Accepted Solution

by:
chris_calabrese earned 200 total points
ID: 16617839
Yes, using a third firewall is a common way to do this.

Another is:

Internet----Firewall1----WebDMZ----Firewall2----InternalNet
                                                     |
                                                App/DB DMZ
 
LVL 1

Assisted Solution

by:gam1002
gam1002 earned 200 total points
ID: 16618208
It's important to point out that you don't actually *need* three firewalls. You could quite easily purchase a hardware firewall with the appropriate number of interfaces/feature pack.

For example, the above configuration could easily be handled by a PIX515E, with a suitable unrestricted bundle, more than two ethernet interfaces etc. You could then have an ethernet port for internal LAN, SQL server and Webserver.

By tightening either ACLs (Cisco) or rules (Checkpoint/Netscreen etc.) you can construct rules that mean even if one server is compromised, the other server isn't sitting wide open to attack.

HTH
 
LVL 51

Assisted Solution

by:ahoffmann
ahoffmann earned 200 total points
ID: 16621888
> What is the best way to approach setting this up.
depends on your security requirements and what you already have on the web server
In all cases I'd not use the SQL server from your LAN but use one in the DMZ with copied (read-only) data.

If your web server does not host multiple applications or domains, I'd use it as SQL server also, which makes it fast and you need only to connect to localhost.
Otherwise use a SQL server on its own host. I guess you don't need a firewall between the web server and the SQL server then, 'cause it must pass all SQL traffic anyway. Only if someone owns your web server, then that firewall raises the bar to own the SQL server also.
 
LVL 3

Assisted Solution

by:RiDo78
RiDo78 earned 200 total points
ID: 16625113
Does the webserver require read/write access to the database?

If not, you can set up a read/write database on the LAN and have it replicate to the read-only DB on the webserver.

Otherwise you can set up a HARDENED reverse proxy on your outside firewall, ensuring that your webserver receives only legitimate web requests and nothing else. So a buffer overflow or some other hacking techniques only affect the proxy server, not the webserver. For the webserver to connect to the DB, you can set up a port forwarding in FW2 or set up a VPN tunnel through the FW. Now it's quite hard to gain access to your internal network, as a hacker has to compromise both the proxy server and the webserver.

HOWEVER, you are not safe against crappy-developed insecure websites. If there is a way to edit the webpages or alter the database content, it can (and probably will) be used. So you have to ensure that the webuser has no rights to alter the static pages, page templates and scripts. So they should be read-only (Windows) or read&execute (*nix) and not owned by the webuser itself. Furthermore, the database user should have the correct rights assigned to it. So if the website only needs to read from a table, make sure only SELECT statements are authorized for that table.

If you are completely paranoid and happen to be the developer of the website, you might want to forget about the DB connection through the firewall, and place another webserver inside the LAN. Now set up a port forwarding so the DMZ webserver can query the LAN webserver. Change the website so that all DB access is replaced by XML queries to the LAN webserver. On the LAN webserver you catch the XML queries, run a decent check on what is going to happen and whether or not it is allowed, and if everything is OK, query the database, check the results, convert them to XML and send them back to the webserver. (Although I have to admit, performance-wise it's not the best way to go)


But the problem with security is that it's as strong as the weakest link. So do ensure your website is written properly.
 
LVL 51

Expert Comment

by:ahoffmann
ID: 16626350
> Change the website so that all DB-access is replaced by XML-queries to the LAN-webserver.
what should that do? Except that it makes things complicated, you add another level of buggy software ;-)
XML is as easily attackable as SQL.

Sorry for being (a bit) off-topic.
 
LVL 3

Expert Comment

by:RiDo78
ID: 16626722
@ahoffmann: You remove the DB access from the primary website. There is absolutely no information about the database present in the primary website. The only thing you'll find after compromising that machine is an address to the secondary XML server. The secondary (XML) website serves as some sort of proxy. It validates the XML requests, perhaps writes some logging and performs the actual query to the database. Instead of XML you could also write your own protocol. But I agree with you that it's not a fine solution, but at least the database is inaccessible when the DMZ webserver is compromised. And as I said, it's for people who are completely paranoid.

Personally I think a reverse proxy server on the outside firewall, a DB port forwarding on the internal firewall, properly set permissions (on files and DB) and a properly written website is good enough. But hey, I've seen the other solution in a test environment running acceptance and penetration tests.
 
LVL 51

Expert Comment

by:ahoffmann
ID: 16628305
> .. but at least the database is inaccessible when the DMZ webserver is compromised.
hmm, probably I'm missing the magic:
if someone compromised the web server, and probably managed to own it, how does XML then prevent access to the (hidden?) database? Simply write an XML request as you like.
Oh, and I'm not talking about having fun with [[CDATA]] data in XML now ;-))
 
LVL 3

Expert Comment

by:RiDo78
ID: 16629495
I don't like to get too much off-topic, but as you have two webservers that are only able to talk to each other using one specified protocol, the only way to compromise the second is (ab-)using that protocol or its dependencies. Which is only possible after compromising the first server in a way that you are able to alter its content.

And in this case it's probably much easier to 'talk your way in' and attack the db from the inside.
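The "validating XML broker" that RiDo78 sketches, and ahoffmann's objection that an owned web server can "simply write an XML request as you like", come down to one question: what does the broker accept? The following is an added example, not code from the thread or from either poster. It shows the only form of the design in which the broker adds anything: the DMZ side never sends SQL at all, each request names an operation from a fixed allowlist, and every operation is bound to one parameterised statement with typed parameters. The schema, the `request`/`param` element names, the `ALLOWED_OPS` table and the in-memory SQLite database standing in for the LAN SQL server are all constructed assumptions. A broker that instead forwarded a query string would be exactly the "another level of buggy software" ahoffmann warns about.

```python
"""A validating query broker between the DMZ web server and the LAN database.
Added example, not from the thread; schema, protocol and requests are constructed."""
import sqlite3
import xml.etree.ElementTree as ET


def make_db():
    """Constructed in-memory stand-in for the LAN SQL server (assumption)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    con.executemany("INSERT INTO products VALUES (?, ?, ?)",
                    [(1, "widget", 2.5), (2, "gadget", 10.0)])
    con.execute("CREATE TABLE users(id INTEGER PRIMARY KEY, login TEXT, pwhash TEXT)")
    con.execute("INSERT INTO users VALUES (1, 'admin', 'placeholder-hash')")
    return con


# The whole contract between the two hosts: each operation the DMZ web server may
# request is bound to one fixed, parameterised statement and a typed parameter list.
# The web server never sends SQL, so even a fully compromised web server can only
# pick one of these operations with values that pass the type check.
ALLOWED_OPS = {
    "product_by_id": (
        "SELECT id, name, price FROM products WHERE id = ?",
        (("id", int),),
    ),
    "products_cheaper_than": (
        "SELECT id, name, price FROM products WHERE price < ? ORDER BY id",
        (("max_price", float),),
    ),
}


class BrokerError(ValueError):
    """Request rejected before anything reaches the database."""


def handle_request(con, xml_bytes):
    """Validate <request op="..."><param name="...">v</param></request> and run the bound statement."""
    try:
        # The stdlib parser is used here for portability; for untrusted input in
        # production, parse with defusedxml to block entity-expansion attacks.
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        raise BrokerError(f"malformed request: {exc}") from None
    if root.tag != "request":
        raise BrokerError("unexpected root element")
    op = root.get("op")
    if op not in ALLOWED_OPS:
        raise BrokerError(f"operation not permitted: {op!r}")
    sql, spec = ALLOWED_OPS[op]
    given = {p.get("name"): (p.text or "") for p in root.findall("param")}
    # Exactly the declared parameters, no more and no fewer.
    if set(given) != {name for name, _ in spec}:
        raise BrokerError("parameter set does not match the operation")
    args = []
    for name, cast in spec:
        try:
            args.append(cast(given[name]))  # "2 OR 1=1" fails int() and is rejected here
        except ValueError:
            raise BrokerError(f"bad value for parameter {name!r}") from None
    cur = con.execute(sql, args)  # always the bound statement, values passed as parameters
    cols = [d[0] for d in cur.description]
    return rows_to_xml(op, cols, cur.fetchall())


def rows_to_xml(op, cols, rows):
    """Serialise the result set as <response op="..."><row><col>..</col></row></response>."""
    resp = ET.Element("response", op=op)
    for row in rows:
        r = ET.SubElement(resp, "row")
        for col, val in zip(cols, row):
            ET.SubElement(r, col).text = str(val)
    return ET.tostring(resp, encoding="unicode")


if __name__ == "__main__":
    db = make_db()
    print(handle_request(db, b'<request op="product_by_id"><param name="id">2</param></request>'))
    for bad in [b'<request op="product_by_id"><param name="id">2 OR 1=1</param></request>',
                b'<request op="run_sql"><param name="q">SELECT * FROM users</param></request>']:
        try:
            handle_request(db, bad)
        except BrokerError as exc:
            print("rejected:", exc)
```

The design choice worth noting is that the allowlist is the security boundary, not the XML: the `users` table cannot be reached from the DMZ because no operation touches it, and the rejected requests are logged on the LAN side, which is also where the broker's logging belongs.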
 
LVL 51

Expert Comment

by:ahoffmann
ID: 16629498
> .. and attack the db from the inside.
agreed, I already said that it is a matter of personal preferences or security requirements if you use one or two servers.
 

Assisted Solution

by:jason_mar
jason_mar earned 200 total points
ID: 16635799
Looking at where this discussion started it looks as if the question is being approached from an infrastructure point of view, and there is rarely a time when the same person is responsible for both hardware and software. That is not to say that the software side should be neglected, but to answer the original question in the capacity it was asked I would say yes, the "3 firewall" scenario is ideal.

This, as said before, can in reality be one firewall with three subnets with rules to filter only the desired bits of traffic between them. Say http and https to the web server from the internet and only SQL (or XML) from the webserver to the SQL server. Where possible you would restrict the source and destination of the traffic. Obviously you can't do this for http access to a public site, but you can for the webserver to SQL server. This provides you with port level security.

To add strength to the solution you would also want to consider an application aware firewall. This will give an infrastructure guy the best shot at hardening the software side of things and allow him/her to defend the site against application level attacks such as cross-site scripting, SQL injection, HTTP header hacks and general worms.

There are a few good firewalls to consider such as Checkpoint and Cisco PIX which are application aware. The latest version of Microsoft ISA (2004) also has this capability and isn't too shabby.

That is what the infrastructure guy can do to bolster security for a website, and he would also advise the software guy to observe best practices, in which I am no expert, but some basics spring to mind such as don't allow usernames/passwords to be hardcoded in HTML and use SQL stored procedures where possible to avoid hardcoding SQL statements. The developers would need to do their bit to ensure the whole package is secure.
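The one-firewall, three-subnet design that gam1002, chris_calabrese and jason_mar converge on is easy to describe and easy to get subtly wrong, so here is an added example (not from the thread, and not a configuration any poster supplied) that models it: a declarative default-deny policy for the four zones, a function that evaluates a candidate flow against it, and a renderer that prints the same policy as an nftables forward chain (text only; nothing is applied). The address plan, the single-host `WEB_SERVER` restriction on the SQL rule and the "DBA from the LAN" rule are constructed assumptions; the thread names no addresses and no ports beyond http, https and SQL.

```python
"""Model of the one-firewall / three-subnet DMZ design discussed in the thread.
Added example, not from the thread; the address plan is a constructed assumption."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed address plan (assumption: the thread gives no addresses).
ZONES = {
    "dmz_web": ip_network("10.10.1.0/24"),
    "dmz_db": ip_network("10.10.2.0/24"),
    "lan": ip_network("10.0.0.0/16"),
}
WEB_SERVER = "10.10.1.10/32"  # the one host allowed to open SQL connections (constructed)


def zone_of(ip):
    """Map an address to a zone; anything outside the known subnets is 'internet'."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src: str       # zone name, or a CIDR to restrict the rule to specific hosts
    dst: str
    proto: str
    dport: int
    comment: str

    @staticmethod
    def _side_matches(spec, ip):
        if spec == "internet" or spec in ZONES:
            return zone_of(ip) == spec
        return ip_address(ip) in ip_network(spec)

    def matches(self, src_ip, dst_ip, proto, dport):
        return (self.proto == proto and self.dport == dport
                and self._side_matches(self.src, src_ip)
                and self._side_matches(self.dst, dst_ip))


# Only the desired bits of traffic; everything else falls through to the default drop.
POLICY = [
    Rule("internet", "dmz_web", "tcp", 80, "public http to the web server"),
    Rule("internet", "dmz_web", "tcp", 443, "public https to the web server"),
    Rule(WEB_SERVER, "dmz_db", "tcp", 1433, "only the web server host may reach SQL Server"),
    Rule("lan", "dmz_db", "tcp", 1433, "DBA access from the LAN (assumption)"),
]


def evaluate(src_ip, dst_ip, proto, dport, policy=POLICY):
    """Return ('accept', why) for the first matching rule, else ('drop', why)."""
    for rule in policy:
        if rule.matches(src_ip, dst_ip, proto, dport):
            return "accept", rule.comment
    return "drop", "default deny: no rule permits this flow"


def _nft_side(keyword, spec):
    """Render one address match; 'internet' means 'not one of our own subnets'."""
    if spec == "internet":
        nets = ", ".join(str(n) for n in ZONES.values())
        return f"{keyword} != {{ {nets} }}"
    net = ZONES[spec] if spec in ZONES else ip_network(spec)
    return f"{keyword} {net}"


def to_nftables(policy=POLICY):
    """Render the policy as an nftables forward chain (text only, nothing is applied)."""
    lines = [
        "table inet dmz {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for r in policy:
        lines.append("    " + " ".join([
            _nft_side("ip saddr", r.src),
            _nft_side("ip daddr", r.dst),
            f'{r.proto} dport {r.dport} accept comment "{r.comment}"',
        ]))
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    for flow in [("203.0.113.5", "10.10.1.10", "tcp", 443),
                 ("203.0.113.5", "10.10.2.10", "tcp", 1433),
                 ("10.10.1.10", "10.10.2.10", "tcp", 1433),
                 ("10.10.1.10", "10.0.0.5", "tcp", 445)]:
        print(flow, "->", evaluate(*flow))
    print(to_nftables())
```

The flows worth checking against a policy like this are the ones that matter after a compromise: a web server reaching the LAN on anything, a second DMZ host (not `WEB_SERVER`) reaching the SQL port, and the DB subnet reaching back into the web subnet. All three drop here, which is the "one server compromised, the other not sitting wide open" property gam1002 describes.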
 
LVL 51

Expert Comment

by:ahoffmann
ID: 16642689
> .. which are application aware.
sorry, disagree 99,9% with all listed products as being application firewalls.
For such things you need a WAF - web application firewall, some products for that are (dead or alive): AppShield, Magnifire, InterDo, Airlock, TrafficShield, mod_security, and some more ...
But we're going off-topic again.