steyerhuber
asked on
Web Server in DMZ

Our company is looking at placing a web server in the DMZ of our firewall.  I understand the basic setup of

Internet -------Firewall1---------Web Server------Firewall2-------LAN

My biggest question comes in the fact that there will be a SQL server database on the LAN that will need to be accessed by the web server.  What is the best way to approach setting this up?  Would it make sense to use possibly 3 firewalls, and put the SQL server in a DMZ off of the third firewall?  Any thoughts on this would be appreciated.
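The following is an added example, not code from the thread, that models the two-firewall layout in the question as two default-deny rule sets and checks which flows can traverse them. The addresses (a 192.0.2.0/24 DMZ, a 10.0.0.0/16 LAN, the web server at 192.0.2.10 and the SQL server at 10.0.5.20, SQL on TCP 1433) are constructed assumptions; the point it shows is that the inner firewall should permit exactly one flow from the DMZ to the LAN (web server to SQL server on the database port) and nothing else, so a compromised web server cannot reach other LAN hosts.

```python
"""Model of the Internet -> FW1 -> DMZ web server -> FW2 -> LAN design.

Added example (not from the thread). Each firewall is an ordered list of
first-match rules with an implicit default deny; a flow between zones must be
allowed by every firewall on its path.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample addressing (assumption, not from the thread)
ANY = "0.0.0.0/0"
DMZ_NET = "192.0.2.0/24"
WEB_SERVER = "192.0.2.10/32"
LAN_NET = "10.0.0.0/16"
SQL_SERVER = "10.0.5.20/32"
SQL_PORT = 1433


@dataclass(frozen=True)
class Rule:
    src: str              # CIDR of permitted sources
    dst: str              # CIDR of permitted destinations
    dport: Optional[int]  # destination TCP port, None = any
    action: str           # "allow" or "deny"

    def matches(self, src_ip: str, dst_ip: str, dport: int) -> bool:
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == dport))


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, dport: int) -> str:
    """First matching rule wins; no match means deny."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, dport):
            return rule.action
    return "deny"


# Outer firewall: only HTTP/HTTPS from anywhere to the web server itself.
FW1 = [
    Rule(ANY, WEB_SERVER, 80, "allow"),
    Rule(ANY, WEB_SERVER, 443, "allow"),
]

# Inner firewall: the web server may talk to the SQL server on the DB port,
# and LAN users may browse the site. Nothing else crosses DMZ <-> LAN.
FW2 = [
    Rule(WEB_SERVER, SQL_SERVER, SQL_PORT, "allow"),
    Rule(LAN_NET, WEB_SERVER, 443, "allow"),
]

ZONE_ORDER = ["internet", "dmz", "lan"]
FIREWALLS = {("internet", "dmz"): FW1, ("dmz", "lan"): FW2}


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    if addr in ipaddress.ip_network(DMZ_NET):
        return "dmz"
    if addr in ipaddress.ip_network(LAN_NET):
        return "lan"
    return "internet"


def path_allowed(src_ip: str, dst_ip: str, dport: int) -> bool:
    """True only if every firewall between the two zones allows the flow."""
    i = ZONE_ORDER.index(zone_of(src_ip))
    j = ZONE_ORDER.index(zone_of(dst_ip))
    step = 1 if j > i else -1
    for k in range(i, j, step):
        hop = tuple(sorted((ZONE_ORDER[k], ZONE_ORDER[k + step]), key=ZONE_ORDER.index))
        if evaluate(FIREWALLS[hop], src_ip, dst_ip, dport) != "allow":
            return False
    return True


if __name__ == "__main__":
    checks = [
        ("203.0.113.5", "192.0.2.10", 443),   # Internet -> web server HTTPS
        ("203.0.113.5", "192.0.2.10", 22),    # Internet -> web server SSH
        ("203.0.113.5", "10.0.5.20", 1433),   # Internet -> SQL server directly
        ("192.0.2.10", "10.0.5.20", 1433),    # web server -> SQL server
        ("192.0.2.10", "10.0.5.20", 445),     # web server -> SQL server SMB
        ("192.0.2.10", "10.0.7.7", 1433),     # web server -> some other LAN host
    ]
    for src, dst, port in checks:
        print(f"{src} -> {dst}:{port}  {'ALLOW' if path_allowed(src, dst, port) else 'deny'}")
```

Adding a third firewall with the SQL server in its own DMZ, as the question suggests, would appear here as one more zone and one more rule list on the path; the model makes it easy to see that it only helps if that extra rule list is tighter than what the inner firewall already enforces.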

ASKER CERTIFIED SOLUTION
chris_calabrese
This solution is only available to members.
> Change the website so that all DB-access is replaced by XML-queries to the LAN-webserver.
What should that do? Except that it makes things complicated, you add another level of buggy software ;-)
XML is as easily attackable as SQL.

Sorry for being (a bit) off-topic.
RiDo78

@ahoffmann: You remove the DB-access from the primary website. There is absolutely no information about the database present in the primary website. The only thing you'll find after compromising that machine is an address to the secondary XML-server. The secondary (XML) website serves as some sort of proxy. It validates the XML-requests, perhaps writes some logging and performs the actual query to the database. Instead of XML you could also write your own protocol. But I agree with you that it's not a fine solution, but at least the database is inaccessible when the DMZ-webserver is compromised. And as I said, it's for people who are completely paranoid.

Personally I think a reverse proxy server on the outside firewall, a DB port-forwarding on the internal firewall, properly set permissions (on files and DB) and a properly written website is good enough. But hey, I've seen the other solution in a test environment running acceptance and penetration tests.
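The "secondary server as proxy" idea above, as an added example that is not from the thread or from either poster: an internal query broker that the DMZ web server talks to instead of the database. The broker exposes a short allowlist of named operations, each bound to a fixed parameterised query, and refuses anything else, so the DMZ host never sends SQL text and, even if fully owned, can only invoke the operations the broker already permits. It uses an in-memory SQLite database standing in for the LAN SQL server and JSON rather than XML for the request envelope (both are assumptions; JSON avoids the CDATA and entity-handling issues mentioned later in the thread). Table names, operations and sample rows are constructed.

```python
"""Internal query broker between a DMZ web server and a LAN database.

Added example (not from the thread). Only the operations in OPERATIONS can be
invoked; parameters are type- and length-checked and always bound, never
concatenated into SQL. The customers table exists only to show that no
operation exposes it.
"""
import json
import logging
import sqlite3
from typing import Any, Dict, List, Tuple

# Allowlist: operation name -> (parameterised SQL, [(param, type, max_len)])
OPERATIONS: Dict[str, Tuple[str, list]] = {
    "product_by_sku": (
        "SELECT sku, name, price FROM products WHERE sku = ?",
        [("sku", str, 32)],
    ),
    "products_in_category": (
        "SELECT sku, name, price FROM products WHERE category = ? LIMIT 100",
        [("category", str, 32)],
    ),
}


class BrokerError(Exception):
    """Raised for any request the broker refuses to run."""


def _validate(spec: list, params: Dict[str, Any]) -> list:
    """Require exactly the declared parameters, with the declared type/length."""
    if set(params) != {name for name, _, _ in spec}:
        raise BrokerError("parameter set mismatch")
    bound = []
    for name, typ, max_len in spec:
        value = params[name]
        if not isinstance(value, typ) or len(value) > max_len:
            raise BrokerError(f"bad parameter: {name}")
        bound.append(value)
    return bound


def handle_request(conn: sqlite3.Connection, raw: str) -> List[Dict[str, Any]]:
    """raw is the JSON envelope from the DMZ host: {"op": ..., "params": {...}}."""
    try:
        req = json.loads(raw)
    except ValueError:
        raise BrokerError("malformed request")
    if not isinstance(req, dict):
        raise BrokerError("malformed request")
    op = OPERATIONS.get(req.get("op"))
    if op is None:
        raise BrokerError("unknown operation")
    sql, spec = op
    params = req.get("params", {})
    if not isinstance(params, dict):
        raise BrokerError("malformed parameters")
    args = _validate(spec, params)
    logging.info("broker op=%s args=%r", req["op"], args)  # audit trail on the LAN side
    cur = conn.execute(sql, args)                          # parameters are bound, not interpolated
    cols = [c[0] for c in cur.description]
    return [dict(zip(cols, row)) for row in cur.fetchall()]


def try_request(conn: sqlite3.Connection, raw: str) -> Tuple[str, Any]:
    """Convenience wrapper: ("ok", rows) or ("rejected", reason)."""
    try:
        return "ok", handle_request(conn, raw)
    except BrokerError as exc:
        return "rejected", str(exc)


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the LAN SQL server."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products(sku TEXT, name TEXT, price REAL, category TEXT)")
    conn.execute("CREATE TABLE customers(email TEXT, card_last4 TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?, ?)", [
        ("A100", "Widget", 9.5, "tools"),
        ("A200", "Gadget", 19.0, "tools"),
        ("B300", "Doohickey", 4.25, "parts"),
    ])
    conn.execute("INSERT INTO customers VALUES ('a@example.com', '4242')")
    return conn


if __name__ == "__main__":
    db = make_db()
    for raw in [
        '{"op": "product_by_sku", "params": {"sku": "A100"}}',
        '{"op": "product_by_sku", "params": {"sku": "\' OR 1=1 --"}}',
        '{"op": "SELECT * FROM customers", "params": {}}',
        '{"op": "products_in_category", "params": {"category": "tools", "extra": 1}}',
    ]:
        print(raw, "->", try_request(db, raw))
```

This is the narrowing ahoffmann's objection calls for: the value of the second hop is not that the protocol is XML, but that the broker's allowlist is the whole attack surface, so a compromised DMZ host can only issue requests the broker was already willing to answer, and each one is logged on the LAN side.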
> .. but at least the database is inaccessible when the DMZ-webserver is compromised.
Hmm, probably I'm missing the magic:
if someone compromised the web server and probably managed to own it, how does XML then prohibit access to the (hidden?) database? Simply write an XML request as you like.
Oh, and I'm not talking about having fun with [[CDATA]] data in XML now ;-))
I don't like to get too much off-topic, but as you have two webservers that are only able to talk to each other using one specified protocol, the only way to compromise the second is (ab-)using that protocol or its dependencies. Which is only possible after compromising the first server in a way that you are able to alter its content.

And in this case it's probably much easier to 'talk your way in' and attack the db from the inside.
> .. and attack the db from the inside.
Agreed, I already said that it is a matter of personal preferences or security requirements if you use one or two servers.
> .. which are application aware.
Sorry, disagree 99,9% with all listed products as being application firewalls.
For such things you need a WAF (web application firewall); some products for that are (dead or alive): AppShield, Magnifire, InterDo, Airlock, TrafficShield, mod_security, and some more ...
But we're going off-topic again.