Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win


Securing communication between a web server on DMZ an a database behind the firewall.

Posted on 2006-11-27
Medium Priority
Last Modified: 2013-11-16
I have a need to deploy a website for external access.  This website will be hitting an Oracle database. The server (W2K3 IIS 6.0) will be on its own DMZ off of a PIX 515E.

I had originally set the requirement for the development team that the server on the DMZ would not be able to initiate connections into the private network.  The database server would have to push all updates to the webserver, so the connection originated on the private network.  I expect that this will cause some blow-back from the Development team with them stating that other websites allow access from the DMZ into their private network.  

There is bound to be a way to securely allow the web server on the DMZ to initiate connections to the db server as needed for webpages and such.  I just need to figure out how it's done at a conceptual level for the purpose of setting the design requirements for the web-based application.  Details can be worked out later.

To that end I poked around on EE and found some information.

lrmoore in http://www.experts-exchange.com/Security/Firewalls/Q_21376007.html stated in response to a similar question
"Personal opinion - go with the web server on the DMZ and create an IPSEC secpol connection between the web server and the database server, allowing only this encrypted data stream through the PIX from the DMZ to the Inside."

What does that mean?

My concern with allowing the web server to initiate connections into the private network from the DMZ is what if it gets hacked, the intruder could gain access to the private network.  Would the above address that concern?  If the web server does get access into the private network it would be limited to specific ports--probably ODBC or whatever is needed to read and query the db.  

How else do people provide this level of security?

I'm also posting a reference question to this one in other areas of EE.

Question by:averyb
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
LVL 10

Expert Comment

ID: 18022308
You should never allow connections from a public web-server into your internal network, no mather if the connections are IPSEC or not. In my opinion, I would put the database-server in a DMZ too, connected to the same firewall if you want, but in other DMZ, a backend DMZ. In the firewall, you have to open a rule from the web-server to the database-server, and that's all. If you need to connect to the database server from your private network, you have to open outbound ports only.

Author Comment

ID: 18022507
Thanks for the quick feedback.  

Hadn't thought of putting the db server in a separate DMZ also.  That approach could quickly snowball into needing another server and then dealing with encrypting the db, etc . . . Certainly doable, in theory, but the cost and time would probably preclude that as an acceptable option.  Little to no benefit over having the db push all changes to the website from a functional/technical point of view.  Although getting the push to work might be much harder than dealing with moving the db to a DMZ.  Maybe we'll end up with Oracle updating a postgress or mysql db on the webserver and then the website reading from that local db.

As you stated--"You should never allow connections from a public web-server into your internal network, no mather (sic) if the connections are IPSEC or not."

Are most people in agreement with that?

How do big banks and such do it? I've always assumed that they have the webservers in a DMZ and the backend db's inside their network.  I guess they have a db server in a separate DMZ.

Accepted Solution

jmelika earned 2000 total points
ID: 18024246

I setup similar infrastructure in the past for a company which I cannot disclose the name publicly here; but let's just say they shared the same concerns with you.

I had to setup a very large web-server farm that required access to the database.  They had existing DMZ networks in place, but I decided to create my own physically isolated DMZ network solely for that server farm.  The DMZ network had a very restrictive ACL that only allowed ports 80 and 443 through which hit the load balancer.  The load balancer was infront of the server farm routing traffic to them and balancing as well.  So the network looked somewhat like this:
Router DMZ --- 10.1.1.x -- Load Balancer -- 10.1.2.x -- Servers
LAN (10.1.3.x)

So in this case, only the load balancer was allowed to make outbound connections to the DB through the DMZ port.  The load balancer is the default gateway for the servers and it performs NAT for outbound traffic, so all the DB server sees as the source is the load balancer no matter which server originated the request.  It also adds another layer of protection for your web servers.

Now if you cannot put the load balancer there, or prefer not to by choice, having the servers on the DMZ with rocksolid inbound/outbound ACLs should be good.

Good luck!

Author Comment

ID: 18024985
Unclear how that would protect the inside network from a breached web server.  If they got to the servers they could get the Load Balancer which in turn would give them access to the inside network.  Granted, having the load balancer does add another device intruders would have to hack to gain access to the network.

Expert Comment

ID: 18030634
You are only allowing access to port 80 on the web servers.  No matter how you look at it, the web servers will need access to the data; be it on the Oracle servers themselves, or on the local hard drive (pushed from Oracle every so often).  Also, your web servers must be accessible to the end users.  In reality, that channel of communication must be present.  Our goal as security engineers is to allow ONLY access to that and nothing else.  Once that is done, we start protecting the application responding to the open ports (in your case IIS).  Patch it up, keep it tight, and all should be good.


Featured Post

Looking for the Wi-Fi vendor that's right for you?

We know how difficult it can be to evaluate Wi-Fi vendors, so we created this helpful Wi-Fi Buyer's Guide to help you find the Wi-Fi vendor that's right for your business! Download the guide and get started on our checklist today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Wikipedia defines 'Script Kiddies' in this informal way: "In hacker culture, a script kiddie, occasionally script bunny, skiddie, script kitty, script-running juvenile (SRJ), or similar, is a derogatory term used to describe those who use scripts or…
The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
Are you ready to place your question in front of subject-matter experts for more timely responses? With the release of Priority Question, Premium Members, Team Accounts and Qualified Experts can now identify the emergent level of their issue, signal…
This lesson discusses how to use a Mainform + Subforms in Microsoft Access to find and enter data for payments on orders. The sample data comes from a custom shop that builds and sells movable storage structures that are delivered to your property. …
Suggested Courses

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question