Database Web Application Topology

what is the best and most secure topology for a database driven web application? Is there a best practice?
0pt1musAsked:
Who is Participating?
 
ahoffmannConnect With a Mentor Commented:
1. web server, application server and database server are in DMZ
2. if you have one physical machine for each server, depends on your topology and the work you're willing to configure and maintain several servers
3. the database is read-only by the web/application server
4. you have a good concept of users and (access) roles for the database

hope this helps for starting ...
0
 
Guy Hengel [angelIII / a3]Connect With a Mentor Billing EngineerCommented:
>1. web server, application server and database server are in DMZ
web server: yes.
the application server and database servers: not necessarily. in regards to the db server, if it is there, it should "only" be a replication. of the actual database

>3. the database is read-only by the web/application server
well, that would be non-sense for a read/write web application?!!!


0
 
ahoffmannCommented:
> .. db server, if it is there, it should "only" be a replication. ..
yes, that's what my "read-only" implies

> that would be non-sense for a read/write web application?
agreed, but the question only says:
> .. for a database driven web application?
this reads to me that the web content is driven by the databese, not the database content by the web application. Need some clarifications here.

Anyway, even if the database is modified by the web app, ist should be in the DMZ, otherwise you open the door to you network by insecure web apps, think of SQL injection, various kinds of code injection, ...
0
Improve Your Query Performance Tuning

In this FREE six-day email course, you'll learn from Janis Griffin, Database Performance Evangelist. She'll teach 12 steps that you can use to optimize your queries as much as possible and see measurable results in your work. Get started today!

 
Guy Hengel [angelIII / a3]Billing EngineerCommented:
sql/code injection is solved by secure web server/correct code, and not by the web/db server in the dmz or not.
0
 
ahoffmannCommented:
> .. solved by secure web server/correct code ..
:-)

The question was about "best practice", then isolating services is defence in depth (as I've never seen secure code, 95%++ web apps are vulnerable, somehow, today ...)
0
 
Guy Hengel [angelIII / a3]Billing EngineerCommented:
>as I've never seen secure code, 95%++ web apps are vulnerable, somehow, today ...
that's right. however, I don't remember having seen a 100% read-only web application, until now, on the other side, so you HAVE to make the db read-write.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.