RE: Webserver, DMZ, ports questions

From: Nina Levitin (
Date: 07/18/01

> I have two questions that I feel rather dumb about asking:

There are no stupid questions. That is why we are all here.

> ...if I do not allow the webservers to go
> through the FW, then they cannot access the db's, unless I would put them
> the DMZ...What is the safest way to do this? What would basic, sample
> look like that would be optimal in this type of a setup be?

First off, what kind of firewall are you using? Is it capable of more than
one DMZ? Do users on the internal network require access to this database?

The best setup would be to have the web server in one DMZ and the database
servers in another. Allow no traffic to the second DMZ from the outside,
and allow communication only on port 1433 (SQL) from DMZ1 to DMZ2 and the
same from DMZ2 to the internal and vice versa. If this is not possible, it
is possible to allow communication from the web server to the database
server on just the one port. But you need to be careful not to have rules
that open the DMZ up further. A sample rule base would look like this:

Source    Destination   Port   Action
Web1      DB1           1433
DB1       Web1          1433

Outside   DMZ2          Any    Deny
DMZ1      DMZ2          1433
DMZ2      DMZ1          1433
DMZ2      Internal      1433

> I know that I should *only* allow port 80 into the DMZ, but do you allow
> *ALL* ports to go out??? Doesn't the webserver use all different local
> ports to talk out onto the Internet? If I wanted to do the following
> (assuming there is no internal network):
> Internet<->Firewall<->Webserver

A firewall is just a really intelligent router. It is a traffic cop. If
you tell it you only want blue cars to turn right, then that is what would
happen. The best policy is to allow only the BARE minimum amount of traffic
to get through. Meaning if you don't have to open a port then don't open

A web server should not be part of your NT domain. By all means restrict
the web server to only send and receive on port 80. Unless you have a need
for it to use other ports to the outside, don't open them. This leaves you
vulnerable to attack. There is no reason why this would cause a problem for
the IIS server, unless you are using HTTPS, in which case you will need to
open up that port as well.
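To check how the two-DMZ rule base in the reply behaves under a default-deny policy, here is an added Python model of it (example code, not part of the original post). The zone address ranges and the Web1/DB1 host addresses are constructed placeholders, and the extra "Outside to Web1 on port 80" rule reflects the reply's advice to allow only port 80 into the DMZ.

```python
from ipaddress import ip_address, ip_network

# Constructed sample addressing for the two-DMZ design (placeholders only).
ZONES = {
    "Outside":  ip_network("0.0.0.0/0"),        # catch-all: the Internet
    "DMZ1":     ip_network("192.0.2.0/24"),     # web server(s)
    "DMZ2":     ip_network("198.51.100.0/24"),  # database server(s)
    "Internal": ip_network("10.0.0.0/8"),       # internal LAN
}
WEB1 = ip_address("192.0.2.10")

# Rule base from the reply as (source, destination, port, action).
# A selector is a zone name or a single host; port None means any port.
# First matching rule wins; anything unmatched falls through to Deny.
RULES = [
    ("Outside",  "DMZ2",     None, "Deny"),   # nothing from outside to DB zone
    ("Outside",  WEB1,       80,   "Allow"),  # only HTTP into the DMZ
    ("DMZ1",     "DMZ2",     1433, "Allow"),  # web -> SQL
    ("DMZ2",     "DMZ1",     1433, "Allow"),  # SQL -> web
    ("DMZ2",     "Internal", 1433, "Allow"),  # SQL -> internal
    ("Internal", "DMZ2",     1433, "Allow"),  # internal -> SQL (vice versa)
]


def zone_of(addr):
    """Most specific zone containing addr; Outside (/0) matches last."""
    best = None
    for name, net in ZONES.items():
        if addr in net and (best is None or net.prefixlen > ZONES[best].prefixlen):
            best = name
    return best


def _matches(selector, addr):
    if isinstance(selector, str):        # zone name
        return zone_of(addr) == selector
    return addr == selector              # single host


def evaluate(src, dst, port):
    """Return 'Allow' or 'Deny' for a flow src -> dst:port (first match wins)."""
    src, dst = ip_address(src), ip_address(dst)
    for rule_src, rule_dst, rule_port, action in RULES:
        if _matches(rule_src, src) and _matches(rule_dst, dst) and rule_port in (None, port):
            return action
    return "Deny"  # default deny: a port you never opened stays closed


if __name__ == "__main__":
    for flow in [("203.0.113.5", "192.0.2.10", 80), ("203.0.113.5", "198.51.100.10", 1433),
                 ("192.0.2.10", "198.51.100.10", 1433), ("192.0.2.10", "10.0.0.5", 1433)]:
        print(flow, "->", evaluate(*flow))
```

Note that the web server's own outbound traffic to the Internet is not opened by any rule, so the model denies it, matching the reply's advice to open nothing beyond port 80 unless there is a specific need.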