RE: Webserver, DMZ, ports questions

From: Nina Levitin (NVL_at_integtech.com)
Date: 07/18/01


> I have two questions that I feel rather dumb about asking:

There are no stupid questions. That is why we are all here.

> ...if I do not allow the webservers to go
> through the FW, then they cannot access the db's, unless I would put them
> in the DMZ...What is the safest way to do this? What would basic, sample
> rules that would be optimal in this type of setup look like?

First off, what kind of firewall are you using? Is it capable of more than
one DMZ? Do users on the internal network require access to this database?

The best setup would be to have the web server in one DMZ and the database
servers in another. Allow no traffic to the second DMZ from the outside,
and allow communication only on port 1433 (SQL) from DMZ1 to DMZ2 and the
same from DMZ2 to the internal network and vice versa. If this is not
possible, it is possible to allow communication from the web server to the
database server on just the one port. But you need to be careful not to
have rules that open the DMZ up further. A sample rule base would look like
this:

Source    Destination   Port   Action
Web1      DB1           1433   Allow
DB1       Web1          1433   Allow

Or

Source    Destination   Port   Action
Outside   DMZ2          Any    Deny
DMZ1      DMZ2          1433   Allow
DMZ2      DMZ1          1433   Allow
DMZ2      Internal      1433   Allow

> I know that I should *only* allow port 80 into the DMZ, but do you allow
> *ALL* ports to go out??? Doesn't the webserver use all different local
> ports to talk out onto the Internet? If I wanted to do the following
> (assuming there is no internal network):
> Internet<->Firewall<->Webserver

A firewall is just a really intelligent router. It is a traffic cop. If
you tell it you only want blue cars to turn right then that is what would
happen. The best policy is to allow only the BARE minimum amount of traffic
to get through. Meaning if you don't have to open a port then don't open
it.

A web server should not be part of your NT domain. By all means restrict
the web server to only send and receive port 80. Unless you have a need for
it to use other ports to the outside, don't open them. This leaves you
vulnerable to attack. There is no reason why this would cause a problem for
the IIS server, unless you are using HTTPS, in which case you will need to
open up that port as well.

-Kit
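The two-DMZ rule base above, modelled as a small first-match evaluator with an implicit default deny, so the "open only what you must" policy can be checked against concrete flows. This is an added example, not code from the thread; the zone address ranges, the Web1/DB1 addresses and the single port-80 inbound rule are constructed assumptions, and matching is on destination port only (return traffic is covered by the mirrored 1433 rule, as in the mail, or by connection tracking on a stateful firewall).

```python
from ipaddress import ip_address, ip_network

# Constructed addressing (documentation ranges); not from the original mail.
ZONES = {
    "DMZ1": ip_network("192.0.2.0/24"),      # web tier
    "DMZ2": ip_network("198.51.100.0/24"),   # database tier
    "Internal": ip_network("10.0.0.0/8"),
}
HOSTS = {"Web1": "192.0.2.10", "DB1": "198.51.100.10"}

# The two-DMZ rule base from the mail, plus the port-80-only inbound rule the
# thread agrees on. First match wins; anything unmatched is denied.
RULES = [
    ("Outside", "DMZ2", "Any", "Deny"),
    ("Outside", "DMZ1", 80, "Allow"),
    ("DMZ1", "DMZ2", 1433, "Allow"),
    ("DMZ2", "DMZ1", 1433, "Allow"),      # mirrored rule for stateless return traffic
    ("DMZ2", "Internal", 1433, "Allow"),
    ("Internal", "DMZ2", 1433, "Allow"),
]

def zone_of(ip):
    """Map an address to its zone; anything outside the known networks is Outside."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "Outside"

def _matches(selector, ip):
    if selector == "Any":
        return True
    if selector in HOSTS:             # host object such as Web1
        return HOSTS[selector] == ip
    return zone_of(ip) == selector    # zone object such as DMZ2

def decide(src_ip, dst_ip, dst_port):
    """Return 'Allow' or 'Deny' for a flow, matching on destination port only."""
    for src, dst, port, action in RULES:
        if _matches(src, src_ip) and _matches(dst, dst_ip) and port in ("Any", dst_port):
            return action
    return "Deny"   # implicit default deny: the "bare minimum" policy

def overbroad(rules):
    """Flag Allow rules that widen exposure: any-port allows, or Outside reaching DMZ2."""
    return [r for r in rules
            if r[3] == "Allow" and (r[2] == "Any" or (r[0] == "Outside" and r[1] == "DMZ2"))]

if __name__ == "__main__":
    for flow in [("203.0.113.5", "192.0.2.10", 80), ("203.0.113.5", "198.51.100.10", 1433),
                 ("192.0.2.10", "198.51.100.10", 1433), ("192.0.2.10", "198.51.100.10", 445)]:
        print(flow, "->", decide(*flow))
```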
