Re: Webserver, DMZ, ports questions
From: Robert Schwartz (ethalis_at_yahoo.com)
Date: 07/18/01
- Previous message: Frank Knobbe: "RE: IIS + DOS attacks = headache"
- Possibly in reply to: Adrian Goins: "Re: Webserver, DMZ, ports questions"
- Messages sorted by: [ Date ] [ Thread ] [ Subject ] [ Author ] [ Attachment ]
Ideally, there would be no connection between the
internal network and the web stuff.
Internet <->firewall<->Web servers<->firewall<->DB
Internet <-> Firewall <-> Internal Network
Internal network has its own firewall / internet, and
Internet-accessible services like SMTP have a separate
DMZ or a third interface in the firewall. However,
you might want to add some DMZs here to leverage
everything:
Internet<->Firewall<->web servers<->firewall<->DB
                                        ^
                                        |
                                        v
                                Internal Network
This might work by adding a third interface into your
second firewall. This will be complicated because
these NEED to be separate vendor firewalls, so you will
need to update 2 rulebases for every rule change.
Again, if this is ecommerce or something I'd probably
use a dedicated firewall for my internal network and
segment this area of high risk completely.
As far as source / destination ports go: some
firewalls are stateful, so if I allow http on port 80
from the internet to my web server, then outgoing
communications from that web server to the client that
are part of the same conversation are allowed
implicitly (by IP session information). Some
firewalls use proxies so the whole communication is
proxied back and forth and ports don't matter. Some
firewalls are packet filters so you allow all clients
from all source ports to web server port 80 on the
outside and web server all ports to all clients port
80 on the inside interface. Depending on the vendor,
some of these packet filters have "2 way rule" buttons
to check to make it easier to manage rules. I assume
that your firewall is stateful though, so all you need
is to allow all traffic to port 80 on the web server.
--- "Bartel, Matt" <Matt.Bartel_at_qg.com> wrote:
>
> I have two questions that I feel rather dumb about
> asking:
>
> If I am running a setup as follows:
> Internet<->Firewall<->DMZ<->Firewall<->Internal
> Network
>
> and I am running webservers in the DMZ that need to
> pull info out of
> databases (that hold confidential information),
> where is the best place to
> put the db's??? If I put them in the internal
> network, I would have to make
> a rule to allow the webservers to access the db's
> through the FW (which
> defeats the point of the FW)...if I do not allow the
> webservers to go
> through the FW, then they cannot access the db's,
> unless I would put them in
> the DMZ...What is the safest way to do this? What
> would basic, sample rules
> look like that would be optimal in this type of a
> setup be?
>
> Also, one other really dumb question, while I'm on a
> roll:
> I know that I should *only* allow port 80 into the
> DMZ, but do you allow
> *ALL* ports to go out??? Doesn't the webserver use
> all different local
> ports to talk out onto the Internet? If I wanted to
> do the following
> (assuming there is no internal network):
> Internet<->Firewall<->Webserver
>
> Can I allow *only* port 80 to run through the FW to
> the Internet (both
> ways)? I am using IIS 5, and I am under the belief
> that IIS opens ports
> (source ports???) on the local machine to talk out
> to the world...If I only
> allowed 80 to go out, wouldn't that effectively
> block the webserver from
> talking onto the net, since it picks high ports
> (like 5000, or whatever)?
>
> Thank you.
> -Matt
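The three firewall styles described in the reply above (stateful, proxy, plain packet filter with "2 way" rules), modelled in a small simulator. This is an added example, not code from the original thread; the addresses, ports and packets are constructed for illustration (the web, client and DB addresses come from the documentation ranges, and the DB listener port 1433 is an assumption, substitute your own). The reply rule for the stateless case is modelled as web:80 to any client on any port, which is what a packet filter needs to let HTTP responses out. The example also shows the caveat a practitioner should know: that same reverse rule lets the web server (or whoever has compromised it) open outbound connections as long as it uses source port 80, while a stateful filter only passes traffic belonging to a connection it has already admitted. The second scenario applies the same stateful model to the web-to-DB firewall with a single narrow rule instead of "any".

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

ANY = None  # wildcard for a rule field

WEB = "203.0.113.10"      # assumed web server address (TEST-NET-3)
CLIENT = "198.51.100.7"   # assumed Internet client address (TEST-NET-2)
DB = "10.0.0.5"           # assumed database host behind the second firewall
DB_PORT = 1433            # assumed DB listener port; use your DB's real port


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False     # True only for the first packet of a TCP connection


@dataclass(frozen=True)
class Rule:
    src: Optional[str]
    sport: Optional[int]
    dst: Optional[str]
    dport: Optional[int]

    def matches(self, p: Packet) -> bool:
        fields = ((self.src, p.src), (self.sport, p.sport),
                  (self.dst, p.dst), (self.dport, p.dport))
        return all(want is ANY or want == got for want, got in fields)


class StatelessFilter:
    """Plain packet filter: each packet is judged on its own header, so the
    reply direction needs its own ("2 way") rule."""
    def __init__(self, rules: Iterable[Rule]):
        self.rules = list(rules)

    def accept(self, p: Packet) -> bool:
        return any(r.matches(p) for r in self.rules)


class StatefulFilter:
    """Stateful filter: rules are consulted only for connection-opening
    packets; anything else must belong to a connection already admitted."""
    def __init__(self, rules: Iterable[Rule]):
        self.rules = list(rules)
        self.table: Set[Tuple[str, int, str, int]] = set()

    def accept(self, p: Packet) -> bool:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.table or rev in self.table:
            return True                   # part of an allowed conversation
        if p.syn and any(r.matches(p) for r in self.rules):
            self.table.add(fwd)           # remember the new connection
            return True
        return False


def outer_firewall_demo() -> dict:
    """Internet <-> Firewall <-> Webserver with only HTTP exposed."""
    inbound = Rule(ANY, ANY, WEB, 80)     # any client, any source port -> web:80
    reverse = Rule(WEB, 80, ANY, ANY)     # web:80 -> any client; stateless only
    stateless = StatelessFilter([inbound, reverse])
    stateful = StatefulFilter([inbound])  # replies come back via the state table

    request = Packet(CLIENT, 51234, WEB, 80, syn=True)   # client opens HTTP
    reply = Packet(WEB, 80, CLIENT, 51234)               # server answers
    # Outbound connection FROM source port 80: indistinguishable from a reply
    # for the stateless filter, rejected by the stateful one (no rule, no state).
    callback = Packet(WEB, 80, CLIENT, 6667, syn=True)
    probe = Packet(CLIENT, 40000, WEB, 5000, syn=True)   # unsolicited high port

    flows = (request, reply, callback, probe)
    return {"stateless": [stateless.accept(p) for p in flows],
            "stateful": [stateful.accept(p) for p in flows]}


def inner_firewall_demo() -> List[bool]:
    """Webserver <-> Firewall <-> DB: one narrow rule instead of "any"."""
    fw = StatefulFilter([Rule(WEB, ANY, DB, DB_PORT)])   # only web -> db:DB_PORT
    query = Packet(WEB, 52000, DB, DB_PORT, syn=True)    # web host queries DB
    answer = Packet(DB, DB_PORT, WEB, 52000)             # DB answers on that flow
    ssh_hop = Packet(WEB, 52001, DB, 22, syn=True)       # compromised web host pivoting
    db_out = Packet(DB, 53000, WEB, 80, syn=True)        # DB host must never initiate
    return [fw.accept(p) for p in (query, answer, ssh_hop, db_out)]


if __name__ == "__main__":
    for name, verdicts in outer_firewall_demo().items():
        print(f"{name:9s} request/reply/callback/probe -> {verdicts}")
    print("inner     query/answer/ssh_hop/db_out ->", inner_firewall_demo())
```

The stateless filter returns `[True, True, True, False]`: the two-way rule passes the HTTP request and reply but also the server-initiated "callback" from source port 80. The stateful filter returns `[True, True, False, False]` from the single inbound rule, which is the point made in the reply above about only needing to allow traffic to port 80. The inner firewall returns `[True, True, False, False]`: the web host reaches the DB port and gets its answers, but cannot reach anything else on the DB host, and the DB host cannot open connections back.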