PART II : Webserver, DMZ, ports questions

From: Bartel, Matt (Matt.Bartel_at_qg.com)
Date: 07/18/01


I've had many replies to my questions, all of which I sincerely appreciate.
Unfortunately, several of them do not encourage the same logic. So, it
would be helpful for me if I can rephrase my inquiry:

I need to be able to run webservers which talk to database servers. From
what I understand, I only need to open port 80 inbound on the border
firewall since I am using a stateful firewall that should "automatically"
open source ports to talk back outbound. Here is my first question: If this
does not work (even though I realize it should), which ports should I open
outbound on the border firewall? (I am running IIS 5 over Win2K...do I need
to find out what source ports IIS opens/needs open to talk outbound?)

The majority of the recommendations I received instructed me to use three
firewalls in the following fashion:
Internet<->Border FW<->Webserver DMZ<->Second FW<->Database Server
DMZ<->Third FW<->Internal Network

My second (and final) question is this: If I decide to go with the topology
in the manner described directly above, how would I physically cable this? I
know this sounds goofy, but for example, how do I physically cable the
Second FW to the Webserver DMZ? Do I do the following?:
 ___     _________     ______     ____________________________     ______     ______     ____________________
| I |<->|Border FW|<->|Switch|<->|Webservers in Webserver DMZ |<->|2nd FW|<->|Switch|<->|DB Servers in DB DMZ|
 ---     ---------     ------     ----------------------------     ------     ------     --------------------

Which would mean every webserver in the Webserver DMZ would need to be
dual-NIC'ed? Then, I would need to write ACLs on the Second FW which would
be very tight going both ways from the webservers *only* to the db servers
in the DB DMZ??? A couple of replies instructed to use two different vendor
firewalls for each of these, since if they penetrate the first, they will
surely be able to penetrate the second. I believe the logic is that this
will make them need to hack the second firewall if they want to get to the
data in the db's...is this correct? Is this the *best* (most secure, most
efficient) way of doing what I need to do?

Thank you all for your help!
-Matt

> I have two questions that I feel rather dumb about asking:
>
> If I am running a setup as follows:
> Internet<->Firewall<->DMZ<->Firewall<->Internal Network
>
> and I am running webservers in the DMZ that need to pull info out of
> databases (that hold confidential information), where is the best place to
> put the db's??? If I put them in the internal network, I would have to make
> a rule to allow the webservers to access the db's through the FW (which
> defeats the point of the FW)...if I do not allow the webservers to go
> through the FW, then they cannot access the db's, unless I would put them in
> the DMZ...What is the safest way to do this? What would basic, sample rules
> look like that would be optimal in this type of a setup?
>
> Also, one other really dumb question, while I'm on a roll:
> I know that I should *only* allow port 80 into the DMZ, but do you allow
> *ALL* ports to go out??? Doesn't the webserver use all different local
> ports to talk out onto the Internet? If I wanted to do the following
> (assuming there is no internal network):
> Internet<->Firewall<->Webserver
>
> Can I allow *only* port 80 to run through the FW to the Internet (both
> ways)? I am using IIS 5, and I am under the belief that IIS opens ports
> (source ports???) on the local machine to talk out to the world...If I only
> allowed 80 to go out, wouldn't that effectively block the webserver from
> talking onto the net, since it picks high ports (like 5000, or whatever)?
>
> Thank you.
> -Matt
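The two questions above (what a stateful border firewall must pass outbound for a web server that only accepts inbound tcp/80, and what the second firewall between the web DMZ and the DB DMZ should permit) are easiest to answer by watching a connection table work. The following is an added example written for this page, not code from Matt's post or from any reply in the thread. It models a stateful packet filter in a few dozen lines and runs the flows from the proposed three-tier topology through it. The addresses are RFC 5737 documentation ranges, the database listener on tcp/1433 (SQL Server) and the exact rule layout are assumptions, since the thread names IIS 5 on Win2K but not the database product.

```python
"""Stateful-filter model for the two questions in the thread: which ports the
border firewall must pass outbound for a web server that only receives
inbound tcp/80, and what the second firewall between the web DMZ and the DB
DMZ should allow. Added example; the addresses (RFC 5737 documentation
ranges), the SQL Server port 1433 and the exact rule layout are assumptions,
not taken from the original messages."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = True  # True: this packet tries to open a new connection


@dataclass(frozen=True)
class Rule:
    src: str                     # CIDR the packet source must fall in
    dst: str                     # CIDR the packet destination must fall in
    dport: Optional[int] = None  # None = any destination port
    proto: str = "tcp"
    action: str = "allow"

    def matches(self, p: Packet) -> bool:
        return (p.proto == self.proto
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or p.dport == self.dport))


@dataclass
class StatefulFirewall:
    rules: list
    # connection table: 5-tuples of the flows the rule base allowed to open
    state: set = field(default_factory=set)

    def filter(self, p: Packet) -> str:
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        # A reply is matched to its connection entry, which already records the
        # client's ephemeral source port, so no outbound rule is needed for it.
        if fwd in self.state or rev in self.state:
            return "allow (established)"
        if not p.syn:
            return "deny (no state)"  # mid-stream packet with no connection
        for r in self.rules:
            if r.matches(p):
                if r.action == "allow":
                    self.state.add(fwd)
                return r.action
        return "deny (default)"


ANY, WEB_DMZ, DB_DMZ = "0.0.0.0/0", "192.0.2.0/24", "10.1.1.0/24"
WEB, DB = "192.0.2.10", "10.1.1.20"


def build_firewalls():
    # Border FW: only new connections to tcp/80 on the web DMZ. Direction is
    # enforced by the destination network, so the web servers cannot open
    # connections outward even though the rule's source is "any".
    border = StatefulFirewall([Rule(src=ANY, dst=WEB_DMZ, dport=80)])
    # Second FW: only the web DMZ may open connections, only to the DB DMZ, and
    # only to the database listener. Nothing from the DB DMZ may originate.
    second = StatefulFirewall([Rule(src=WEB_DMZ, dst=DB_DMZ, dport=1433)])
    return border, second


def scenario() -> dict:
    border, second = build_firewalls()
    client, other_host = "203.0.113.7", "198.51.100.9"
    r = {}
    # Client opens HTTP to the web server; its source port 51234 is ephemeral.
    r["client->web:80"] = border.filter(Packet(client, 51234, WEB, 80))
    # The server's reply goes back to that ephemeral port: allowed by state.
    r["web:80->client"] = border.filter(Packet(WEB, 80, client, 51234, syn=False))
    # A packet pretending to be mid-connection but with no state entry.
    r["stray-ack->web:80"] = border.filter(Packet(other_host, 4444, WEB, 80, syn=False))
    # The web server itself trying to open a connection out to the Internet.
    r["web->internet:80"] = border.filter(Packet(WEB, 5000, other_host, 80))
    # Web tier querying the database, and the database answering.
    r["web->db:1433"] = second.filter(Packet(WEB, 49152, DB, 1433))
    r["db:1433->web"] = second.filter(Packet(DB, 1433, WEB, 49152, syn=False))
    # Anything else between the tiers is dropped, in either direction.
    r["web->db:445"] = second.filter(Packet(WEB, 49153, DB, 445))
    r["db->web:80"] = second.filter(Packet(DB, 49154, WEB, 80))
    return r


if __name__ == "__main__":
    for flow, verdict in scenario().items():
        print(f"{flow:22} {verdict}")
```

The run shows the two points that matter for the rule base. First, the web server's reply to a client (source port 80, destination the client's high port) is passed because the connection entry created by the inbound SYN already records that ephemeral port; no outbound rule listing IIS source ports is needed, and if replies fail on a real stateful firewall the thing to check is whether state is actually being created for the inbound rule, not which ports to open. Second, the same model makes it visible that the web server cannot itself originate connections to the Internet under this rule base; any updates, DNS or log shipping the host needs have to be added as explicit outbound rules. On the second firewall, only web DMZ hosts opening tcp/1433 to the DB DMZ succeed, the database's replies ride on that state, and a connection originated from the DB tier is dropped, which is the direction that matters if a web server is compromised.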


