RE: Webserver, DMZ, ports questions

From: Wagner Martini (wagner@informan.pt)
Date: 07/20/01


From: "Wagner Martini" <wagner@informan.pt>
Subject: RE: Webserver, DMZ, ports questions
Date: Fri, 20 Jul 2001 10:25:38 +0100
Message-ID: <002c01c110fd$f11f3890$0102010a@informan.pt>


Use
                                        Outside(0%)           inside(100%)
Internet --- Router(W/ Firewall) ----------- Firewall ------------ intranet(Your Network)
                  Outside -> TCP80 (WWW) DMZ1(80%)| |Dmz2(50%)
                  Outside -> TCP established      | |
                                                  | |
                              WWW(Outside -> 80)  | |  DataBase(DMZ2 -> PORT(SQL?))

Use Cisco Systems,
Firewall= PIX 515UR
Router= 1720 + IP/FW/IDS (deny: pings, netbios-session, telnet, 127.0.0.0 and 224.0.0.0)

Think this....

Regards,
Wagner
CCNA

-----Original Message-----
From: Bartel, Matt [mailto:Matt.Bartel@qg.com]
Sent: Tuesday, 17 July 2001 20:12
To: focus-ms@securityfocus.com
Subject: Webserver, DMZ, ports questions

I have two questions that I feel rather dumb about asking:

If I am running a setup as follows:
Internet<->Firewall<->DMZ<->Firewall<->Internal Network

and I am running webservers in the DMZ that need to pull info out of
databases (that hold confidential information), where is the best place
to put the db's??? If I put them in the internal network, I would have
to make a rule to allow the webservers to access the db's through the FW
(which defeats the point of the FW)...if I do not allow the webservers
to go through the FW, then they cannot access the db's, unless I would
put them in the DMZ...What is the safest way to do this? What would
basic, sample rules that would be optimal in this type of setup look
like?

Also, one other really dumb question, while I'm on a roll:
I know that I should *only* allow port 80 into the DMZ, but do you allow
*ALL* ports to go out??? Doesn't the webserver use all different local
ports to talk out onto the Internet? If I wanted to do the following
(assuming there is no internal network): Internet<->Firewall<->Webserver

Can I allow *only* port 80 to run through the FW to the Internet (both
ways)? I am using IIS 5, and I am under the belief that IIS opens ports
(source ports???) on the local machine to talk out to the world...If I
only allowed 80 to go out, wouldn't that effectively block the webserver
from talking onto the net, since it picks high ports (like 5000, or
whatever)?

Thank you.
-Matt
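A constructed model of the rule set in Wagner's diagram, and of the "established" return traffic Matt asks about, added here as an illustration (it is Python, not PIX configuration, and the addresses, source ports and the SQL port 1433 are assumed):

```python
from collections import namedtuple

# Constructed model of the stateful PIX-style firewall in the diagram above
# (not Cisco code). Interfaces carry a security level: higher -> lower is
# allowed by default, lower -> higher only through an explicit permit, and
# replies to tracked connections pass regardless of level ("established").
Packet = namedtuple("Packet", "src_if src_ip sport dst_if dst_ip dport syn")

LEVELS = {"outside": 0, "dmz2": 50, "dmz1": 80, "inside": 100}
SQL_PORT = 1433  # assumed; the diagram only says PORT(SQL?)
WWW, DB = "10.1.1.80", "10.2.2.10"  # constructed DMZ1 / DMZ2 addresses
# Explicit permits for lower -> higher traffic: Outside -> TCP80 (WWW)
PERMITS = {("outside", "dmz1", WWW, 80)}
# Narrow the default higher -> lower allowance: DMZ1 may reach DMZ2 only on SQL
RESTRICT = {("dmz1", "dmz2"): {SQL_PORT}}

class StatefulFirewall:
    def __init__(self):
        self.conns = set()  # tracked connections as (src_ip, sport, dst_ip, dport)

    def check(self, p):
        # Reply to a tracked connection: the "Outside -> TCP established" rule.
        if (p.dst_ip, p.dport, p.src_ip, p.sport) in self.conns:
            return "allow-established"
        if not p.syn:  # non-SYN packet with no state never creates a flow
            return "drop-no-state"
        key = (p.src_ip, p.sport, p.dst_ip, p.dport)
        if LEVELS[p.src_if] > LEVELS[p.dst_if]:
            allowed = RESTRICT.get((p.src_if, p.dst_if))
            if allowed is None or p.dport in allowed:
                self.conns.add(key)
                return "allow-level"
            return "drop-restricted"
        if (p.src_if, p.dst_if, p.dst_ip, p.dport) in PERMITS:
            self.conns.add(key)
            return "allow-permit"
        return "drop"

def demo():
    """Walk the flows discussed in the thread; client address and ports are constructed."""
    fw, client = StatefulFirewall(), "203.0.113.5"
    return [
        fw.check(Packet("outside", client, 40000, "dmz1", WWW, 80, True)),       # browser -> web server
        fw.check(Packet("dmz1", WWW, 80, "outside", client, 40000, False)),     # web reply: established
        fw.check(Packet("outside", client, 40001, "dmz1", WWW, 5000, True)),    # unsolicited high port
        fw.check(Packet("dmz1", WWW, 5000, "dmz2", DB, SQL_PORT, True)),        # web server -> DB
        fw.check(Packet("dmz2", DB, SQL_PORT, "dmz1", WWW, 5000, False)),       # DB reply: established
        fw.check(Packet("dmz1", WWW, 5001, "dmz2", DB, 445, True)),             # DB on a non-SQL port
        fw.check(Packet("outside", client, 40002, "dmz2", DB, SQL_PORT, True)), # Internet -> DB
    ]
```

The web server's replies leave from source port 80 and match the tracked flow, so only port 80 needs an explicit permit; its own outbound connections use ephemeral source ports but still only reach the database on the SQL port.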