RE: Webserver, DMZ, ports questions

From: Wagner Martini (wagner@informan.pt)
Date: 07/20/01


From: "Wagner Martini" <wagner@informan.pt>
Subject: RE: Webserver, DMZ, ports questions
Date: Fri, 20 Jul 2001 10:25:38 +0100
Message-ID: <002c01c110fd$f11f3890$0102010a@informan.pt>


Use
                                                      Outside(0%)            inside(100%)
Internet --- Router(W/ Firewall) ---------------------- Firewall ------------ intranet(Your Network)
                  Outside -> TCP80 (WWW)              DMZ1(80%)| |Dmz2(50%)
                  Outside -> TCP established                   | |
                                                               | |
                                          WWW(Outside -> 80)   | DataBase(DMZ2 -> PORT(SQL?))

Use Cisco Systems,
Firewall= PIX 515UR
Router= 1720 + IP/FW/IDS (deny: pings, netbios-session, telnet,
127.0.0.0 and 224.0.0.0)

Think this....

Regards,
Wagner
CCNA

-----Original Message-----
From: Bartel, Matt [mailto:Matt.Bartel@qg.com]
Sent: Tuesday, 17 July 2001 20:12
To: focus-ms@securityfocus.com
Subject: Webserver, DMZ, ports questions

I have two questions that I feel rather dumb about asking:

If I am running a setup as follows:
Internet<->Firewall<->DMZ<->Firewall<->Internal Network

and I am running webservers in the DMZ that need to pull info out of
databases (that hold confidential information), where is the best place
to put the db's??? If I put them in the internal network, I would have
to make a rule to allow the webservers to access the db's through the FW
(which defeats the point of the FW)...if I do not allow the webservers
to go through the FW, then they cannot access the db's, unless I would
put them in the DMZ...What is the safest way to do this? What would
basic sample rules that would be optimal in this type of setup look
like?

Also, one other really dumb question, while I'm on a roll:
I know that I should *only* allow port 80 into the DMZ, but do you allow
*ALL* ports to go out??? Doesn't the webserver use all different local
ports to talk out onto the Internet? If I wanted to do the following
(assuming there is no internal network): Internet<->Firewall<->Webserver

Can I allow *only* port 80 to run through the FW to the Internet (both
ways)? I am using IIS 5, and I am under the belief that IIS opens ports
(source ports???) on the local machine to talk out to the world...If I
only allowed 80 to go out, wouldn't that effectively block the webserver
from talking onto the net, since it picks high ports (like 5000, or
whatever)?

Thank you.
-Matt
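As an added worked example (written for this archive page; it is not Wagner's or Matt's own configuration and was not part of the thread), here is one way to express the design Wagner sketches above in Cisco IOS (the 1720 router) and PIX 6.x (the 515) syntax. It covers both of Matt's questions: the database lives on its own PIX interface (DMZ2, security level 50) and is reachable from the web server only on the SQL port, and the web server needs no "allow all ports out" rule at all, because the PIX connection table and the IOS `established` keyword pass the replies to inbound port-80 sessions on their own. All addresses (203.0.113.0/24 outside, 10.1.x.0/24 for the PIX interfaces), the interface numbers, the access-list names and the SQL port 1433 (the MS SQL default; the thread only says "PORT(SQL?)") are assumptions.

```cisco
! ---- 1720 router: inbound ACL on the Internet-facing interface ----
! The four "deny" rules Wagner lists, then only new connections to the
! published web address; everything else from outside is logged and dropped.
access-list 101 remark spoofed loopback / multicast sources
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip 224.0.0.0 15.255.255.255 any
access-list 101 remark no pings, netbios-session or telnet from the Internet
access-list 101 deny   icmp any any echo
access-list 101 deny   tcp any any eq 139
access-list 101 deny   tcp any any eq telnet
access-list 101 remark Outside -> TCP80 (WWW): the only new inbound session type
access-list 101 permit tcp any host 203.0.113.10 eq 80
access-list 101 remark Outside -> TCP established: replies to sessions opened from our side
access-list 101 permit tcp any any established
access-list 101 deny   ip any any log
!
interface Serial0
 ip access-group 101 in

: ---- PIX 515UR: security levels as in the diagram ----
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security80
nameif ethernet3 dmz2 security50
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.1.100.1 255.255.255.0
ip address dmz1 10.1.80.1 255.255.255.0
ip address dmz2 10.1.50.1 255.255.255.0
: Publish the web server (10.1.80.10 on dmz1) as 203.0.113.10; only port 80 is allowed in
static (dmz1,outside) 203.0.113.10 10.1.80.10 netmask 255.255.255.255 0 0
access-list outside_in permit tcp any host 203.0.113.10 eq 80
access-group outside_in in interface outside
: Present the web server under its own address on dmz2, then permit only the SQL port.
: Because this ACL is applied to dmz1, the web server cannot open anything else,
: not even to the Internet; its HTTP replies still flow via the connection table.
static (dmz1,dmz2) 10.1.80.10 10.1.80.10 netmask 255.255.255.255 0 0
access-list dmz1_in permit tcp host 10.1.80.10 host 10.1.50.10 eq 1433
access-group dmz1_in in interface dmz1
: dmz2 (security50) may not initiate towards dmz1 or inside: lower security to
: higher security needs an explicit static plus access-list, and none is given.
```

Two things the example deliberately leaves out, so they are visible design choices rather than omissions: there is no `nat`/`global` pair for the inside network, so publishing content from the intranet to the DMZ hosts needs its own translation and rules, and the web server has no DNS, NTP or update path because the dmz1 access-list permits only the SQL flow. If the server genuinely needs one of those, add a single line for that destination and port rather than opening all outbound ports, which is exactly the "source ports" worry in Matt's second question: the high local ports IIS picks are the client side of a connection the firewall already tracks, not something that needs a rule of its own.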


