Firewalling with a webserver and DB

From: Bartel, Matt (Matt.Bartel_at_qg.com)
Date: 07/17/01


If I am running a setup as follows:
Internet<->Firewall<->DMZ<->Firewall<->Internal Network

and I am running webservers in the DMZ that need to pull info out of
databases (that hold confidential information), where is the best place to
put the DBs? If I put them in the internal network, I would have to make
a rule to allow the webservers to access the DBs through the FW (which
defeats the point of the FW). If I do not allow the webservers to go
through the FW, then they cannot access the DBs, unless I put them in
the DMZ. What is the safest way to do this? What would basic sample rules
that would be optimal in this type of setup look like?

Also, one other really dumb question, while I'm on a roll:
I know that I should *only* allow port 80 into the DMZ, but do you allow
*ALL* ports to go out? Doesn't the webserver use all different local
ports to talk out onto the Internet? If I wanted to do the following
(assuming there is no internal network):
Internet<->Firewall<->Webserver

Can I allow *only* port 80 through the FW to the Internet (both
ways)? I am using IIS 5, and I am under the belief that IIS opens ports
(source ports?) on the local machine to talk out to the world. If I only
allowed 80 to go out, wouldn't that effectively block the webserver from
talking onto the net, since it picks high ports (like 5000, or whatever)?

Thank you.
-Matt
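As an added example, not part of Matt's post or of any reply on the list: a small Python model of the two-firewall layout he describes (Internet, outer FW, DMZ web server, inner FW, internal DB). Each firewall is default-deny with a connection table, so reply packets are accepted because a flow was already admitted, not because every high port is open. The addresses, the 198.51.100.9 / 203.0.113.5 Internet hosts, the choice of TCP 1433 for the database (the post does not say which DB is in use) and the iptables rendering of the rules are all assumptions made for the example.

```python
"""Stateful two-firewall model: Internet <-> outer FW <-> DMZ (web) <-> inner FW <-> DB.
Added example with constructed addresses; the DB port is an assumption (MS SQL, 1433)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

WEB = "192.0.2.10"        # assumption: DMZ web server address
DB = "10.0.0.20"          # assumption: internal database server address
DB_PORT = 1433            # assumption: the post does not name the database product


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False     # True = TCP SYN, i.e. a brand-new connection attempt


@dataclass(frozen=True)
class Rule:
    """An allow rule for NEW connections; replies never need a rule of their own."""
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and (self.dport is None or p.dport == self.dport))

    def as_iptables(self) -> str:
        # Equivalent Linux rule (assumption: shown only to make the rule concrete).
        port = "" if self.dport is None else f" --dport {self.dport}"
        return (f"iptables -A FORWARD -p tcp -s {self.src} -d {self.dst}{port}"
                " -m conntrack --ctstate NEW -j ACCEPT")


class StatefulFirewall:
    """Default-deny filter with a flow table, the way a stateful firewall handles replies."""

    def __init__(self, name: str, allow: list[Rule]):
        self.name, self.allow = name, allow
        self.flows: set[tuple] = set()   # accepted flows as (src, sport, dst, dport)

    def filter(self, p: Packet) -> str:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.flows or rev in self.flows:
            return "ACCEPT"        # ESTABLISHED: the reply to an admitted flow, any port
        if not p.syn:
            return "DROP"          # non-SYN with no state (e.g. an ACK scan) is invalid
        if any(r.matches(p) for r in self.allow):
            self.flows.add(fwd)    # remember the flow so its replies pass without a rule
            return "ACCEPT"
        return "DROP"              # default deny

    def ruleset(self) -> list[str]:
        return (["iptables -P FORWARD DROP",
                 "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
                + [r.as_iptables() for r in self.allow])


def build() -> tuple[StatefulFirewall, StatefulFirewall]:
    outer = StatefulFirewall("outer", [Rule(dst=WEB, dport=80)])              # only 80 to web
    inner = StatefulFirewall("inner", [Rule(src=WEB, dst=DB, dport=DB_PORT)])  # web -> DB only
    return outer, inner


def run_scenarios() -> dict[str, str]:
    """Constructed packets exercising both firewalls; returns label -> verdict."""
    outer, inner = build()
    client, attacker = "203.0.113.5", "198.51.100.9"   # constructed Internet hosts
    return {
        "client SYN to web:80": outer.filter(Packet(client, 51234, WEB, 80, syn=True)),
        "web reply from :80 to client ephemeral port": outer.filter(Packet(WEB, 80, client, 51234)),
        "web opens its own connection out to the Internet": outer.filter(Packet(WEB, 49152, client, 80, syn=True)),
        "attacker SYN to web:1433": outer.filter(Packet(attacker, 40000, WEB, DB_PORT, syn=True)),
        "attacker ACK with no state to web:80": outer.filter(Packet(attacker, 40001, WEB, 80)),
        "web SYN to DB:1433": inner.filter(Packet(WEB, 49153, DB, DB_PORT, syn=True)),
        "DB reply to web ephemeral port": inner.filter(Packet(DB, DB_PORT, WEB, 49153)),
        "web SYN to another internal host :445": inner.filter(Packet(WEB, 49154, "10.0.0.30", 445, syn=True)),
        "DB SYN to web:80": inner.filter(Packet(DB, 50000, WEB, 80, syn=True)),
        "Internet host SYN straight to DB:1433": inner.filter(Packet(attacker, 40002, DB, DB_PORT, syn=True)),
    }


if __name__ == "__main__":
    for fw in build():
        print(f"# {fw.name} firewall")
        print("\n".join(fw.ruleset()))
    for label, verdict in run_scenarios().items():
        print(f"{verdict:6} {label}")
```

Two things the scenarios make visible: the web server's replies (source port 80, destination some high client port) pass the outer firewall without any "all ports out" rule, while a connection the web server initiates itself is dropped, so a box that only serves HTTP needs nothing opened outbound; and the inner firewall admits exactly one flow, web server to DB on the one port, so a compromised web server cannot reach anything else on the internal network and nothing on the Internet can reach the DB directly. That narrow rule is the usual answer to the "defeats the point of the FW" worry: the firewall still denies everything except the single flow the application requires.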
