RE: Firewalling with a webserver and DB
From: Bell, James (AZ76) (James.Bell_at_honeywell.com)
In reply to: Bartel, Matt: "Firewalling with a webserver and DB"
We've actually got something like this that we're doing now, except we're
putting an extra layer in by setting up a reverse proxy, for a
customer/supplier "extranet". I would love to know people's opinions.
Traffic flow will be:
1) Internet host can only make web (ssl) requests to reverse proxy through
packet filter firewall #1
2) Only rev. proxy can proxy those requests to web servers (possibly some
round robin here) through firewall #2.
3) Only web servers can connect to app. servers through firewall #2.
4) Only app servers can connect to DB.
> -----Original Message-----
> From: Bartel, Matt [mailto:Matt.Bartel_at_qg.com]
>
> If I am running a setup as follows:
>
> Internet<->Firewall<->DMZ<->Firewall<->Internal Network
>
> and I am running webservers in the DMZ that need to pull info out of
> databases (that hold confidential information), where is the best place to
> put the db's??? If I put them in the internal network, I would have to make
> a rule to allow the webservers to access the db's through the FW (which
> defeats the point of the FW)...if I do not allow the webservers to go
> through the FW, then they cannot access the db's, unless I would put them in
> the DMZ...What is the safest way to do this? What would basic, sample rules
> look like that would be optimal in this type of a setup?
>
> Also, one other really dumb question, while I'm on a roll:
>
> I know that I should *only* allow port 80 into the DMZ, but do you allow
> *ALL* ports to go out??? Doesn't the webserver use all different local
> ports to talk out onto the Internet? If I wanted to do the following
> (assuming there is no internal network):
>
> Can I allow *only* port 80 to run through the FW to the Internet (both
> ways)? I am using IIS 5, and I am under the belief that IIS opens ports
> (source ports???) on the local machine to talk out to the world...If I only
> allowed 80 to go out, wouldn't that effectively block the webserver from
> talking onto the net, since it picks high ports (like 5000, or whatever)?
>
> Thank you.
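The four-hop design in the reply above (Internet to proxy, proxy to web tier, web to app tier, app to database) and the question in the quoted message about whether every outbound port has to be opened can both be checked against a small model of a stateful packet filter. The model below is an added example written for this archive page, not code from either poster: the segment addresses, the zone names and the service ports (443 from the Internet to the proxy and from the proxy to the web tier, 8080 to the app tier, 1433 to the database) are all assumptions. It shows why a server that only listens on one port does not need "all ports out": reply packets match the connection table rather than a rule, while anything the web server starts on its own, or any hop that skips a tier, is dropped.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed segment addressing for the example (not from the thread).
ZONES = {
    "proxy": ip_network("192.0.2.10/32"),  # reverse proxy, outer DMZ
    "web":   ip_network("10.1.0.0/24"),    # web servers behind firewall #2
    "app":   ip_network("10.2.0.0/24"),    # application servers
    "db":    ip_network("10.3.0.0/24"),    # database servers
}


def zone_of(ip: str) -> str:
    """Map an address to its segment; anything outside a known segment is 'internet'."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dport: int  # destination port a NEW connection may be opened to


# The four hops from the reply; the service ports are assumptions.
RULES = [
    Rule("internet", "proxy", 443),   # 1) only SSL from the Internet, only to the proxy
    Rule("proxy",    "web",   443),   # 2) only the proxy reaches the web tier
    Rule("web",      "app",   8080),  # 3) only web servers reach the app tier
    Rule("app",      "db",    1433),  # 4) only app servers reach the database
]


class StatefulFilter:
    """Default-deny filter with a connection table, the way a stateful firewall behaves."""

    def __init__(self, rules):
        self.rules = rules
        self.established = set()  # 4-tuples of accepted NEW connections

    def check(self, src: str, sport: int, dst: str, dport: int) -> str:
        # A packet whose reverse tuple is in the table is a reply to an
        # accepted connection, so ephemeral ports never need a rule of their own.
        if (dst, dport, src, sport) in self.established:
            return "ACCEPT (established)"
        sz, dz = zone_of(src), zone_of(dst)
        for rule in self.rules:
            if (sz, dz, dport) == (rule.src_zone, rule.dst_zone, rule.dport):
                self.established.add((src, sport, dst, dport))
                return "ACCEPT (new)"
        return "DROP"


def run_scenarios() -> dict:
    """Constructed traffic through the four-tier design; returns verdict per case."""
    fw = StatefulFilter(RULES)
    return {
        # Internet client from a high source port to the proxy: matches rule 1.
        "client->proxy": fw.check("203.0.113.5", 51234, "192.0.2.10", 443),
        # The proxy's reply goes back to the client's high port: allowed by state.
        "proxy->client reply": fw.check("192.0.2.10", 443, "203.0.113.5", 51234),
        # Proxy opens a connection to a web server from its own ephemeral port.
        "proxy->web": fw.check("192.0.2.10", 40001, "10.1.0.5", 443),
        # Web server answers the proxy: state again, no outbound rule needed.
        "web->proxy reply": fw.check("10.1.0.5", 443, "192.0.2.10", 40001),
        # Internet host tries to skip the proxy and reach a web server directly.
        "internet->web": fw.check("203.0.113.5", 51235, "10.1.0.5", 443),
        # Web server tries to reach the database without going through the app tier.
        "web->db": fw.check("10.1.0.5", 5000, "10.3.0.5", 1433),
        # Web server starts an unsolicited outbound connection to the Internet.
        "web->internet": fw.check("10.1.0.5", 5000, "198.51.100.7", 80),
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:22s} {verdict}")
```

The two "reply" cases are the answer to the source-port question: the server answers from port 443 (or 80) to whatever high port the client chose, and a stateful filter admits that packet because the original connection is in its table. Connections the web server initiates itself (updates, DNS, or anything an intruder on that box would try) still need an explicit rule per destination and port, which is what keeps "only 80 in" from silently becoming "everything out".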