RE: Firewalling with a webserver and DB

From: Bell, James (AZ76) (
Date: 07/19/01

We've actually got something like this that we're doing now, except we're
putting an extra layer in by setting up a reverse proxy, for a
customer/supplier "extranet". I would love to know people's opinions.

Firewall2<->DMZstrong<->Web servers

Traffic flow will be:
1) Internet host can only make web (ssl) requests to reverse proxy through
packet filter firewall#1
2) Only rev. proxy can proxy those requests to web servers (possibly some
round robin here) through firewall #2.
3) Only web servers can connect to app. servers through firewall #2.
4) Only app servers can connect to DB.

> -----Original Message-----
> From: Bartel, Matt []
> If I am running a setup as follows:
> Internet<->Firewall<->DMZ<->Firewall<->Internal Network
> and I am running webservers in the DMZ that need to pull info out of
> databases (that hold confidential information), where is the best place to
> put the DBs??? If I put them in the internal network, I would have to make
> a rule to allow the webservers to access the DBs through the FW (which
> defeats the point of the FW)... if I do not allow the webservers to go
> through the FW, then they cannot access the DBs, unless I would put them in
> the DMZ... What is the safest way to do this? What would basic, sample rules
> look like that would be optimal in this type of a setup?
> Also, one other really dumb question, while I'm on a roll:
> I know that I should *only* allow port 80 into the DMZ, but do you allow
> *ALL* ports to go out??? Doesn't the webserver use all different local
> ports to talk out onto the Internet? If I wanted to do the following
> (assuming there is no internal network):
> Internet<->Firewall<->Webserver
> Can I allow *only* port 80 to run through the FW to the Internet (both
> ways)? I am using IIS 5, and I am under the belief that IIS opens ports
> (source ports???) on the local machine to talk out to the world... If I only
> allowed 80 to go out, wouldn't that effectively block the webserver from
> talking onto the net, since it picks high ports (like 5000, or whatever)?
> Thank you.
> -Matt