RE: Secure Infrastructure

From: Nelson, Jeffrey (
Date: 05/21/02

From: "Nelson, Jeffrey" <>
To: 'Dan Williamson' <>,
Date: Tue, 21 May 2002 08:47:01 -0400

Hello Dan,

The architecture you set up will depend on the sensitivity of the data, the
risk value involved and the money your company has to spend, as I am sure
you already know.

The need for a firewall is not negated by the need for a two-way connection.
I have experience with PIX so my example will be based on this. You can
specify a conduit through the firewall from one and only one address on the
outside to one and only one address on the inside. This will ensure that
only data from the web server gets to the SQL server. Likewise, with a
conduit going out you can specify that data from the SQL server goes only to
the web server.

The most secure architecture could go something like this. A firewall for
each protocol coming into the DMZ. User authentication into the DMZ via a
SOCKS proxy by which you can also determine permitted destinations. Traffic
destined for the web server is proxied by application. All traffic to and
from the web server is 128-bit SSL. Authentication at the web server is
verified at the SQL server. No login/password or any other type of data on
the web server. Or, better yet, initial authentication to the web server
could be verified against something like active directory or ACF2 and a
secondary authentication to the SQL server. Ensure no cached information
exists, clicking the 'back' button gets the user nowhere. Queries from the
web server to the SQL server are encrypted and go through another firewall
and, again, proxied by application on the inside of this firewall. Also, set
up a timeout value so that each session expires after inactivity. NAT
traffic from the core-DMZ firewall and then NAT the traffic from the
DMZ-Internet firewall. Set up an IDS for the web server.

...or something like that...



-----Original Message-----
From: Dan Williamson []
Sent: Monday, May 20, 2002 2:39 PM
Subject: Secure Infrastructure

I currently am faced with a troublesome infrastructure

We have some real-time data that resides on an SQL server
in our intranet. This data is queried and updated by users
via a web server that is in our DMZ. Queries are sent from
the web server in the DMZ to the SQL server and data is
provided from the SQL server back to the web server based
on the queries. This obviously requires a two way
connection through the firewall which negates the reason
for the firewall in the first place. The question I have is
what is the most secure network design for these systems?
How do you provide access to real-time sensitive data in a
secure environment? Financial, medical and other government
agencies provide this kind of real-time information on a
daily basis so I know there are ways to do what we need.
I'm just not sure how yet.

Any suggestions would be greatly appreciated.

Relevant Pages

  • RE: Secure Infrastructure
    ... Now that will only work if the boxes are physically adjacent and you can ... and allow only sql traffic from the web server plus the replies. ... iptables scripts - quite apart from whatever the main firewall ... We have some real-time data that resides on an SQL server ...
  • Re: disconnect a hacker
    ... My Web server station is right next ... my attention divided by security concerns... ... see an IP connected to port 80, ... I've been forwarding my firewall logs to my ISP, ...
  • Re: Firewall on server itself
    ... Perhaps the iptables could defend against an intruder who is already ... Firewall vender specific vulnerabilities ... >> be configured to protect the web server as well other computers on ... > The Gartner Group just put Neoteris in the top of its Magic Quadrant, ...
  • Re: [fw-wiz] Using SSL accelerators in firewalls
    ... It also depends on what you're using your SSL for, and how tightly you can couple ... your firewall with your web application. ... web server don't have to be very aware of each other. ... >> lost in the process and the security of transactions eroded. ...
  • Re: Web server behind Symantec Enterprise Firewall
    ... I've published a virtual IP at the Firewall to which i route the http ... NAT rule AccesoServer was chosen, but client transparency is ... Since the web server is on the LAN, you shouldn't have to add any route ...