RE: Firewall DMZ
From: dts (dts@dallas.net)
Date: 08/28/02
- Previous message: Ben Croxton: "TCP/IP filtering issues...Please help!"
- In reply to: Daniel Miessler: "RE: Firewall DMZ"
- Next in thread: Daniel Miessler: "RE: Firewall DMZ"
- Reply: Daniel Miessler: "RE: Firewall DMZ"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 28 Aug 2002 10:36:56 -0500
From: dts <dts@dallas.net>
To: 'Daniel Miessler' <danielrm26@hotmail.com>, 'Bryan Brannigan' <bbrannigan@HancockLumber.com>, security-basics@securityfocus.com
I have a question based on your suggestion. With your Webserver in the
DMZ and the Database server in the protected LAN, you have the ODBC port
open to the Database server. What is the chance that, if your Webserver
was owned, an attacker could access your LAN via the open ODBC port? I am
assuming this is the only open port from the webserver to the database
server?
Would it not make more sense to place the database servers (unless for
some reason they needed to talk to the main network) in a separate
private segment of your internal network and not mixed in with the rest
of the internal network, just in case the Database server was owned?
Could you also use IPSEC (if this is a 2000 network) security from the
Webserver to the Database server and tunnel the ODBC port through it?
This would increase your encryption level between the servers and set up
server to server authentication. This should also work for the mail
server talking to a database...but then again this is based on a 2000
network setup.
This could be totally wrong but wanted to ask anyway....
Thanks,
Dave
-----Original Message-----
From: Daniel Miessler [mailto:danielrm26@hotmail.com]
Sent: Tuesday, August 27, 2002 11:04 PM
To: 'Bryan Brannigan'; security-basics@securityfocus.com
Subject: RE: Firewall DMZ
The webserver should stay in the DMZ, and you keep your database on your
internal network. You pass ODBC into your internal firewall, and that
is how your webserver talks to your database.
Don't put your webserver on your internal network. If it gets owned
then it makes a nice launching point for attacks - hence the reason for
a DMZ.
--danielrm26
> -----Original Message-----
> From: Bryan Brannigan [mailto:bbrannigan@HancockLumber.com]
> Sent: Tuesday, August 27, 2002 4:47 PM
> To: 'security-basics@securityfocus.com'
> Subject: Firewall DMZ
>
> I have a web server, mail server and FTP server that I would like to
> segment out onto a DMZ. The mail server and FTP server are basically
> standalone and are accessed by clients from the LAN and WAN. The mail
> server needs to access database servers that remain inside the LAN for
> protection.
>
> What would be the recommended setup as far as should the web server go
> onto the DMZ or should it remain on the LAN? What type of firewall rules
> should be setup between the LAN and DMZ?
>
> Thanks
> -Bryan
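The segmentation the thread converges on (web and mail servers in the DMZ, the database on its own internal segment, and only the single ODBC flow allowed through the internal firewall) can be checked as a first-match rule set. This is an added example, not code from any poster; the addresses, the TCP port 1433 used to stand in for "the ODBC port", and the rule names are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed addressing (not from the thread): DMZ for web/mail/ftp, a
# dedicated database segment, and the general LAN kept separate from both.
DMZ = ip_network("192.0.2.0/24")
DB_NET = ip_network("10.10.20.0/24")
LAN = ip_network("10.10.10.0/24")
WEB, MAIL, DB = "192.0.2.10", "192.0.2.20", "10.10.20.5"
ODBC_PORT = 1433  # assumed port for the database listener


def host(addr: str):
    """Single-host network, so hosts and subnets share one matching path."""
    return ip_network(f"{addr}/32")


@dataclass(frozen=True)
class Rule:
    src: object            # ip_network the source must fall in
    dst: object            # ip_network the destination must fall in
    dport: Optional[int]   # None matches any destination port
    action: str            # "ACCEPT" or "DROP"


# Internal-firewall policy: permit exactly the two needed flows on the one
# port, then explicitly deny DMZ -> internal and database segment -> LAN.
INTERNAL_FW = [
    Rule(host(WEB), host(DB), ODBC_PORT, "ACCEPT"),   # webserver -> DB, ODBC only
    Rule(host(MAIL), host(DB), ODBC_PORT, "ACCEPT"),  # mail server -> DB, ODBC only
    Rule(DMZ, DB_NET, None, "DROP"),
    Rule(DMZ, LAN, None, "DROP"),
    Rule(DB_NET, LAN, None, "DROP"),  # an owned DB host cannot roam the LAN
]


def evaluate(rules, src: str, dst: str, dport: int, default: str = "DROP") -> str:
    """First matching rule wins; anything unmatched falls to the default deny."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if s in r.src and d in r.dst and (r.dport is None or r.dport == dport):
            return r.action
    return default


def reachable_from(rules, src: str, targets, ports):
    """(host, port) pairs a source can reach: the blast radius if it is owned."""
    return sorted((t, p) for t in targets for p in ports
                  if evaluate(rules, src, t, p) == "ACCEPT")


if __name__ == "__main__":
    # From a compromised webserver only the database on the ODBC port is reachable.
    print(reachable_from(INTERNAL_FW, WEB, [DB, "10.10.10.7"], [ODBC_PORT, 445, 3389]))
```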