Re: SQL2000 based website: DMZ or LAN placement

From: Richard H Miller (rick_at_bcm.tmc.edu)
Date: 11/03/03


Date: 3 Nov 2003 16:51:41 GMT

Dave (dogrady@my-deja.com) wrote:
: Hi folks
: Soon going to be updating a website. It will be IIS on one box (in the
: DMZ) and SQL2000 on the other. My initial thinking was to put the
: SQL2000 inside and create rules to allow the IIS box to talk to the
: SQL given that the SQL server will also be used for non-web data as
: well. However, in doing some reading, the other suggested option would
: be to put the SQL server in the DMZ, and allow no direct access to it
: from the 'net. My questions are:

: 1) Given that we will have non-web data on the SQL box along with the
: website, what is the "best practice" design to keep it secure (given
: that I only have the two servers)

: 2) If the answer is "IIS in DMZ, SQL on LAN" I need some pointers on
: the firewall rule. I've seen more than once that the rule needs to be
: *All -> 1433* and
: *1433 -> All*
: Would that work?
: Source       Dest         Port
: IIS server   SQL server   1433
: SQL server   IIS server   1433
: Or is this too limited to work with dynamic ports?

Remember what the point of a DMZ is: it is a network cloud to place public
servers that is separate from your internal LAN. You should assume
that eventually the web server will be compromised, and the DMZ is designed
to mitigate the risk to your internal network when that happens. If you place
both systems in the DMZ, you have added no additional security to the SQL data
since it is fully exposed to the compromised web server.

But if the SQL server is placed inside the internal network then it will not
be directly exposed. If you use a service account embedded in the code of your
web application to communicate with the SQL server, you will reduce the risk to
your private data substantially. [Because the SQL server must be partially open
to allow data to flow to the web server, you cannot totally eliminate the risk,
but using the approach does reduce it. It basically protects your private data
from the normal 'script kiddy' attack. It will not survive a concentrated attempt
to reverse engineer the application by someone who really wants the data.]

Your second rule would work: IIS <-> SQL, allow port 1433.

Richard H. Miller, MCSE, CCSEplus
Information Security Manager
Information Technology Security and Compliance
Information Technology - Baylor College of Medicine
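An added example of the "IIS in DMZ, SQL on LAN" rule set discussed above, written for a Linux iptables firewall in iptables-restore format (the poster's firewall product is not stated, so this is an assumption, as are the placeholder addresses and interface names). It emits the policy for review rather than applying it, and the check function confirms that only the web server can open a connection, only to TCP 1433, with replies handled by connection tracking instead of a second "SQL -> IIS 1433" rule.

```shell
#!/bin/sh
# Constructed example for the thread's topology: IIS in the DMZ, SQL Server
# on the internal LAN, firewall in between. Review the output, then apply with:
#   ./dmz_rules.sh | iptables-restore
IIS_IP="${IIS_IP:-192.0.2.10}"    # DMZ web server (placeholder, TEST-NET-1)
SQL_IP="${SQL_IP:-10.0.0.20}"     # internal SQL Server (placeholder)
DMZ_IF="${DMZ_IF:-eth1}"          # firewall interface facing the DMZ (assumed)
LAN_IF="${LAN_IF:-eth2}"          # firewall interface facing the LAN (assumed)

gen_rules() {
    cat <<EOF
*filter
:FORWARD DROP [0:0]
# Replies to already-accepted connections. Connection tracking covers the
# SQL -> IIS direction, so no rule allowing SQL to initiate is needed.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Only the web server may open connections, and only to the SQL listener.
# SQL Server must be pinned to TCP 1433 (a named instance on a dynamic
# port would silently fall outside this rule).
-A FORWARD -i $DMZ_IF -o $LAN_IF -s $IIS_IP -d $SQL_IP -p tcp --dport 1433 -m state --state NEW -j ACCEPT
# Everything else from the DMZ toward the LAN is logged and dropped, so a
# compromised web host cannot reach other internal systems.
-A FORWARD -i $DMZ_IF -o $LAN_IF -j LOG --log-prefix "DMZ->LAN denied: "
-A FORWARD -i $DMZ_IF -o $LAN_IF -j DROP
COMMIT
EOF
}

# Sanity checks to run before loading the policy; returns 0 when the
# rule set matches the intended design.
check_rules() {
    rules=$(gen_rules)
    # exactly one rule admits new connections, and it is IIS -> SQL:1433
    printf '%s\n' "$rules" | grep -c -- "--state NEW" | grep -qx 1 || return 1
    printf '%s\n' "$rules" | grep -q -- "-s $IIS_IP -d $SQL_IP -p tcp --dport 1433" || return 1
    # nothing lets the SQL host initiate traffic toward the DMZ
    printf '%s\n' "$rules" | grep -q -- "-s $SQL_IP" && return 1
    return 0
}

gen_rules
```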


