Re: DMZ design

From: Ansgar -59cobalt- Wiechers (usenet-2005_at_planetcobalt.net)
Date: 11/29/05

    Date: 29 Nov 2005 16:14:56 GMT

    sc_wizard29@hotmail.com wrote:
    > I would like to install a web-server on a DMZ. This web-server will
    > access a database hosted on the private network. In a book called "The
    > Practice of Network Security", the 2 following DMZ designs are
    > suggested:
    >
    > Design #1 (private network and DMZ connected to same FW):
    >
    > internet -> FW -> private network
    >               |
    >               +--> DMZ
    >
    > Design #2 (2 FWs):
    >
    > internet -> FW -> DMZ -> FW -> private network.
    >
    > The author says that "The most notable problem with design #1 is that
    > there is no way to securely update information on the servers. There
    > are also no facilities in place to secure the database transactions
    > between the web server and the database server, or any of the backend
    > servers".

    The mere network topology doesn't support this opinion in any possible
    way.

    > I'm afraid I don't understand what the author means... if I use design
    > #1 and if the FW is correctly configured, what can prevent me from
    > securing the database transactions?

    You don't want *any* host in the DMZ to be able to establish connections
    into your private network, since that would break the DMZ. Put the
    backend servers into the DMZ (or a separate second DMZ). Replicate
    (push!) the relevant data from your backend servers to servers in the
    DMZ. But *never* *ever* allow connections from the DMZ to the internal
    network.

    cu
    59cobalt

    -- 
    "Another option [for defragmentation] is to back up your important files,
    erase the hard disk, then reinstall Mac OS X and your backed up files."
    --http://docs.info.apple.com/article.html?artnum=25668
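
A small model of the two rulesets under discussion, added here as an example (it is not code from the thread or from the book the questioner cites). It encodes the single-firewall topology of design #1 as three zones and evaluates which side may *initiate* a connection; the CIDRs, port numbers and rule names are made up for illustration. The first ruleset is the one the questioner described (web server in the DMZ pulls from the internal database), the second is the one the reply recommends (backend reachable only by a push from the internal side, nothing in the DMZ may open a connection inward), and an audit function reports any rule that violates that invariant.

```python
"""Zone-policy model for the single-firewall DMZ design (design #1).

Added example, not part of the original post.  Zones, addresses and
ports are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addressing: one firewall with three interfaces/zones.
ZONES = {
    "internet": ipaddress.ip_network("0.0.0.0/0"),
    "dmz":      ipaddress.ip_network("192.0.2.0/24"),
    "internal": ipaddress.ip_network("10.0.0.0/8"),
}


def zone_of(ip: str) -> str:
    """Return the most specific zone containing ip (longest prefix wins);
    anything that is neither DMZ nor internal is treated as internet."""
    addr = ipaddress.ip_address(ip)
    best = "internet"
    for name, net in ZONES.items():
        if addr in net and net.prefixlen > ZONES[best].prefixlen:
            best = name
    return best


@dataclass(frozen=True)
class Rule:
    src: str              # zone allowed to initiate the connection
    dst: str              # zone the connection is opened to
    dport: Optional[int]  # destination port, None = any
    action: str           # "accept" or "drop"


def evaluate(rules, src_ip: str, dst_ip: str, dport: int) -> str:
    """First-match evaluation of a *new* connection; default policy is drop.
    Replies are assumed to be handled by connection tracking, so only
    the initiating direction is modelled."""
    s, d = zone_of(src_ip), zone_of(dst_ip)
    for r in rules:
        if r.src == s and r.dst == d and (r.dport is None or r.dport == dport):
            return r.action
    return "drop"


def dmz_to_internal_rules(rules):
    """Audit: every accept rule that lets a DMZ host open a connection
    into the private network.  Should always be empty."""
    return [r for r in rules if r.src == "dmz"
            and r.dst == "internal" and r.action == "accept"]


# Ruleset as the questioner described it: the DMZ web server pulls from a
# database on the private network.  A compromised web server now has a
# permitted path onto an internal host.
PULL_RULES = [
    Rule("internet", "dmz", 443, "accept"),
    Rule("dmz", "internal", 5432, "accept"),   # web -> DB: breaks the DMZ
    Rule("internal", "internet", None, "accept"),
]

# Ruleset following the reply: the backend sits in the DMZ (or a second
# DMZ) and the internal side pushes replicated data outward.  No rule
# lets the DMZ initiate anything toward the private network.
PUSH_RULES = [
    Rule("internet", "dmz", 443, "accept"),
    Rule("internal", "dmz", 5432, "accept"),   # replication push, internal -> DMZ
    Rule("internal", "internet", None, "accept"),
]


if __name__ == "__main__":
    for name, rules in (("pull", PULL_RULES), ("push", PUSH_RULES)):
        bad = dmz_to_internal_rules(rules)
        print(f"{name}: dmz->internal rules = {len(bad)}; "
              f"web->DB initiation = {evaluate(rules, '192.0.2.10', '10.1.2.3', 5432)}")
```

The audit is the check worth keeping around: run it against whatever representation of your real ruleset you can export, and treat any hit as a policy bug. Note that the model only covers who may open a connection; with a push from the internal side the firewall still has to let the reply packets back, which is what a stateful firewall's connection tracking does without a separate DMZ-to-internal rule.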
    
