Re: DMZ design

From: Ansgar -59cobalt- Wiechers (
Date: 11/29/05

Date: 29 Nov 2005 21:47:31 GMT

Leythos wrote:
> In article <>, says...
>> However, you still don't want any server in the DMZ to be able to
>> initiate connections to hosts inside the LAN.
> Again, it's not going to hold in a web to database design. You should
> never put the database server in the DMZ and you would never put the web
> server in the LAN -

Please tell me: why would I punch a hole into the firewall protecting my
LAN rather than putting a DB server into a (separate) DMZ and opening
that hole only between the two DMZs? Or (if the requirements allow this)
do put a DB server into the DMZ, and have the "real" DB server in the
LAN from where only the required subset is pushed to the DMZ-DB?

> so, you punch an IP:PORT hole through the DMZ>LAN for 1433 between the
> exact two IPs, and then your web app can access the MSSQL Server in the
> protected LAN.

No, I don't think I'm going to do this.

> Port 1433 isn't going to allow access to Enterprise Manager, and as
> long as your DB Server is patched, then allowing 1433 from the DMZ to
> LAN via IP:PORT>IP:PORT won't compromise the network.

And with one of the setups I described above, my network wouldn't be
compromised even *if* the webserver got compromised *and* there was an
unpatched vulnerability in the DBMS *and* an attacker had a 0-day.
Defense in depth.


"Another option [for defragmentation] is to back up your important files,
erase the hard disk, then reinstall Mac OS X and your backed up files."
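The two designs argued over in this thread, modelled as an added example that is not part of the original posts: a tiny default-deny policy evaluator that answers "which LAN hosts could a compromised web server open connections to?" under the single-DMZ hole (web host to LAN DB on 1433) and under the two-DMZ layout (web host to DMZ DB only, LAN DB pushing its subset outward). All addresses are constructed documentation ranges, the push is assumed to use 1433 as well, and the names (Rule, Policy, permits, lan_hosts_reachable_from) are this example's own.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network

# Constructed addressing (RFC 5737/1918 ranges) for the two designs in the thread.
ZONES = {
    "lan":     ip_network("10.0.0.0/24"),
    "dmz_web": ip_network("192.0.2.0/24"),
    "dmz_db":  ip_network("198.51.100.0/24"),
}
WEB_SERVER = ip_address("192.0.2.10")     # public-facing web server
DB_DMZ     = ip_address("198.51.100.20")  # DB holding only the pushed subset
DB_REAL    = ip_address("10.0.0.5")       # the "real" DB server in the LAN

@dataclass(frozen=True)
class Rule:
    src: IPv4Address   # exact source host
    dst: IPv4Address   # exact destination host
    dport: int         # TCP destination port

@dataclass(frozen=True)
class Policy:
    rules: tuple
    dmz_may_initiate_to_lan: bool

# Design A: one IP:PORT hole from the DMZ web host straight to the LAN DB.
SINGLE_DMZ = Policy((Rule(WEB_SERVER, DB_REAL, 1433),), dmz_may_initiate_to_lan=True)

# Design B: the web host reaches only the DMZ DB; the LAN DB pushes its subset
# into the DB DMZ (port 1433 assumed); no DMZ host may initiate into the LAN.
TWO_DMZ = Policy((Rule(WEB_SERVER, DB_DMZ, 1433), Rule(DB_REAL, DB_DMZ, 1433)),
                 dmz_may_initiate_to_lan=False)

def zone_of(addr: IPv4Address) -> str:
    return next((n for n, net in ZONES.items() if addr in net), "outside")

def permits(policy: Policy, src: str, dst: str, dport: int) -> bool:
    """Would the firewall let `src` open a new connection to `dst`:`dport`?
    Unmatched traffic is dropped (default deny); the zone invariant runs first."""
    s, d = ip_address(src), ip_address(dst)
    if (zone_of(s).startswith("dmz") and zone_of(d) == "lan"
            and not policy.dmz_may_initiate_to_lan):
        return False
    return any(r.src == s and r.dst == d and r.dport == dport for r in policy.rules)

def lan_hosts_reachable_from(policy: Policy, src: str, dport: int = 1433) -> list:
    """LAN hosts a compromised `src` could initiate connections to on `dport`."""
    return [str(h) for h in ZONES["lan"].hosts() if permits(policy, src, str(h), dport)]
```

Under SINGLE_DMZ the web server can still reach the real DB on 1433 once compromised; under TWO_DMZ its reach into the LAN is empty, and only the DMZ copy of the data is exposed.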