Re: DMZ design

From: Ansgar -59cobalt- Wiechers (usenet-2005_at_planetcobalt.net)
Date: 11/29/05
Date: 29 Nov 2005 21:47:31 GMT

Leythos wrote:
> In article <3v3o3nF13n3meU1@individual.net>, usenet-2005@planetcobalt.net says...
>> However, you still don't want any server in the DMZ to be able to
>> initiate connections to hosts inside the LAN.
>
> Again, it's not going to hold in a web to database design. You should
> never put the database server in the DMZ and you would never put the web
> server in the LAN -

Please tell me: why would I punch a hole into the firewall protecting my
LAN rather than putting a DB server into a (separate) DMZ and opening
that hole only between the two DMZs? Or (if the requirements allow this)
do put a DB server into the DMZ, and have the "real" DB server in the
LAN from where only the required subset is pushed to the DMZ-DB?

> so, you punch an IP:PORT hole through the DMZ>LAN for 1433 between the
> exact two IP, and then your web app can access the MSSQL Server in the
> protected LAN.

No, I don't think I'm going to do this.

> Port 1433 isn't going to allow access to Enterprise manager, and as
> long as your DB Server is patched, then allowing 1433 from the DMZ to
> LAN via IP:PORT>IP:PORT won't compromise the network.

And with one of the setups I described above, my network wouldn't be
compromised even *if* the webserver got compromised *and* there was an
unpatched vulnerability in the DBMS *and* an attacker had a 0-day.
Defense in depth.

cu
59cobalt

-- 
"Another option [for defragmentation] is to back up your important files,
erase the hard disk, then reinstall Mac OS X and your backed up files."
--http://docs.info.apple.com/article.html?artnum=25668
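The two designs argued over in this exchange, modelled as a first-match packet-filter policy so the difference in LAN exposure can be checked rather than asserted. This is an added example, not code from either poster or from any firewall product; the zone names, the RFC 1918 / RFC 5737 addresses, the rule syntax and the host roles (web server, DMZ DB replica, LAN master DB, LAN workstation) are all constructed for illustration. Design A is the single IP:PORT hole from the DMZ into the LAN on 1433; design B is the separate DB DMZ with the LAN-side master pushing the required subset outward, and no DMZ host allowed to initiate anything into the LAN.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

# Constructed addressing plan (an assumption for this example, not from the thread)
ZONES = {
    "lan":     ip_network("10.0.0.0/24"),
    "web-dmz": ip_network("172.16.1.0/24"),
    "db-dmz":  ip_network("172.16.2.0/24"),
}
WEB    = "172.16.1.10"   # public web server
DB_DMZ = "172.16.2.10"   # DB replica holding only the subset the web app needs
DB_LAN = "10.0.0.20"     # the "real" DB server on the LAN
CLIENT = "10.0.0.50"     # an ordinary LAN workstation

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: Optional[int]        # None matches any port
    action: str                    # "allow" or "deny"
    src_ip: Optional[str] = None   # pin to one host, or None for the whole zone
    dst_ip: Optional[str] = None

def zone_of(ip: str) -> str:
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"   # anything outside a defined zone is untrusted

def evaluate(policy: List[Rule], src_ip: str, dst_ip: str, dst_port: int) -> str:
    """First-match decision for a *new* connection src -> dst:port. Default deny."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for r in policy:
        if (r.src_zone, r.dst_zone) != (src_zone, dst_zone):
            continue
        if r.dst_port is not None and r.dst_port != dst_port:
            continue
        if r.src_ip is not None and r.src_ip != src_ip:
            continue
        if r.dst_ip is not None and r.dst_ip != dst_ip:
            continue
        return r.action
    return "deny"

# Design A: one IP:PORT hole from the web DMZ straight into the LAN
HOLE_INTO_LAN = [
    Rule("internet", "web-dmz", 443, "allow", dst_ip=WEB),
    Rule("web-dmz", "lan", 1433, "allow", src_ip=WEB, dst_ip=DB_LAN),
]

# Design B: a second DMZ for the database; no DMZ host may initiate into the LAN.
# The LAN-side master pushes the required subset out to the DMZ replica.
SEGREGATED_DMZS = [
    Rule("internet", "web-dmz", 443, "allow", dst_ip=WEB),
    Rule("web-dmz", "db-dmz", 1433, "allow", src_ip=WEB, dst_ip=DB_DMZ),
    Rule("lan", "db-dmz", 1433, "allow", src_ip=DB_LAN, dst_ip=DB_DMZ),
    Rule("web-dmz", "lan", None, "deny"),   # explicit for readability; default is deny anyway
    Rule("db-dmz", "lan", None, "deny"),
]

def lan_exposure(policy: List[Rule], attacker_ip: str,
                 lan_hosts: List[str], ports: List[int]) -> Set[Tuple[str, int]]:
    """Every LAN host:port that someone controlling attacker_ip could initiate a connection to."""
    return {(h, p) for h in lan_hosts for p in ports
            if evaluate(policy, attacker_ip, h, p) == "allow"}

if __name__ == "__main__":
    lan_hosts, ports = [DB_LAN, CLIENT], [1433, 445, 3389]
    for name, policy in (("hole into LAN", HOLE_INTO_LAN), ("segregated DMZs", SEGREGATED_DMZS)):
        print(f"{name}: compromised web server reaches in LAN -> "
              f"{sorted(lan_exposure(policy, WEB, lan_hosts, ports))}")
        print(f"{name}: compromised DMZ DB reaches in LAN     -> "
              f"{sorted(lan_exposure(policy, DB_DMZ, lan_hosts, ports))}")
```

Running it shows the point of the thread in one line of output each: under design A a compromised web server has an allowed path to the LAN DB on 1433, so the LAN's safety rests entirely on the DBMS being patched; under design B the same compromised web server, and even a compromised DMZ replica, have no allowed path into the LAN at all, because the only 1433 flow touching the LAN is initiated from the LAN side.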
