Re: securing a database from DMZ traffic



In article <1184938705.421349.96740@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>,
crussell18@xxxxxxxxx says...
We are in the process of creating a DMZ for our web servers. Currently
our web servers have sit on our internal network. Moving the web
servers to a DMZ is the easy part, but what I am not sure about is how
to secure our database. I do not want it to sit the database on the
DMZ, but I also do not want to allow my DMZ to access the internal
network to hit the database. Does any one have a suggestion that i can
lookinto.
We have a Cisco ASA5510 firewall and muliple Cisco 3560g switches. Any
suggestions would be appreciated

A typical database/web layout has the database servers in the LAN with
the Web Servers in the DMZ. You open the port(s) needed for database
communications between the Web Servers and the Database servers through
the firewall DMZ>LAN, and only to those IP/Ports. You do not use Windows
Authentication in your database/web application, you would use SQL
Authentication.

If you network is based on Microsoft platforms you want to make sure
that your web servers are NOT part of your active directory structure
and that you only open the Database communication ports from the web
servers to them.

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@xxxxxxxxxx (remove 999 for proper email address)
.