Re: IS IT SAFE TO HOST SQL SERVER AND IIS SERVER ON THE SAME MACHINE
From: Karl Levinson [x y] mvp (jamescagney90210@excite.com)
Date: 11/02/02
From: "Karl Levinson [x y] mvp" <jamescagney90210@excite.com> Date: Fri, 1 Nov 2002 20:56:03 -0500
"CyberSpider" <vdailey@gsys.com> wrote in message
news:O3XoZ5fgCHA.1640@tkmsftngp10...
> Hi;
>
> A discussion has arisen at my company about which method is the best. Is it
> safe to host a web application on a machine (IIS) outside of our firewall and
> place SQL server on that machine. The presentation software, business
> logic, and the sql server would reside on this one machine.
>
> Or
>
> Should the presentation software be the only software on the machine outside
> of our firewall, maybe including the business logic but the data on the SQL
> server reside inside the firewall and be accessed via a DSN or a DSNLESS
> connection.
>
> Or is there some other method that would be the preferred method.
First of all, there's NO reason to put anything outside of a firewall.
Firewalls are cheap [$70 US for Netgear, $500 US for www.netscreen.com,
etc.] and there are even free ones out there [Smoothwall, IPcop, Gibraltar,
Linux firewalls that boot from a CD and run on an old 486 PC with an easy
GUI]. The vulnerabilities of Windows, IIS and SQL are well known, so you
really want a firewall. Without a firewall, if you are hacked, you'll have
no clue what IP address the hacker used and no evidence to prosecute.
Additionally, it may be a good idea to use two firewalls or a firewall with
three NICs [or two firewalls where one has three NICs] to create a DMZ.
This protects your internal network in case your internet servers are
hacked, allows you to receive alerts on unusual traffic that indicates a
successful hack, etc.
It is generally best for security to keep the IIS machine only running IIS
and the SQL machine only running SQL, if you can afford it. [This is good
for security as well as for web site performance.] If you can't afford it,
you can run both on one server. The reason for preferring two servers over
one is that if IIS is cracked, SQL is immediately cracked and vice versa.
You're essentially adding all the vulnerabilities of IIS to your SQL server
and adding all the vulnerabilities of SQL server to your IIS server.
Putting both apps onto one server is not considered the best, either for
security or for performance, but it may be acceptable if cost is a bigger
factor than security.
Either way, be sure you've done all the standard stuff to secure the server:
install all Microsoft service packs and security patches, follow the
hardening checklists for Windows and IIS at
www.microsoft.com/technet/security and www.nsa.gov and http://rr.sans.org
among others, install IISlockdown including URLscan and also run MBSA from
www.microsoft.com/download, consider using a file change checker like the
free Languard file integrity checker from www.gfi.com [hidden under the
Languard "white papers" section] etc. etc.
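A minimal version of the file change checker recommended above, as an added example (Python, not part of the original post or of any GFI product): take a hash snapshot of the web root, then compare a later snapshot to flag files that were added, removed or modified. The directory layout and file contents are constructed for the demonstration.

```python
"""Minimal file-integrity baseline for a web root (constructed example)."""
import hashlib
import os
import tempfile
from typing import Dict, List


def hash_tree(root: str) -> Dict[str, str]:
    """Return {relative_path: sha256} for every regular file under root."""
    baseline: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            baseline[rel] = digest.hexdigest()
    return baseline


def diff_baseline(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare two snapshots; any entry in the result deserves a look."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: a web root is baselined, then changed behind the admin's back."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "scripts"))
        with open(os.path.join(root, "default.asp"), "w") as f:
            f.write('<% Response.Write("hello") %>')
        with open(os.path.join(root, "scripts", "login.asp"), "w") as f:
            f.write("<% ' login page %>")
        before = hash_tree(root)  # the known-good baseline
        # Changes nobody scheduled: a page edited, a file added, a file deleted.
        with open(os.path.join(root, "default.asp"), "a") as f:
            f.write("<!-- altered -->")
        with open(os.path.join(root, "unexpected.asp"), "w") as f:
            f.write("<% ' file that should not exist %>")
        os.remove(os.path.join(root, "scripts", "login.asp"))
        return diff_baseline(before, hash_tree(root))


if __name__ == "__main__":
    print(demo())
```

In practice the baseline is stored off the web server and the comparison is run on a schedule, so a changed `default.asp` or a new script under the web root raises an alert rather than going unnoticed.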