Re: Where to place SQL Server DMZ, LAN etc.

From: Morris Lewis (Morris@Holistech.com)
Date: 06/30/02


From: "Morris Lewis" <Morris@Holistech.com>
Date: Sun, 30 Jun 2002 01:44:08 -0500


My preferred way to handle this is to put the web server on the DMZ and SS
on the internal network. The firewall in between should have rules that only
allow the web server to connect to SS on port 1433 (or whatever port you
want) and allow SS only to send packets to the web server. Then, lock down
your web server and SQL Server. Pay special attention to xp_cmdshell, and do
not use SQL Server authenticated logins. If the firewall supports it, IPsec
between the web server and SS will force authentication of both endpoints of
the channel.

I have a client using a variation of this setup where SS is on its own
network and the DBA has two NICs, one for the company network, one for SS's
network. In this configuration, a hacker is going to have to take control of
the web server before he can attack SS. Then he's going to have to
compromise SS before he gets data. He's going to have to find a way to
control SS before he can start attacking the DBA's computer. Then he's going
to have to find a way to control the DBA's computer before he can attack the
internal network. By the time all of this happens, the intrusion detection
software on the firewalls and on the separate monitor computer will probably
notice something's going on.

Just to be safe, I'm going to help them encrypt the sensitive info before it
goes into SS.

I won't say it's totally secure, but there are so many barriers that it's
going to be a tough job to break in.

Morris Lewis
MCDBA, MCSD, MCSE+I, MCT, CTT+
President, Holistech Inc.

"Walt White" <walt@work.com> wrote in message
news:u$xP6AfHCHA.1268@tkmsftngp08...
> I'm trying to determine the best place to locate a SQL Server that will be
> accessed by a public web server. Should I place it on the LAN and add a
> second card to the Web Server that has an internal IP? Place on the LAN and
> add a One-to-One NAT to the firewall? Suggestions would be appreciated.
>
> Thanks in advance.
>
>
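The firewall policy Morris describes (web server may open TCP 1433 to SS, SS may only answer within that session, everything else between the DMZ and the LAN is dropped), as an added example that is not code from the original thread: a small Python model of the stateful filter, using constructed addresses, that shows which flows get through and which do not.

```python
# Added example, not from the original post: a minimal stateful packet-filter
# model of the DMZ <-> LAN firewall rules described above.
from collections import namedtuple

Packet = namedtuple("Packet", "src dst proto sport dport")

WEB_SERVER = "10.0.1.10"   # constructed: web server in the DMZ
SQL_SERVER = "10.0.2.20"   # constructed: SQL Server on the internal LAN
DBA_HOST = "10.0.2.50"     # constructed: DBA workstation on the internal LAN
SQL_PORT = 1433


class FirewallModel:
    """Stateful filter sitting between the DMZ and the internal network."""

    def __init__(self, web=WEB_SERVER, sql=SQL_SERVER, port=SQL_PORT):
        self.web, self.sql, self.port = web, sql, port
        self.sessions = set()  # (client, server, server_port) flows already admitted

    def decide(self, pkt):
        # Rule 1: only the web server may open connections to SS, only on the SQL port.
        if (pkt.src == self.web and pkt.dst == self.sql
                and pkt.proto == "tcp" and pkt.dport == self.port):
            self.sessions.add((pkt.src, pkt.dst, pkt.dport))
            return "ALLOW"
        # Rule 2: SS may send packets to the web server only as replies inside
        # a session the web server opened; SS never initiates anything.
        if (pkt.src == self.sql and pkt.dst == self.web and pkt.proto == "tcp"
                and pkt.sport == self.port
                and (pkt.dst, pkt.src, pkt.sport) in self.sessions):
            return "ALLOW"
        # Default deny: web server to other LAN hosts or other SS ports,
        # SS-initiated traffic, and anything else crossing the boundary.
        return "DROP"


def run_scenario():
    """Evaluate a constructed packet sequence; returns the list of decisions."""
    fw = FirewallModel()
    packets = [
        Packet(SQL_SERVER, WEB_SERVER, "tcp", SQL_PORT, 40000),  # reply with no session yet
        Packet(WEB_SERVER, SQL_SERVER, "tcp", 40000, SQL_PORT),  # web opens SQL connection
        Packet(SQL_SERVER, WEB_SERVER, "tcp", SQL_PORT, 40000),  # reply inside that session
        Packet(WEB_SERVER, SQL_SERVER, "tcp", 40001, 445),       # web -> SS on SMB, not 1433
        Packet(WEB_SERVER, DBA_HOST, "tcp", 40002, 3389),        # web -> DBA workstation
        Packet(SQL_SERVER, DBA_HOST, "tcp", 40003, 445),         # SS initiating toward the LAN
    ]
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    print(run_scenario())  # ['DROP', 'ALLOW', 'ALLOW', 'DROP', 'DROP', 'DROP']
```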


