Re: Securing SQL

From: Bad Beagle (maxwelli_at_nospam.postalias)
Date: 11/29/05


Date: Tue, 29 Nov 2005 13:27:37 -0700

Karl, thanks for the reply. How does having a 2nd DMZ make it more secure
besides isolation? You still have to punch holes in your firewall, correct?

"karl levinson, mvp" <levinson_k@despammed.com> wrote in message
news:ejQu21P8FHA.2040@TK2MSFTNGP14.phx.gbl...
>
> "Bad Beagle" <maxwelli@nospam.postalias> wrote in message
> news:uCxmBEE8FHA.444@TK2MSFTNGP11.phx.gbl...
>>I would like to know what the suggestions are for designing a secure
>>solution for Windows servers and SQL. I have a Windows 2000 server that
>>is my web server - this server is in the dmz. This server has pages that
>>access a SQL server. The SQL server hosts a database that is used both
>>internally and externally and needs to be updated by someone internal. My
>>question is where this SQL server should be placed - on the lan and do
>>file replication or in the dmz and open up the firewall for sql traffic.
>
> I would suggest any solution that prevents the servers in the DMZ from
> opening inbound connections into your internal LAN and requires that
> connections be established from your LAN to the DMZ. Having two SQL
> servers, one on the LAN, one in the DMZ, that are synchronized by the
> server on the LAN sounds most secure, but then you want to make sure the
> synchronization works for you and does not cause unacceptable data
> discrepancies.
>
> A cheaper solution that is probably secure enough would be to have the one
> SQL server in the DMZ -- preferably a second DMZ for example using an
> additional network interface in your firewall or an additional inexpensive
> firewall like the www.netscreen.com "5" series, so that the SQL server is
> firewalled from both the LAN and the web server -- AND only allow
> connections from the LAN to the SQL server.
>
> Note that using IPSec authentication and encryption does not make it safe
> to permit connections from the DMZ web server to a server on your LAN,
> because attackers may be able to use that connection.
>
>
>
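
The rule Karl describes (the DMZ must never open connections into the LAN, with or without IPSec) can be checked mechanically against a firewall rule list. The following is an added example, not part of the original thread; the address ranges, rule names and rule format are constructed, and the web-to-SQL rule on tcp/1433 is an assumption based on the original question.

```python
from ipaddress import ip_network

LAN = ip_network("10.0.0.0/24")  # constructed internal LAN range

def audit(rules):
    """Flag allow rules that let any non-LAN source open connections into the LAN."""
    findings = []
    for r in rules:
        if r["action"] != "allow":
            continue
        src = ip_network(r["src"], strict=False)
        dst = ip_network(r["dst"], strict=False)
        # A rule is a finding when it reaches the LAN and its source range
        # is not wholly inside the LAN (this also catches "any" sources).
        if dst.overlaps(LAN) and not src.subnet_of(LAN):
            note = " (IPSec does not change this)" if r.get("ipsec") else ""
            findings.append(f"{r['name']}: {r['src']} may open connections "
                            f"into the LAN on tcp/{r['port']}{note}")
    return findings

# Constructed rule set A: single SQL server on the LAN, web server reaches it over IPSec.
SQL_ON_LAN = [
    {"name": "inet-to-web", "src": "0.0.0.0/0", "dst": "192.168.10.5",
     "port": 80, "action": "allow"},
    {"name": "web-to-sql", "src": "192.168.10.5", "dst": "10.0.0.20",
     "port": 1433, "action": "allow", "ipsec": True},
]

# Constructed rule set B: SQL server in a second DMZ (192.168.20.0/24).
# Holes still exist, but none of them terminate on the LAN.
SECOND_DMZ = [
    {"name": "inet-to-web", "src": "0.0.0.0/0", "dst": "192.168.10.5",
     "port": 80, "action": "allow"},
    {"name": "web-to-sql", "src": "192.168.10.5", "dst": "192.168.20.5",
     "port": 1433, "action": "allow"},
    {"name": "lan-to-sql", "src": "10.0.0.0/24", "dst": "192.168.20.5",
     "port": 1433, "action": "allow"},
    {"name": "sql-to-lan", "src": "192.168.20.5", "dst": "10.0.0.0/24",
     "port": 1433, "action": "deny"},
]

if __name__ == "__main__":
    for label, rules in (("SQL on LAN", SQL_ON_LAN), ("Second DMZ", SECOND_DMZ)):
        print(label, "->", audit(rules) or "no DMZ-to-LAN openings")
```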


