Access to Internal Database through fire

By orlando.goza ·
Hello:

The situation is this:
A firewall with 3 NICs, one of them for implementing a DMZ zone, where a public WWW server is sitting. The other two connect to the internal LAN and to Internet.
Such a public WWW server needs to access an SQL database located in the internal LAN.

I would like to know what is the most secure way to implement such an access.

I'd very much appreciate any recommendations.

Thank you very much in advance,
Orlando.


Access to Internal Database through fire

by pjgreene In reply to Access to Internal Databa ...

The industry standard is a 3-tier architecture where the first tier is the firewall limiting access to the WWW servers. You then create a private network behind the WWW servers by placing another NIC in the WWW servers and attaching it to a private network into the SQL box. Make sure you NAT the external address to one of the standard non-registered TCP/IP ranges (ie 10.x.x.x or 192.168.x.x). The key though is locking down those WWW servers, because there are some known exploits on IIS (ie RDS exploit) where I can download your entire database over port 80. Microsoft has a complete checklist http://www.microsoft.com/technet/security/iischk.asp.

Make sure you have an accurate security profile on your firewall and use a port scanner to help you detect holes. Another important aspect often overlooked is an intrusion detection device like Cisco's NetRanger.

If you need any other assistance feel free to contact me at pjgreene@infotechent.net


Access to Internal Database through fire

by orlando.goza In reply to Access to Internal Databa ...

The question was auto-closed by TechRepublic


Access to Internal Database through fire

by MCSE Lee In reply to Access to Internal Databa ...

Depending on the firewall product, you can do this with the server configured as is, or as in answer #1 above - the actual process is roughly the same. Another approach would be to mirror the DB to the DMZ - this would prevent access to the actual database, and allow faster access to the data. Network traffic will increase due to the replication, but it may be a better solution in the long run.


Access to Internal Database through fire

by orlando.goza In reply to Access to Internal Databa ...

The question was auto-closed by TechRepublic


Access to Internal Database through fire

by moflic In reply to Access to Internal Databa ...

Add a second NIC with a private IP on the WWW server, connected to a second NIC with the same network number on the SQL server, but different than the network number of your LAN.
Do no routing on the web server, just tell it (or the CGI proggies) to query the database on the second NIC's IP.
Filter the traffic on the web server's gateway to SQL so as to deny anything that doesn't come from SQL's IP.
Filter the traffic of the SQL to the gateway with the Web server so as to deny anything that doesn't come from the Web server's IP (just in case, because the web server won't forward).
More secure than that only when turned off.
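The layout pjgreene and moflic describe (a second NIC on the web server, a private link to the SQL box, a host filter on the SQL side that admits only the web server's link address, and a firewall that passes nothing from the DMZ into the LAN) can be checked as a small first-match packet-filter model. This is an added example and not code from any of the posters: all addresses are constructed documentation ranges, the `Flow`/`Rule` classes and the `decide_*` functions are hypothetical, and it goes a step beyond the thread by placing the three-tier layout beside the weaker shortcut of opening a DMZ-to-LAN hole for port 1433 so the difference in what a compromised web server can reach is explicit.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Flow:
    src: str     # source address of the connection attempt
    dst: str     # destination address
    dport: int   # destination TCP port


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str                     # source CIDR
    dst: str                     # destination CIDR
    dport: Optional[int] = None  # None matches any port

    def matches(self, flow: Flow) -> bool:
        return (ip_address(flow.src) in ip_network(self.src)
                and ip_address(flow.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == flow.dport))


def evaluate(rules: List[Rule], flow: Flow, default: str = "deny") -> str:
    """First-match evaluation with default deny, as on most packet filters."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return default


# Constructed addressing (RFC 5737 / RFC 1918 ranges; hypothetical, not from the thread).
ANY = "0.0.0.0/0"
WEB_DMZ = "203.0.113.10/32"   # web server, DMZ-facing NIC
LAN = "10.0.0.0/8"            # internal LAN behind the firewall
SQL_LAN = "10.0.0.20/32"      # SQL server, LAN-facing NIC
LINK = "192.168.50.0/24"      # private web<->SQL link on the second NICs
WEB_LINK = "192.168.50.10/32"
SQL_LINK = "192.168.50.20/32"
HTTP, MSSQL = 80, 1433

# Weak variant: SQL is reached through the firewall into the LAN, which needs a DMZ->LAN hole.
WEAK_FIREWALL = [
    Rule("allow", ANY, WEB_DMZ, HTTP),
    Rule("allow", WEB_DMZ, SQL_LAN, MSSQL),  # the hole a compromised web server inherits
]

# Three-tier variant from the thread: the firewall passes only HTTP to the DMZ and
# nothing into the LAN; the SQL host filter on the link admits only the web server.
FIREWALL = [Rule("allow", ANY, WEB_DMZ, HTTP)]
SQL_HOST_FILTER = [Rule("allow", WEB_LINK, SQL_LINK, MSSQL)]


def decide_weak(flow: Flow) -> str:
    return evaluate(WEAK_FIREWALL, flow)


def decide_three_tier(flow: Flow) -> str:
    """Send the flow to the enforcement point it would actually cross."""
    if ip_address(flow.dst) in ip_network(LINK):
        # The web server does no forwarding, so only hosts on the link can put
        # traffic onto it; the SQL host filter then decides.
        if ip_address(flow.src) not in ip_network(LINK):
            return "deny"
        return evaluate(SQL_HOST_FILTER, flow)
    return evaluate(FIREWALL, flow)


# Constructed connection attempts covering the interesting paths.
CASES = {
    "client_http":        Flow("198.51.100.7", "203.0.113.10", HTTP),
    "client_to_sql_lan":  Flow("198.51.100.7", "10.0.0.20", MSSQL),
    "client_to_sql_link": Flow("198.51.100.7", "192.168.50.20", MSSQL),
    "web_to_sql_lan":     Flow("203.0.113.10", "10.0.0.20", MSSQL),
    "web_to_lan_host":    Flow("203.0.113.10", "10.0.0.5", 445),
    "web_to_sql_link":    Flow("192.168.50.10", "192.168.50.20", MSSQL),
}


def compare() -> dict:
    """Return {case: (weak decision, three-tier decision)} for every constructed flow."""
    return {name: (decide_weak(f), decide_three_tier(f)) for name, f in CASES.items()}


if __name__ == "__main__":
    for name, (weak, tiered) in compare().items():
        print(f"{name:20s} weak={weak:5s} three-tier={tiered}")
```

The row to look at is `web_to_sql_lan`: the weak layout allows it, so anything that owns the web server also owns a route into the LAN, while the three-tier layout denies it and only the link-local `web_to_sql_link` flow reaches the database. The reverse direction on the link (SQL originating a connection to the web server) also falls through to deny, which is moflic's "just in case" filter.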


Access to Internal Database through fire

by orlando.goza In reply to Access to Internal Databa ...

The question was auto-closed by TechRepublic


Access to Internal Database through fire

by orlando.goza In reply to Access to Internal Databa ...

This question was auto closed due to inactivity
