  • #2082860

    Access to Internal Database through fire

    Locked

    by orlando.goza ·

    Hello:

    The situation is this:
    A firewall with 3 NICs, one of them for implementing a DMZ zone, where a public WWW server is sitting. The other two connect to the internal LAN and to Internet.
    Such a public WWW server needs to access an SQL database located in the internal LAN.

    I would like to know what is the most secure way to implement such an access.

    I’ll very much appreciate any recommendations.

    Thank you very much in advance,
    Orlando.

All Comments

    • #3897402

      Access to Internal Database through fire

      by pjgreene ·

      In reply to Access to Internal Database through fire

      The industry standard is a 3-tier architecture where the first tier is the firewall limiting access to the WWW servers. You then create a private network behind the WWW servers by placing another NIC in the WWW servers and attaching it to a private network into the SQL box. Make sure you NAT the external address to one of the standard non-registered TCP/IP ranges (i.e. 10.x.x.x or 192.168.x.x). The key though is locking down those WWW servers, because there are some known exploits on IIS (i.e. RDS exploit) where I can download your entire database over port 80. Microsoft has a complete checklist http://www.microsoft.com/technet/security/iischk.asp.

      Make sure you have an accurate security profile on your firewall and use a port scanner to help you detect holes. Another important aspect often overlooked is an intrusion detection device like Cisco’s NetRanger.

      If you need any other assistance feel free to contact me at [email protected]

    • #3897233

      Access to Internal Database through fire

      by mcse lee ·

      In reply to Access to Internal Database through fire

      Depending on the firewall product, you can do this with the server configured as is, or as in answer #1 above – the actual process is roughly the same. Another approach would be to mirror the DB to the DMZ – this would prevent access to the actual database, and allow faster access to the data. Network traffic will increase due to the replication, but it may be a better solution in the long run.

    • #3898430

      Access to Internal Database through fire

      by moflic ·

      In reply to Access to Internal Database through fire

      Add a second NIC with private IP on the WWW server, connected to a second NIC with the same network number on the SQL server, but different than the network number of your LAN.
      Do no routing on the web server, just tell it (or the CGI proggies) to query the database on the second NIC’s IP.
      Filter the traffic on the web server’s gateway to SQL as to deny anything that doesn’t come from SQL’s IP.
      Filter the traffic of the SQL to the gateway with the Web server as to deny anything that doesn’t come from the Web server’s IP (just in case, because the web server won’t forward).
      More secure than that only when turned off.
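
      The back-to-back private link moflic describes above (and the private network behind the WWW servers in pjgreene's reply) can be written down as host firewall rules on the two machines. The nftables rulesets below are an added example and are not code posted in this thread; the interface names, the 192.168.50.0/30 link addresses and the database port 1433 are constructed assumptions, so substitute the real values.

```nft
#!/usr/sbin/nft -f
# Added example (not from the thread). Two hosts, one ruleset each; the two
# sections below belong in separate /etc/nftables.conf files on each host.
# Constructed assumptions:
#   eth0 on the web server = NIC facing the firewall's DMZ leg
#   eth1 on both hosts    = back-to-back private link, 192.168.50.0/30
#   web server eth1 = 192.168.50.1, SQL server eth1 = 192.168.50.2
#   database listens on TCP 1433 (adjust for the actual SQL product)

# ---------------- web server ----------------
flush ruleset

table inet web_host {
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop
        # DMZ leg: only the web service itself is reachable from the firewall
        iifname "eth0" tcp dport { 80, 443 } accept
        # private leg: nothing may originate from the SQL side. Replies to
        # our own queries were already accepted as "established" above, so a
        # packet reaching this point is either a spoofed source or a new
        # connection attempt; log the spoofed ones so they show up in review.
        iifname "eth1" ip saddr != 192.168.50.2 log prefix "db-leg spoof: " drop
        iifname "eth1" drop
    }
    chain forward {
        # the web server is not a router: never pass packets between legs
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
        # the only new connections allowed onto the private leg are SQL queries
        oifname "eth1" ip daddr 192.168.50.2 tcp dport 1433 accept
        oifname "eth1" ct state established,related accept
        oifname "eth1" drop
    }
}

# ---------------- SQL server ----------------
# (separate file; starts with its own "flush ruleset")
table inet sql_host {
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop
        # private leg: only the web server, and only to the database port
        iifname "eth1" ip saddr 192.168.50.1 tcp dport 1433 accept
        iifname "eth1" log prefix "sql-leg denied: " drop
        # LAN-facing NIC (eth0): administration rules would go here, not shown
    }
    chain forward {
        # the SQL box must not bridge the private leg into the LAN either
        type filter hook forward priority 0; policy drop;
    }
}
```

      Load each file with `nft -f /etc/nftables.conf` on its host and check the result with `nft list ruleset`. The forward chains only matter if forwarding is switched on, so on the web server also set `net.ipv4.ip_forward = 0` in sysctl as the primary control; the drop policy is there in case someone turns forwarding on later. Point the CGI code at 192.168.50.2 so queries never traverse the LAN, and watch the kernel log for the two prefixes: anything tagged "db-leg spoof" or "sql-leg denied" is traffic the design says should never exist.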

    • #3740782

      Access to Internal Database through fire

      by orlando.goza ·

      In reply to Access to Internal Database through fire

      This question was auto closed due to inactivity
