Hello All,
I’m in the middle of a SAS 70 audit and I have been asked to incorporate a DMZ into my infrastructure. I have done something similar in the past with servers and IP forwarding but this is a little foreign to me. I’ve done some research and I believe that a Multi-Homed Bastion Host configuration is what I need. I must work with existing equipment and I have only one firewall available at the location in question so this looks like the best solution.
In the Multi-Homed Bastion Host configuration a single Firewall is used with individual subnets for the Internal Network, the DMZ and of course the Internet. This I have no problem with; my confusion comes from the configuration of the Firewall.
How should I configure the Firewall to achieve the best security scenario? The web server runs 4 web applications in addition to hosting our web site. I’m not an SQL guru so I’m unclear on how the web applications communicate with the database server on the back end. Do the two servers need to be able to communicate via a VPN or static route or will the SQL applications be able to find the Database server via SQL connection strings without a route through the firewall? If I use a static route I don’t see a security advantage. Should I use a VPN between the DMZ and the Internal network? If so does this provide the level of security I am looking for? Seems to me that with the VPN in place a hacker could access the internal network just as easily as if the Web server was in the same subnet as the other servers. I have never been a packet level guru so I’m foggy on how the DMZ actually provides additional security.
Lastly, with the DMZ in place how can I remotely administer the Web server?
I’ve asked a lot of questions here but any help would be appreciated.
Thanks,
DH
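As an added example, not part of the original post or of any reply to it: a small Python model of the three-zone (Internet / DMZ / Internal) policy that is the usual way to answer the firewall question above. It encodes a default-deny ruleset in which the Internet reaches only the web server on the web ports, the web server alone reaches only the database server on the SQL port, and remote administration of the web server is initiated from a single internal admin host. The address plan, the host addresses and the choice of ports (1433 is the SQL Server default, 3389 and 22 are the usual RDP and SSH ports) are constructed assumptions for illustration, not values from the post. Evaluating sample flows against it shows what the DMZ buys: if the web server is compromised, the only internal destination the firewall lets it reach is the one database port.

```python
"""Model of a three-zone (Internet / DMZ / Internal) firewall policy.

Constructed example: the address plan, host addresses and port numbers below
are assumptions for illustration, not values from the original post.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# Assumed address plan (constructed): two private zones; anything else is "internet".
DMZ = ipaddress.ip_network("192.168.100.0/24")
INTERNAL = ipaddress.ip_network("10.0.0.0/24")
WEB_SERVER = ipaddress.ip_address("192.168.100.10")  # bastion host in the DMZ (assumed)
DB_SERVER = ipaddress.ip_address("10.0.0.20")        # SQL Server on the internal LAN (assumed)
ADMIN_HOST = ipaddress.ip_address("10.0.0.50")       # internal admin workstation (assumed)
FILE_SERVER = ipaddress.ip_address("10.0.0.30")      # another internal host (assumed)


def zone_of(ip) -> str:
    """Map an address to the firewall zone it belongs to."""
    if ip in DMZ:
        return "dmz"
    if ip in INTERNAL:
        return "internal"
    return "internet"


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str                    # "internet", "dmz" or "internal"
    dst_zone: str
    proto: str                       # "tcp" or "udp"
    dports: FrozenSet[int]           # destination ports this rule permits
    src_hosts: FrozenSet[ipaddress.IPv4Address] = frozenset()  # empty = whole zone
    dst_hosts: FrozenSet[ipaddress.IPv4Address] = frozenset()  # empty = whole zone

    def matches(self, src, dst, proto: str, dport: int) -> bool:
        return (
            self.src_zone == zone_of(src)
            and self.dst_zone == zone_of(dst)
            and self.proto == proto
            and dport in self.dports
            and (not self.src_hosts or src in self.src_hosts)
            and (not self.dst_hosts or dst in self.dst_hosts)
        )


# Ordered allow-list; anything not matched falls through to the implicit deny.
POLICY: List[Rule] = [
    # The Internet may reach only the web server, only on the web ports.
    Rule("web-from-internet", "internet", "dmz", "tcp", frozenset({80, 443}),
         dst_hosts=frozenset({WEB_SERVER})),
    # Only the web server may talk inward, only to the DB server, only on the SQL port.
    Rule("web-to-sql", "dmz", "internal", "tcp", frozenset({1433}),
         src_hosts=frozenset({WEB_SERVER}), dst_hosts=frozenset({DB_SERVER})),
    # Remote administration is initiated from inside, from one admin host, on the admin ports.
    Rule("admin-to-dmz", "internal", "dmz", "tcp", frozenset({3389, 22}),
         src_hosts=frozenset({ADMIN_HOST})),
]


def evaluate(src: str, dst: str, proto: str, dport: int) -> Tuple[str, str]:
    """First-match evaluation of one flow; returns (action, rule name)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in POLICY:
        if rule.matches(s, d, proto, dport):
            return "allow", rule.name
    return "deny", "implicit-deny"


# Constructed probe set: well-known ports an attacker on a DMZ host would try inward.
CANDIDATE_PORTS = (22, 80, 135, 139, 443, 445, 1433, 3389)
INTERNAL_HOSTS = (DB_SERVER, FILE_SERVER, ADMIN_HOST)


def internal_exposure_from(src: str) -> List[Tuple[str, int]]:
    """Every (internal host, port) pair the policy lets `src` reach: the blast radius
    of a compromise of that DMZ host."""
    reachable = []
    for host in INTERNAL_HOSTS:
        for port in CANDIDATE_PORTS:
            if evaluate(src, str(host), "tcp", port)[0] == "allow":
                reachable.append((str(host), port))
    return sorted(reachable)


if __name__ == "__main__":
    for flow in [("203.0.113.7", str(WEB_SERVER), "tcp", 443),
                 ("203.0.113.7", str(DB_SERVER), "tcp", 1433),
                 (str(WEB_SERVER), str(DB_SERVER), "tcp", 1433),
                 (str(WEB_SERVER), str(FILE_SERVER), "tcp", 445),
                 (str(ADMIN_HOST), str(WEB_SERVER), "tcp", 3389)]:
        print(flow, "->", evaluate(*flow))
    print("internal exposure from web server:", internal_exposure_from(str(WEB_SERVER)))
```

The model has no notion of a VPN or static route between the zones, which is the point: with only the firewall between DMZ and Internal, the web applications reach the database through the single `web-to-sql` rule, and every other inbound attempt from the DMZ, including the RDP and SMB ports, ends at the implicit deny. A routed path alone would give the same reachability without the filter; a tunnel that terminates inside the LAN would bypass it altogether.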