Database and DMZ issues

[LeGuru]

Hi everyone,

I have a little problem and i need some advice.

We are soon installing two new webservers in our DMZ.
The Webservers will be in contact with a Oracle database.

We have some architecture issues with security here our 2 options :

OPTION 1:
Firewall ---> DMZ (Webservers) --->Firewall---> Inverse Proxy----> DMZ 2(Small Oracle database) <-- Firewall <----LAN

OPTION 2:
FIrewall ----> DMZ (Webservers)----> Inverse Proxy --->Firewall <----> LAN (Central oracle DATABASE)

With option number are we gonna have to consider the replication issues and some performance problems ?
With option number two is there a way to make it really secure ?

For now i know that option #1 is really simple.

Any suggestions are welcome.

Thank you !!

PS: Data needed for the webservers

 

[Lequang]

Both options are not easy, but the rules are:

- Database need to be protected in Lan.
- Webserver is public access, so must be in DMZ.
- Reverse proxy also must be in DMZ.

- If you do 2 layer-firewall (external and Internal) so Internal FW performance must fit with the traffic (database + brwosing + etc ...)

 

[Dalong]

There are seevral things wrong, in both schemes.
Proxying SqlNet is... well, let's say if you have a proper filtering proxy for SqlNet, you _are_ Oracle. Otherwise, your reverse proxy will do nothing more than packet filtering. Useless, since FW2 (which could be a proper filtering router) will do just that.
Then, your reverse proxy are not where it should be : in FRONT of the webservers, not between webserver and DBS. And they should perform heavy filtering on URLs, CGI arguments, all that stuff.