
Put database into the DMZ?


chicocouk

MIS
Aug 19, 2002
331
GB
Hi folks,

Bit of a design question, I guess, but pretty straightforward. PIX 515, three interfaces: inside, outside, DMZ. Putting a webserver in the DMZ. Thing is, the webserver has to access a database, which also has to be accessed directly. So for security purposes, should the database go in the DMZ too, or put the database on the inside and open appropriate ports to allow database traffic from the webserver's IP in the DMZ ONLY to the database server?

All suggestions welcome

Thanks
 
I'd say, Webserver on DMZ, database server on inside, run host intrusion detection on the database server.

I'd prefer webserver on DMZ 1, database server on DMZ 2, restrict access to the database from the web server, but allow anyone on the inside access to the database. That would mean another interface card in the PIX.
 
Thanks for the thoughts. Ideally I agree the two dmzs would be great, but not an option due to cost.

So you reckon it would be better to have the DB server on the inside, and presumably only allow certain ports from the web to the DB?

I've been debating with myself whether that's more secure than putting the DB server in the DMZ, but blocking any access to it directly from the outside (don't allow it to NAT out), and don't allow any traffic initiating from the DB server out either, so it's only directly accessible from the webserver, or from the inside.

Problem with this would be that if the webserver was compromised, it would probably have full access to the DB server, as there's nothing to filter traffic between the two.

In your design, at least if the webserver was hacked, presumably the hackers could only get access to the database ports (SQL 2000, as it happens), so no access to shares or anything like that; the PIX would filter that traffic. But if they can do damage over the DB ports, then they *might* be able to get into the inside network ....

Any other thoughts most welcome

Cheers
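As an added illustration of the design discussed above (web server in the DMZ, SQL server on the inside, only the SQL port opened from the web server's address, and the DB server never initiating anything outward), here is a PIX 6.3-style configuration fragment. This is not configuration posted by anyone in this thread; the interface security level, the addresses 192.0.2.10 (web server) and 10.10.0.20 (SQL server), the ACL names, and the `!` comment lines are all assumptions for illustration.

```cisco
! Added example, not from the thread. PIX 6.3 syntax; addresses and ACL
! names are assumptions.
nameif ethernet2 dmz security50

! Make the inside SQL server reachable from the lower-security DMZ
! interface without translating its address.
static (inside,dmz) 10.10.0.20 10.10.0.20 netmask 255.255.255.255

! Only the web server, only to the SQL server, only TCP 1433
! (the SQL Server 2000 default port). Everything else from the DMZ,
! including SMB/RPC toward the inside, is dropped and logged.
access-list dmz_in permit tcp host 192.0.2.10 host 10.10.0.20 eq 1433 log
access-list dmz_in deny ip any any log
access-group dmz_in in interface dmz

! The SQL server has no reason to open connections toward the DMZ or the
! outside, so stop it initiating anything. Replies to the web server's
! 1433 sessions still pass, because the PIX tracks them in its
! connection table.
access-list inside_out deny ip host 10.10.0.20 any log
access-list inside_out permit ip any any
access-group inside_out in interface inside
```

With this in place, a compromised web server's reach into the inside network is reduced to the SQL protocol on one host, which is exactly the residual risk the thread identifies. The `log` keyword on both deny lines and on the single permit gives you the visibility the next reply asks for: a burst of denied DMZ-to-inside attempts, or SQL sessions at unexpected times, shows up in syslog from the PIX.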
 
Yes, you're bang on there.

The way I look at this, if both the servers are in the DMZ then once the web server is compromised your DB server is very vulnerable, and you may not have enough visibility to see what is going on.

Putting your DB server onto another LAN port puts another step in the way of the hacker, and as you say you can make the DMZ-to-inside access pretty tight. But it is on the inside, so it carries a risk. However, some later Cisco switches have a facility called private VLAN, and PIX 6.3 supports VLANs as well, so possibly you could use this technology to increase security.

In fact while I think about that, if you could run a VLAN on the DMZ port then that may offer a partial solution, I'm not sure if VLAN support is available on DMZ ports?

I think if you're not considering additional LAN ports then you need to look at host-based intrusion detection as well.

Have you looked at the Cisco security documents on this? There are quite a few at
Whilst some of the ideas assume you have a bottomless pit of cash, it discusses this problem in depth.
 
:)

I just completed the SAFE (CSI) course yesterday as it happens, and was about to look around for the whitepaper downloads, so that's handy.

I guess there's no absolute solution unless money is no object (which unfortunately, it always is)

I'll definitely have a read and a further think. Would quite like a play with Cisco's new host-based IDS offering, but I think you need CiscoWorks to get it to play, and I don't have a spare 1 GHz, 1 GB memory machine to devote to it at the moment.

Thanks