
Server placements (DMZ, firewall etc.) 1


wbodger

Programmer
Apr 23, 2007
769
US
So, I am more of a software kind of guy, but my network folks are asking me some questions that I want to make sure about before I answer back. We have our web server (with two NICs) in the DMZ and then we have our SQL Server(s) behind the firewall. Our web server *was* part of the domain until about a week ago when IT decided to remove it, thinking it was a liability having it in our domain AND in the DMZ. So, how do you folks handle this? Do you take one NIC and connect it externally (in the DMZ) and then another internal (joined to the domain) so it can communicate with the SQL Server(s) without compromising network security?

Does this make sense?

Willie
 
Personally, I don't really see how that's any different than keeping your web server on your trusted network. A DMZ is for isolating hosts, not merely traffic, and if you have a host in the DMZ that has a NIC that bypasses the firewall and has access to the internal network, you might as well keep that host on the trusted network and only allow port 80/443 inbound to it.

But your IT guys have it right: any server facing the public should NOT be a member of the domain. If it is compromised, whatever rights the user accounts on it have in your internal domain are now in the hands of outsiders. It's better if it's a non-domain server using SQL auth to access SQL data on a single port.

If you really want security, you have only a single NIC configured on it, and you put it in the DMZ. The firewall guys then punch a hole for SQL traffic back into the SQL server from the web server, and you use the minimum rights required for SQL data access: for example, you don't use the SA account to do transactions. Done this way, if your web server gets compromised, there is only one attack vector from the web server against your internal network: port 1433 against your internal SQL server. Everything else would be blocked.

Dave Shackelford
ThirdTier.net
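The posture Dave describes (single NIC in the DMZ, 80/443 inbound to the web server, one firewall hole on 1433 back to the SQL server, default deny for everything else) can be modelled as a small rule set and probed for what a compromised web server could still reach. This is an added example, not part of the thread; all addresses, zones and host roles are constructed, and the dual-NIC variant is modelled as a rule that bypasses the firewall entirely.

```python
"""Model of the recommended DMZ design vs. the dual-NIC design (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    src: str                      # CIDR the flow may come from
    dst: str                      # CIDR the flow may go to
    dports: Optional[frozenset]   # allowed TCP destination ports; None = any port

# Constructed addressing: public web server in the DMZ, SQL Server on the internal LAN.
WEB = "203.0.113.10"      # single DMZ-facing NIC
SQL = "10.0.0.20"         # internal SQL Server
INTERNAL = "10.0.0.0/24"
ANY = "0.0.0.0/0"

# Recommended posture: only 80/443 inbound to the web server, and a single hole
# from the web server to the SQL server on 1433. Anything unmatched is dropped.
RECOMMENDED = [
    Rule(ANY, f"{WEB}/32", frozenset({80, 443})),
    Rule(f"{WEB}/32", f"{SQL}/32", frozenset({1433})),
]

# Dual-NIC variant: a second NIC on the internal LAN never traverses the firewall,
# which is equivalent to an allow-all rule from that NIC into the trusted network.
WEB_INTERNAL_NIC = "10.0.0.200"   # constructed address of the bypassing NIC
DUAL_NIC = RECOMMENDED + [Rule(f"{WEB_INTERNAL_NIC}/32", INTERNAL, None)]

def allowed(rules, src, dst, dport):
    """Default deny: a flow passes only if some rule matches source, destination and port."""
    s, d = ip_address(src), ip_address(dst)
    return any(s in ip_network(r.src) and d in ip_network(r.dst)
               and (r.dports is None or dport in r.dports)
               for r in rules)

def exposure_from(rules, src, targets, ports):
    """Flows a compromised host at `src` could still open toward internal `targets`."""
    return sorted((dst, p) for dst in targets for p in ports if allowed(rules, src, dst, p))

INTERNAL_HOSTS = [SQL, "10.0.0.5", "10.0.0.30"]   # constructed: SQL, DC, file server
PROBE_PORTS = [445, 1433, 3389, 389]

if __name__ == "__main__":
    print("single NIC:", exposure_from(RECOMMENDED, WEB, INTERNAL_HOSTS, PROBE_PORTS))
    print("dual NIC:  ", len(exposure_from(DUAL_NIC, WEB_INTERNAL_NIC, INTERNAL_HOSTS, PROBE_PORTS)), "flows")
```

With the single-NIC rules the only internal flow left is the SQL server on 1433; with the bypassing NIC every probed host and port is reachable, which is why the post says that design is no better than keeping the web server on the trusted network.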
 
That makes sense, thanks for weighing in. I will check how our firewall is set up and see if we can get this set up right!
 