
Why would you put a webserver in a DMZ?


1DMF

Programmer
Jan 18, 2005
8,795
GB
Hi,

We are looking to upgrade our web services and the web company providing the equipment has quoted placing the webserver in a DMZ.

Why would you put your webserver out on the web totally exposed in a DMZ?

Surely the traffic to a webserver would be limited via a firewall with only ports 80 & 443 open for generic traffic, with FTP and other connections locked down to only those who should have access.

Isn't putting your webserver in a DMZ dangerous?

Cheers,
1DMF




"In complete darkness we are all the same, only our knowledge and wisdom separates us, don't let your eyes deceive you."

"If a shortcut was meant to be easy, it wouldn't be a shortcut, it would be the way!"

Google Rank Extractor -> Perl beta with FusionCharts
 
Just because it is in a DMZ doesn't mean that it's totally exposed to the public Internet. It just means that it is isolated from the internal network. You'll still have firewalls between the Internet and the DMZ. If your hosting company doesn't have firewalls between the Internet and the DMZ you need a better hosting company.

Denny
MCSA (2003) / MCDBA (SQL 2000)
MCTS (SQL 2005 / SQL 2005 BI / SQL 2008 DBA / SQL 2008 DBD / SQL 2008 BI / MWSS 3.0: Configuration / MOSS 2007: Configuration)
MCITP (SQL 2005 DBA / SQL 2008 DBA / SQL 2005 DBD / SQL 2008 DBD / SQL 2005 BI / SQL 2008 BI)
MCM (SQL 2008)
MVP

My Site
 
I'm confused. My understanding of a DMZ is DeMilitarised Zone 'access with no firewall' or 'unrestricted access'.

If there is a firewall in place then surely it isn't a DMZ?

I'm not sure putting it in the DMZ is going to work either way, how will it connect to the backend SQL if it is in front of a firewall protecting the LAN where the SQL server resides?

 
A hole would need to be poked in the firewall between the DMZ and the SQL Server so that the specific web server would have access to the SQL Server's TCP port 1433.

The concept with a DMZ is to prevent any access except that which is needed from the DMZ to the internal servers.

For the most part this isn't really needed. Use firewalls to prevent any access to the web servers other than what you need to let through and put everything on the same network.

Denny
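To make the rule set Denny describes concrete (Internet reaches the DMZ web server on 80/443 only, the DMZ web server alone reaches the internal SQL Server on TCP 1433, everything else between zones is dropped), here is an added example that is not code from the thread or from any firewall vendor. It models the three zones as a small Python policy and includes a "blast radius" query that answers 1DMF's earlier question about what is reachable once the web server is compromised. The zone ranges, the host addresses and the helper names (`zone_of`, `evaluate`, `reachable_from`) are constructed for the example.

```python
"""Three-zone firewall policy model: Internet / DMZ / internal LAN.

Added example (not from the thread). Models the rules the replies describe:
  - Internet -> DMZ web server, TCP 80 and 443 only
  - DMZ web server -> internal SQL Server, TCP 1433 only
  - everything else crossing a zone boundary is denied
Addresses and zone ranges are constructed (documentation / RFC1918 space).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed zone layout; any address outside these nets counts as "internet".
ZONES = {
    "dmz": ip_network("192.0.2.0/24"),
    "internal": ip_network("10.10.0.0/16"),
}
WEB_SERVER = "192.0.2.10"   # constructed DMZ web server
SQL_SERVER = "10.10.5.20"   # constructed internal SQL Server


def zone_of(addr: str) -> str:
    """Map an address to its zone; unknown addresses are treated as Internet."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dports: frozenset            # TCP destination ports the rule allows
    src_host: Optional[str] = None   # None = any host in src_zone
    dst_host: Optional[str] = None   # None = any host in dst_zone
    action: str = "allow"

    def matches(self, src: str, dst: str, dport: int) -> bool:
        return (zone_of(src) == self.src_zone
                and zone_of(dst) == self.dst_zone
                and dport in self.dports
                and (self.src_host is None or src == self.src_host)
                and (self.dst_host is None or dst == self.dst_host))


# The whole inter-zone policy: two explicit allows, implicit deny for the rest.
POLICY = [
    Rule("internet", "dmz", frozenset({80, 443}), dst_host=WEB_SERVER),
    Rule("dmz", "internal", frozenset({1433}),
         src_host=WEB_SERVER, dst_host=SQL_SERVER),
]


def evaluate(src: str, dst: str, dport: int) -> str:
    """Return 'allow' or 'deny' for a TCP flow.

    Traffic that stays inside one zone never crosses the firewall, so it is
    reported as 'allow' (the perimeter firewall does not see it).
    """
    if zone_of(src) == zone_of(dst):
        return "allow"
    for rule in POLICY:
        if rule.matches(src, dst, dport):
            return rule.action
    return "deny"   # default deny: nothing else gets through


def reachable_from(src: str, hosts, ports):
    """Blast-radius view: which (host, port) pairs in other zones can `src` reach?"""
    return sorted((h, p) for h in hosts for p in ports
                  if zone_of(h) != zone_of(src) and evaluate(src, h, p) == "allow")


if __name__ == "__main__":
    client = "203.0.113.5"   # constructed Internet client
    for flow in [(client, WEB_SERVER, 443), (client, WEB_SERVER, 21),
                 (client, SQL_SERVER, 1433), (WEB_SERVER, SQL_SERVER, 1433),
                 (WEB_SERVER, SQL_SERVER, 3389), ("192.0.2.99", SQL_SERVER, 1433)]:
        print(f"{flow[0]:>14} -> {flow[1]}:{flow[2]:<5} {evaluate(*flow)}")
    internal_hosts = [SQL_SERVER, "10.10.5.21", "10.10.1.1"]
    print("web server can reach:",
          reachable_from(WEB_SERVER, internal_hosts, [1433, 445, 3389]))
```

The `reachable_from` call is the point of the layered design: with the second firewall scoped to one source host, one destination host and one port, a compromised web server gets exactly the SQL port and nothing else on the LAN, rather than the whole internal network that a flat "everything on the same network" layout would expose.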
 
Thanks Denny,

That's the way I thought it worked. If they can hack the first firewall then surely they could hack the second, so what benefit would having two make?

I appreciate your input

 
It'll take more time and hopefully you'll have figured out there's a problem before they get through the second one.

Denny
 
True enough, and I guess there is no harm in adding layered protection, but if the second firewall requires the SQL ports open so the web apps can communicate with the back end SQL server, then that access is already open for abuse once inside the first firewall, isn't it?

 
If the SQL Server is properly secured (strong SA password, SQL Auth disabled, strong application passwords, encrypted connection strings, encrypted SQL connections, etc.) then having that hole in the firewall to the SQL Server isn't much of a risk, as the attacker would need to get through the DMZ-to-internal firewall before actually being able to access anything.

Denny
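Two of the hardening points in that reply (SQL Auth disabled in favour of Windows authentication, and encrypted SQL connections) show up directly in the web application's connection string, so they can be checked before deployment. The following is an added example, not code from the thread or from Microsoft: it parses a SqlClient/ODBC-style connection string and reports the weak settings. The keyword names (`Integrated Security`, `Trusted_Connection`, `User ID`/`Password`, `UID`/`PWD`, `Encrypt`, `TrustServerCertificate`) are the standard ones for those drivers; the sample strings, the finding texts and the helper names are constructed for the example.

```python
"""Audit a SQL Server connection string against the hardening points above.

Added example (not from the thread). Flags:
  - SQL authentication credentials embedded in the string (SQL Auth should be
    disabled; the web app should use Windows / integrated auth instead)
  - Encrypt not enabled (traffic between web server and SQL Server in clear)
  - TrustServerCertificate enabled (encryption without certificate validation)
Sample strings below are constructed.
"""

# Values that SqlClient/ODBC treat as "on"; "mandatory"/"strict" are the
# newer Encrypt values in Microsoft.Data.SqlClient 5.x.
TRUE_VALUES = {"yes", "true", "1", "sspi", "mandatory", "strict"}

# Keywords that mean SQL (not Windows) authentication is in use.
SQL_AUTH_KEYS = ("user id", "uid", "password", "pwd")


def parse_connection_string(cs: str) -> dict:
    """Split 'Key=Value;Key2=Value2' into a dict with lower-cased keys."""
    pairs = {}
    for part in cs.split(";"):
        if "=" not in part:
            continue            # empty trailing segment or stray text
        key, value = part.split("=", 1)
        pairs[key.strip().lower()] = value.strip()
    return pairs


def audit_connection_string(cs: str) -> list:
    """Return a list of findings; an empty list means the string passes."""
    kv = parse_connection_string(cs)
    findings = []

    uses_sql_auth = any(k in kv for k in SQL_AUTH_KEYS)
    integrated = kv.get("integrated security",
                        kv.get("trusted_connection", "")).lower() in TRUE_VALUES
    if uses_sql_auth or not integrated:
        findings.append("SQL authentication in use; switch to integrated "
                        "(Windows) auth and disable SQL Auth on the server")

    if kv.get("encrypt", "").lower() not in TRUE_VALUES:
        findings.append("Encrypt not enabled; web-to-SQL traffic is not encrypted")

    if kv.get("trustservercertificate", "").lower() in TRUE_VALUES:
        findings.append("TrustServerCertificate enabled; server certificate "
                        "is not validated, so encryption can be intercepted")
    return findings


# Constructed samples: a typical weak string and its hardened counterpart.
WEAK = "Server=sql01;Database=app;User ID=webapp;Password=Summer2010!;"
HARDENED = ("Server=sql01;Database=app;Integrated Security=SSPI;"
            "Encrypt=yes;TrustServerCertificate=no;")

if __name__ == "__main__":
    for label, cs in (("weak", WEAK), ("hardened", HARDENED)):
        result = audit_connection_string(cs) or ["OK"]
        print(f"{label}:")
        for line in result:
            print("  -", line)
```

Running this against the application's config as a pre-deployment check catches the cases where the DMZ hole Denny mentions actually becomes a risk: a plaintext SQL login that an attacker on the web server could read, or an unencrypted link that anyone between the two firewalls could sniff.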
 