How to secure a webserver in a DMZ

[Dennis Breithaupt <dennisb () tetaworx de>]

Hello,

my question seems to be a really basic one:

What are the security best practices to secure a linux-based 
Web/application server, let's say Apache/Tomcat, with access to a 
database backend in a corporate DMZ from a firewall point of view?


We want to make an internal database based application to be available 
for road warriors using PDAs through a normal https-connection.

So we want to place the (presentation-)server into an DMZ behind our 
firewall, allowing only tcp/443 (or even limited to "ENC-HTTP", using 
applicationlevel features from i.e. Checkpoint FW) from the outside and 
only relevant services, as i.e. read-only database connections, 
ldap-connections for authentication from the DMZ through the firewall to 
the inside net.

The key is, that it is not possible to mirror or actively push all 
relevant data from the core into the DMZ, so the DMZ-server has to open 
connections actively from the DMZ to some core database and also 
authentication servers.

So there is a possible attack szenario, that the presentationserver 
could be compromised and then the intruder could use the allowed 
connections into the core.

How would you solve such a situation? Is it generally speaking ok for a 
DMZ-located server to open connections into the core or should this 
never be possible?

Regards,
-Dennis