RE: How to secure a webserver in a DMZ

["Burton Strauss" <Burton () FelisCatus org>]

Put a specific firewall in there between the DMZ DBMS client and the
Internal DBMS server.

That is punch though the firewall ONLY for specific DBMS port (e.g. 3306 for
MySQL, etc.) between those two specific machines.


-----Burton


-----Original Message-----
From: Dennis Breithaupt [mailto:dennisb () tetaworx de] 
Sent: Friday, May 05, 2006 2:41 AM
To: security-basics
Subject: How to secure a webserver in a DMZ

Hello,

my question seems to be a really basic one:

What are the security best practices to secure a linux-based Web/application
server, let's say Apache/Tomcat, with access to a database backend in a
corporate DMZ from a firewall point of view?


We want to make an internal database based application to be available for
road warriors using PDAs through a normal https-connection.

So we want to place the (presentation-)server into an DMZ behind our
firewall, allowing only tcp/443 (or even limited to "ENC-HTTP", using
applicationlevel features from i.e. Checkpoint FW) from the outside and only
relevant services, as i.e. read-only database connections, ldap-connections
for authentication from the DMZ through the firewall to the inside net.

The key is, that it is not possible to mirror or actively push all relevant
data from the core into the DMZ, so the DMZ-server has to open connections
actively from the DMZ to some core database and also authentication servers.

So there is a possible attack szenario, that the presentationserver could be
compromised and then the intruder could use the allowed connections into the
core.

How would you solve such a situation? Is it generally speaking ok for a
DMZ-located server to open connections into the core or should this never be
possible?

Regards,
-Dennis