Firewall Wizards mailing list archives

RE: dmz question


From: "Behm, Jeffrey L." <BehmJL () bvsg com>
Date: Sat, 4 Nov 2000 23:38:02 -0600

If feasible, don't allow ANY connection back into the INTERNAL NETWORK. Is
it possible to put a "read-only" copy of the DB in the DMZ along with the
app server (maybe even on the app server, if you can't afford a separate
box)? Then refresh the read-only copy from a job initiated on the DB server
on your internal network. Then, if your read-only copy of the DB gets
hacked, just refresh from the "secured" copy.  If you have to propagate
writes back to the internal DB, then things get a bit more complicated.

Just another way to approach it, if you have the luxury of read-only copy.

Jeff
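As an added example (not code from the thread or from either poster), here is what the "refresh from inside" job and the inner firewall policy Jeff describes look like when written down: the internal DB server is the only host allowed to open a connection across the inner firewall, it pushes the read-only copy to the DMZ, keeps a manifest of what it pushed on the internal side, and on every run re-pushes the whole copy if the DMZ copy no longer matches. Addresses, the push port, and the paths are assumptions, and a directory of files stands in for the database so the script runs offline; in production the cp becomes a dump/restore or rsync over that one permitted flow.

```shell
#!/bin/sh
# Added example, not from the thread: a push-only refresh of the read-only
# DB copy in the DMZ, run as a job on the INTERNAL DB server, plus a tamper
# check that re-pushes from the secured copy when the DMZ copy differs.
# Host addresses, port and paths are assumptions for illustration. Files in
# a directory stand in for the database; in production the cp below becomes
# a dump/restore or rsync over the one flow the inner firewall permits.

INTERNAL_DB_HOST="10.10.1.5"   # assumed: internal DB server (push originator)
DMZ_REPLICA="192.0.2.10"       # assumed: read-only copy in the DMZ
PUSH_PORT=22                   # assumed: ssh/rsync used for the push

# Inner firewall (DMZ <-> internal) policy, printed rather than applied so the
# script runs without root. Only the internal DB server may open a connection,
# and only to the replica; the DMZ side gets reply packets of that one
# session and nothing else, so no DMZ host can initiate anything inward.
inner_firewall_rules() {
  cat <<EOF
iptables -P FORWARD DROP
iptables -A FORWARD -s ${INTERNAL_DB_HOST} -d ${DMZ_REPLICA} -p tcp --dport ${PUSH_PORT} -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s ${DMZ_REPLICA} -d ${INTERNAL_DB_HOST} -p tcp --sport ${PUSH_PORT} -m conntrack --ctstate ESTABLISHED -j ACCEPT
EOF
}

hash_file() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# "relative/path sha256" for every file under a directory, sorted, so two
# trees can be compared via their manifests.
make_manifest() {
  dir=$1
  (cd "$dir" && find . -type f | sort) | while read -r f; do
    printf '%s %s\n' "${f#./}" "$(hash_file "$dir/$f")"
  done
}

# Push the secured copy to the replica and record the manifest on the
# INTERNAL side, where a DMZ intruder cannot rewrite it.
refresh_replica() {
  secure=$1; replica=$2; manifest=$3
  rm -rf "$replica"
  mkdir -p "$replica"
  cp -R "$secure"/. "$replica"/
  make_manifest "$secure" > "$manifest"
}

# Exit status 0 if the replica still matches what was pushed (no changed,
# added or removed files), non-zero otherwise.
verify_replica() {
  replica=$1; manifest=$2
  make_manifest "$replica" | cmp -s "$manifest" -
}

# The periodic job: verify, and if the DMZ copy was altered, throw it away
# and re-push from the secured copy rather than trying to repair it in place.
check_and_heal() {
  secure=$1; replica=$2; manifest=$3
  if verify_replica "$replica" "$manifest"; then
    echo "replica matches secured copy"
    return 0
  fi
  echo "replica differs from secured copy; re-pushing" >&2
  refresh_replica "$secure" "$replica" "$manifest"
}
```

Run check_and_heal from cron on the internal DB server; the manifest lives next to the secured copy, never in the DMZ, which is what makes the tamper check worth anything once the DMZ host is assumed compromised.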

-----Original Message-----
From: "Ferrari, Martín"
To: 'firewall-wizards () nfr com'
Sent: 11/2/00 12:29 PM
Subject: [fw-wiz] dmz question

Hi guys,
        I have the following architecture: INTERNET - FIREWALL - DMZ -
FIREWALL - INTERNAL NETWORK
        I can't decide whether to put my application server inside the DMZ
or inside the internal network. The app server will serve all secure content
and has access to the DB server.
        If I put the app server inside the DMZ zone and someone breaks into
the DMZ, s/he can have access to my App Server, and besides that, I have to
open a firewall path to my backend database from the DMZ.

        If I put the app server inside the internal network, I have to open
ports for the web server to communicate with it, and if someone breaks into
the app server, s/he will have access to the DB machine.
        Obviously, each machine is itself secured as best as possible.

        I'd like to have the best possible security scheme so that secure
content cannot be accessed in case someone breaks in.
        Does what I've said make any sense? Are there other considerations
to take into account?

Thank you very much.
                                                                Martín

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
