Firewall Wizards mailing list archives

Re: dmz question


From: Joe Dauncey <toothbrushhead () yahoo com>
Date: Tue, 07 Nov 2000 22:39:59 +0000

Martin,

It sort of seems that you already have your design and you are trying to fit your
requirement into it. I would have thought it would be better to design according to
your requirement. Having said that, it may be that the infrastructure is shared in
some way.

If the app server is required to be accessed from the Internet then it should be
placed on the DMZ. You then only allow ports/protocols through the first firewall
that are absolutely required, and only directly to the servers required. You then
put filters on the inner firewall to only allow queries from the app server to the
DB server. This means that it is not possible to go straight from the Internet to
the DB server. In fact it should only be possible to access the DB server from the
app on the app server. I think that this is a classical design for where you want
to protect the DB from the Internet.

An alternative is where you have the DB server inside the Intranet, and then on a
periodic basis you copy the whole server to one that sits on the DMZ. This way if
the DB server is compromised then your master copy is not impacted.

This is all based on the assumption that the app server is required to be accessed
from the Internet and is feeding data to/from the DB server.

Hope that helps,
Joe

Balázs Nagy wrote:

Ferrari, Martín wrote:

 >      I have the following architecture: INTERNET - FIREWALL - DMZ -
 > FIREWALL - INTERNAL NETWORK
 >      I can't decide whether to put my application server inside the DMZ
 > or inside the internal network. The app server will serve all secure content
 > and has access to the DB server.
 >      If I put the app server inside the DMZ zone and someone breaks into
 > the DMZ, s/he can have access to my App Server, and besides that, I have to
 > open a firewall path to my backend database from the DMZ.

I would suggest looking at the following:

Firewall
| |
| |
+-+-Switch--+------------+ <= VLAN
             |            |
^ ^         |            |
| |         |            |
| DMZ port  |            |
|          DMZ::web     ZONE::DBase
ZONE port

Set up the VLAN so that only DMZ::web can access ZONE::DBase

Gurus: please let me know if this won't work. Thanks.
--
Cheers,
        Balázs

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
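The two-firewall policy described in the reply above (outer firewall admits only the required port to the app server; inner firewall admits only the app server to the DB server on the DB port), modelled as a small packet-filter simulation. This is an added example, not code from the original thread or from any firewall product. The addresses, the DB port and the host roles are assumptions constructed for illustration: app server 192.0.2.10 on the DMZ, DB server 10.0.0.20 on the internal network listening on TCP 5432, Internet client 198.51.100.7. Only the initiating direction of a connection is evaluated; reply packets are assumed to be admitted by the firewalls' state tracking.

```python
"""Model of the two-firewall DMZ design from the thread.

Added example, not code from the original post. Addresses, ports and host
roles are constructed for illustration: the app server is 192.0.2.10 on the
DMZ, the DB server is 10.0.0.20 on the internal network and listens on
TCP 5432. Only the initiating direction of a connection is evaluated; reply
packets are assumed to be admitted by the firewalls' state tracking.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

DMZ_NET = ip_network("192.0.2.0/24")       # constructed DMZ address range
INTERNAL_NET = ip_network("10.0.0.0/8")    # constructed internal range
APP_SERVER = "192.0.2.10"                  # assumed app server on the DMZ
DB_SERVER = "10.0.0.20"                    # assumed DB server, internal
DB_PORT = 5432                             # assumed DB listener (PostgreSQL)


@dataclass(frozen=True)
class Flow:
    """The first packet of a connection: who is opening it, to where."""
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    """One filter rule; fields left unspecified match anything."""
    action: str                       # "accept" or "drop"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None
    proto: Optional[str] = None

    def matches(self, f: Flow) -> bool:
        return (ip_address(f.src) in ip_network(self.src)
                and ip_address(f.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == f.dport)
                and (self.proto is None or self.proto == f.proto))


class Firewall:
    """First-match rule list; anything not explicitly accepted is dropped."""
    def __init__(self, name: str, rules: List[Rule]):
        self.name = name
        self.rules = list(rules)

    def decide(self, f: Flow) -> str:
        for r in self.rules:
            if r.matches(f):
                return r.action
        return "drop"


# Outer firewall: only the port the Internet genuinely needs, and only to
# the server that needs it (here, HTTPS to the app server).
OUTER = Firewall("outer", [
    Rule("accept", dst=APP_SERVER, dport=443, proto="tcp"),
])

# Inner firewall: only the app server may talk to the DB, and only on the DB
# port. No other DMZ host, and nothing on the Internet, gets through.
INNER = Firewall("inner", [
    Rule("accept", src=APP_SERVER, dst=DB_SERVER, dport=DB_PORT, proto="tcp"),
])

ZONE_ORDER = {"internet": 0, "dmz": 1, "internal": 2}


def zone(addr: str) -> str:
    a = ip_address(addr)
    if a in DMZ_NET:
        return "dmz"
    if a in INTERNAL_NET:
        return "internal"
    return "internet"


def firewalls_crossed(f: Flow) -> List[Firewall]:
    """Which firewalls sit between the two endpoints (outer listed first).

    INTERNET - outer - DMZ - inner - INTERNAL: a flow crosses the outer
    firewall if one end is on the Internet and the other is not, and the
    inner firewall if one end is internal and the other is not. Two hosts
    in the same zone cross no firewall at all.
    """
    lo, hi = sorted((ZONE_ORDER[zone(f.src)], ZONE_ORDER[zone(f.dst)]))
    crossed = []
    if lo == 0 and hi >= 1:
        crossed.append(OUTER)
    if lo <= 1 and hi == 2:
        crossed.append(INNER)
    return crossed


def permitted(f: Flow) -> bool:
    """A connection succeeds only if every firewall on its path accepts it."""
    return all(fw.decide(f) == "accept" for fw in firewalls_crossed(f))


if __name__ == "__main__":
    cases = [
        ("Internet -> app server HTTPS", Flow("198.51.100.7", APP_SERVER, 443)),
        ("Internet -> app server SSH", Flow("198.51.100.7", APP_SERVER, 22)),
        ("Internet -> DB directly", Flow("198.51.100.7", DB_SERVER, DB_PORT)),
        ("app server -> DB", Flow(APP_SERVER, DB_SERVER, DB_PORT)),
        ("app server -> DB, SSH", Flow(APP_SERVER, DB_SERVER, 22)),
        ("other DMZ host -> DB", Flow("192.0.2.11", DB_SERVER, DB_PORT)),
    ]
    for label, flow in cases:
        print(f"{label:32} {'allowed' if permitted(flow) else 'blocked'}")
```

The point the model makes explicit is the one the reply relies on: a direct Internet-to-DB connection has to pass both firewalls and is dropped at the first one, and a second host on the DMZ (a compromised web server, say) still cannot reach the DB because the inner firewall keys on the app server's source address, not merely on "from the DMZ". Note that two hosts in the same zone cross no firewall in this model, which is exactly the gap a single switch with VLANs has to close by other means.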