Firewall Wizards mailing list archives
securing DB access from the DMZ
From: wasabi_pea () hushmail com
Date: Wed, 20 Feb 2002 13:47:47 -0800
We have a Cisco PIX 520. One interface is a DMZ that contains a Windows NT 4.0 server running IIS 4.0. This webserver also runs an Internet banking software package called Q-Up from the S1 Corporation. This application has had a somewhat spotty security history. S1 outsources the Q-Up system, and their hosted banks were compromised at the end of last year with an IIS exploit, and I have other concerns about the design of the Q-Up product. But I'm stuck with it, at least for the present.

The webserver has two network interfaces. One has a public IP that carries web traffic to and from the Internet. The other has a private address and carries database requests to and from the core banking database over a single TCP/IP port (as far as I know). The second NIC plugs into our core switch behind the firewall, to which our database server is also directly connected. The connection from the webserver to the switch makes me nervous.

Here's the obligatory ASCII diagram of the portion of the network in question. I hope it displays correctly.

          {Internet}
              |
              |
        [Cisco router]
              |
              |
        [Cisco PIX 520]---DMZ---[IIS 4 Webserver]
              |                      (Second NIC)
              |                           |
              |                           |
    [Cisco Catalyst 6509]-----------------+
              |
              |
              +---------------[DB Server]

The former administrator wasn't concerned with the second NIC, and claimed that it was impossible for traffic to route from one NIC to the other. I'm not sure I feel comfortable trusting that assumption to protect the database server from intrusion. However, the former administrator liked the solution so much he carried it out on all the servers in the DMZ, so that they could be administered without going into the server room.

I'm considering alternative designs and solutions. I think I'd like to cut the secondary connection to the switch and bring the database traffic back through the firewall to the inside network.
I'm also considering a second firewall to create a more secure zone for the database server and other important assets, like the Human Resources server. That way I can further secure access to them from both external and internal users.

Any other solutions or insights? I'm particularly interested in hearing from others who have experience securing the Q-Up product and its database communications.

Thanks for reading so far, and for any advice you can provide.

wasabi_pea

P.S. I don't mind hearing marketing-type responses from those providing products as long as they give some concrete answers on how their product helps the situation. So please, no responses like, "Well, just buy our expensive gizmo and all your problems will disappear." :)
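As an added example (not part of the original post, and not vendor-supplied configuration), this is what "bring the database traffic back through the firewall" looks like on a PIX 6.x once the second NIC is unplugged: the only path from the web host to the database is one explicit rule, so nothing depends on the former administrator's claim that the NT box won't forward between its interfaces. It assumes the PIX interfaces are named inside and dmz; WEB_DMZ_IP, DB_IP and DB_PORT are placeholders for values the post does not give, and the lines beginning with ! are explanatory comments.

```cisco
! Placeholders (constructed, not from the post): WEB_DMZ_IP is the
! webserver's DMZ-side address, DB_IP the database server's address on
! the inside network, DB_PORT the single TCP port Q-Up uses for the DB.
!
! Identity translation so a host on the lower-security dmz interface
! can reach the inside DB server at its real address.
static (inside,dmz) DB_IP DB_IP netmask 255.255.255.255
!
! Exactly one source, one destination, one TCP port. Anything else
! leaving the DMZ, including the other DMZ servers the former admin
! dual-homed, is dropped by the explicit deny and shows up in the
! PIX syslog instead of quietly crossing the Catalyst.
access-list dmz_in permit tcp host WEB_DMZ_IP host DB_IP eq DB_PORT
access-list dmz_in deny ip any any
access-group dmz_in in interface dmz
```

The denied-by-access-group syslog entries are the check that the old switch path is really gone: a compromised web host probing the inside network now produces log lines at the firewall rather than a silent success.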
Current thread:
- securing DB access from the DMZ wasabi_pea (Feb 20)
- Re: securing DB access from the DMZ Holger Kipp (Feb 21)
- Re: securing DB access from the DMZ Ryan Russell (Feb 21)
- <Possible follow-ups>
- RE: securing DB access from the DMZ Carl Friedberg (Feb 21)
- Re: Re: securing DB access from the DMZ wasabi_pea (Feb 21)
- RE: securing DB access from the DMZ Scott, Richard (Feb 27)