Security Basics mailing list archives

Re: DMZ traffic (was Please help ! need to check IIS volunrabilities.)


From: miguel.dilaj () pharma novartis com
Date: Sun, 28 Nov 2004 20:48:55 +0100

Hi!

Well, what comes to mind is putting the DB in the DMZ (or in another DMZ 
with other restrictions, if needed) and allowing the clients in the LAN to 
connect to it for updates, etc.
I mentioned that connections starting from the DMZ to the LAN must be 
forbidden, but the opposite can be allowed of course!
The fact that the DB is in a minicomputer doesn't affect where you want to 
put it in the network; you don't need to have 2 and synchronize, just put 
it in the proper place for the use it's intended for (and have backups ;-)
Cheers,

Miguel Dilaj (Nekromancer)






<sf_mail_sbm () yahoo com>
26/11/2004 15:03

 
        To:     security-basics () securityfocus com
        cc:     (bcc: Miguel Dilaj/PH/Novartis)
        Subject:        Re: DMZ traffic (was Please help ! need to check IIS    volunrabilities.)



5) Is the configuration of the DMZ "watertight"? (In particular: 
connections STARTING in the DMZ must be forbidden).

How would you prevent this in a case where a webserver needs to access a 
production db in the Internal network for queries/updates?

You might propose to use another db in the DMZ, and perform regular 
synchronisations - but what if the db is being held on a minicomputer 
(cost issue)?
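
The zone policy discussed in this thread (LAN clients may open connections to the DB in the DMZ, nothing may start in the DMZ towards the LAN), as an added example that is not part of the original messages. It models a small stateful filter to show that replies to LAN-initiated connections still pass while DMZ-initiated ones are dropped; the zone names, addresses and DB port are assumptions.

```python
# Added illustration: a minimal stateful packet filter modelling the zone policy
# from the thread. Zone names, addresses and the DB port are assumptions.
from ipaddress import ip_address, ip_network

ZONES = {  # constructed sample addressing
    "lan": ip_network("10.0.0.0/24"),
    "dmz": ip_network("192.168.50.0/24"),
}
DB_PORT = 5432  # assumed database listener port

# First-match rules for NEW connections only: (src_zone, dst_zone, dst_port, verdict)
RULES = [
    ("lan", "dmz", DB_PORT, "accept"),  # LAN clients reach the DB in the DMZ
    ("dmz", "lan", None, "drop"),       # nothing may START in the DMZ towards the LAN
]


def zone_of(addr):
    """Map an address to its zone; anything unknown is treated as 'internet'."""
    ip = ip_address(addr)
    return next((name for name, net in ZONES.items() if ip in net), "internet")


class Firewall:
    def __init__(self):
        self.established = set()  # connection-tracking table of accepted flows

    def filter(self, src, sport, dst, dport):
        """Return 'accept' or 'drop' for one packet (src, sport) -> (dst, dport)."""
        # A packet belonging to a tracked flow (either direction) is not a new
        # connection, so the reply from the DMZ to the LAN client is allowed.
        if (dst, dport, src, sport) in self.established or \
           (src, sport, dst, dport) in self.established:
            return "accept"
        sz, dz = zone_of(src), zone_of(dst)
        for r_src, r_dst, r_port, verdict in RULES:
            if (r_src, r_dst) == (sz, dz) and r_port in (None, dport):
                if verdict == "accept":
                    self.established.add((src, sport, dst, dport))
                return verdict
        return "drop"  # default deny for anything no rule names
```
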


