Firewall Wizards mailing list archives

Previous By Date Next
Previous By Thread Next

RE: DMZ design - Exchange, SQL, & DCOM

From: "Phil Cox" <Phil.Cox () SystemExperts com>
Date: Wed, 9 Feb 2000 21:59:51 -0800

Here's where you're wrong. If someone can hack the web server, they can
hack the SQL server, and in turn access everything on the internal
network.


You must be assuming that the Web server and the SQL server have not had any security configurations applied. If you 
can get at any resource on an internal network, through a properly configured Web server back ending to an SQL server, 
I would be impressed.


You don't want a web server accessing your SQL server on the internal net.


I know of many installations using this method, securely. It depends on your deployment, and what level of 
configuration you have done on the box. I would not summarily dismiss it.


If you implement all the funky things I've suggested above,
worst case, you'd need a firewall with 5 NICs:
1 - External
2 - Internal
3 - DMZ with web server
4 - DMZ with mail forwarder
5 - DMZ with SQL server (this may not be needed, as noted above)


This looks like a recipe for disaster. Remember the old KISS (Keep it Simple) rule. Complexity and misconfiguration has 
lead to more compromises that true system vulnerabilities. 

Phil
Previous By Date Next
Previous By Thread Next

Current thread: