Firewall Wizards mailing list archives

Re: DMZ design - Exchange, SQL, & DCOM


From: billp () rocketcash com
Date: Sat, 05 Feb 2000 23:59:50 -0800

Oh cool, a raise!!!

Just because your SQL server is in the DMZ does not mean that it is accessible
from the outside. Your outside firewall interface should only allow HTTP
traffic to the web server and SMTP traffic to the mail server. That's it.
Nothing more. Your SQL server doesn't even need an internet-routable IP
address. It doesn't even need IP. You could set it up to use IPX or NetBEUI to
talk to the web server. (Do this only if your firewall will let you talk to the
SQL server from the inside using IPX or NetBEUI.) With databases, more often than
not, you need to be more concerned with database and ASP security. For instance,
can I pass SQL commands embedded in HTML? Hopefully not.

My reasoning behind not putting the SQL server on the internal is that you
would have to punch a hole from the web server in the DMZ to the SQL server on
your LAN. Think of the 3rd interface (LAN interface) as your last line of
defense. It must have the smallest number of openings possible. You will
already have one for mail; don't have one for SQL traffic if you don't need
one. It would probably not be the end of the world if you put the SQL server on
the inside, I just find that hosts on the internal LAN don't always get the same
security treatment as hosts in the DMZ or outside the firewall. You tend to get
lax because the server is just right there on the LAN.


One more thing. The book "Building Internet Firewalls" is NOT written by
Cheswick and Bellovin as was stated previously. "Building Internet Firewalls" is
written by Brent Chapman and Elizabeth Zwicky and is published by O'Reilly.


Michael Borkin wrote:

    <snip>

        Just my .02....

    </snip>

Bill,

Thanks for your response and I think it's worth a hell of a lot more than
just .02 ... so look in your mail for the .83 that I am sending as a thank
you.  I know I am overly generous but I really do appreciate you taking the
time.

    <snip>

        I don't understand a lot of your comments about the 2+2 config.

    </snip>

Frankly, I didn't understand a lot of it either, which is why I brought up
the question.  Most of what I was asking about is based on conflicting
information from people that I have talked with.  The 2+2 comments were
based on one of those conversations.  I feel that I only have enough
knowledge to be truly dangerous in this area at the moment, and I am working
very hard at trying to sort good information from bad.

    <snip>

        I think the other person you were speaking with is confused
        about big holes in your firewall.

    </snip>

I have come to the conclusion that we were talking apples and oranges.  I
was only looking at passing mail (as you were as well), while he was
thinking about full use of exchange features to external users through the
VPN.

    <snip>

        The web server should be in the DMZ as should the SQL
        server IMHO. The SQL server should NOT be accessible from
        the outside at all. It should only talk to the web server and internal
        clients. Then open a hole from the inside to the SQL server for
        the SQL server traffic (port escapes at the moment). And of
        course open up HTTP and HTTPS from the inside to the DMZ.

    </snip>

Did you misspeak or am I just not understanding something?  If the SQL
server is in the DMZ then isn't it generally accessible to the outside by
that very fact?  If it is only talking to the web server and the internal
machines; and you are opening ports for SQL, HTTP, & HTTPS; shouldn't the
SQL server be in the more secure area of the network?

Also, this is not an e-commerce site so I don't think there is a call for
SSL or HTTPS.  Instead SQL is used to generate the .asp pages that make up
the site (in fact a transaction server isn't even implemented to my
knowledge, but I need to double check on that).  In your opinion is there
any reason to use SSL on a non-commerce site such as the one that I am
talking about?

Finally, thank you for all the suggestions, especially about the stand-alone
backup server for the DMZ.  I am still in the very first stage of this
project and where/how to backup hadn't entered into my mind although it
definitely should have.

Mike
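The three-interface policy Bill describes (outside sees only HTTP to the web server and SMTP to the mail server; the inside reaches the DMZ web server and the SQL server; the LAN interface carries one opening, for mail; everything else dropped) written out as a default-deny rule table and checked against a handful of constructed flows. This is an added example for the archive, not code from either poster: the addresses, hostnames, the MSSQL port (1433) and the rule table are assumptions made for illustration.

```python
"""
Default-deny policy for the three-interface firewall discussed in the thread
(outside / DMZ / inside), checked against constructed flows.
Added example, not from the original post: the addresses, hostnames,
port numbers and the rule table below are assumptions made for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed address plan. The SQL server lives in the DMZ but is never
# published on the outside interface; its address could equally be
# non-routable (or, as the post notes, not IP at all).
DMZ = ip_network("192.0.2.0/24")
LAN = ip_network("10.0.0.0/8")
WEB = ip_address("192.0.2.10")       # assumed DMZ web server
MAIL = ip_address("192.0.2.25")      # assumed DMZ mail relay
SQL = ip_address("192.0.2.50")       # assumed DMZ SQL server
LAN_MAIL = ip_address("10.0.0.25")   # assumed internal Exchange server

HTTP, HTTPS, SMTP, MSSQL = 80, 443, 25, 1433  # MSSQL port is an assumption


@dataclass(frozen=True)
class Flow:
    """One TCP connection attempt as the firewall sees it."""
    src: str
    dst: str
    dport: int


def zone_of(addr: str) -> str:
    """Map a source address to the interface it arrives on."""
    a = ip_address(addr)
    if a in LAN:
        return "inside"
    if a in DMZ:
        return "dmz"
    return "outside"


# (source zone, source host or None for any, destination host, destination port)
# Anything not listed is dropped.
RULES = [
    ("outside", None, WEB, HTTP),        # the only two outside-facing openings
    ("outside", None, MAIL, SMTP),
    ("inside", None, WEB, HTTP),         # HTTP/HTTPS from the inside to the DMZ
    ("inside", None, WEB, HTTPS),
    ("inside", None, SQL, MSSQL),        # inside clients reach SQL directly
    ("dmz", WEB, SQL, MSSQL),            # web server talks to SQL within the DMZ
    ("dmz", MAIL, LAN_MAIL, SMTP),       # the one hole on the LAN interface: mail
]


def allowed(flow: Flow) -> bool:
    """First-match permit over RULES, default deny."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    zone = zone_of(flow.src)
    for rule_zone, src_host, dst_host, port in RULES:
        if (rule_zone == zone and (src_host is None or src == src_host)
                and dst == dst_host and flow.dport == port):
            return True
    return False


def exposed_from_outside() -> list:
    """(host, port) pairs reachable from the Internet: web:80 and mail:25 only."""
    return sorted({(str(r[2]), r[3]) for r in RULES if r[0] == "outside"})


def lan_interface_openings() -> list:
    """Rules that terminate on the LAN, the 'last line of defense'."""
    return [r for r in RULES if r[2] in LAN]


if __name__ == "__main__":
    # Constructed flows; 203.0.113.7 stands in for an arbitrary Internet host.
    probes = [
        Flow("203.0.113.7", str(WEB), HTTP),     # allowed
        Flow("203.0.113.7", str(SQL), MSSQL),    # dropped: SQL not published
        Flow("203.0.113.7", str(MAIL), SMTP),    # allowed
        Flow("10.0.0.5", str(SQL), MSSQL),       # allowed: inside -> SQL
        Flow(str(WEB), str(SQL), MSSQL),         # allowed: web -> SQL in DMZ
        Flow(str(WEB), "10.0.0.5", MSSQL),       # dropped: no SQL hole into LAN
    ]
    for p in probes:
        verdict = "ALLOW" if allowed(p) else "DROP"
        print(f"{p.src:>14} -> {p.dst}:{p.dport:<5} {verdict}")
    print("outside can reach:", exposed_from_outside())
    print("openings on LAN interface:", len(lan_interface_openings()))
```

The two helper queries are the audit Mike was asking about: exposed_from_outside() answers "is the SQL server reachable by virtue of being in the DMZ" (it is not, because no outside rule names it), and lan_interface_openings() counts the holes through the third interface, which stays at one (mail) as long as SQL is kept in the DMZ rather than on the LAN.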


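Bill's "can I pass SQL commands embedded in HTML?" is the application-layer risk that no firewall placement fixes, so here it is made concrete. This is an added example, not code from the thread or from the site under discussion: an in-memory SQLite database stands in for the SQL server, two small Python functions stand in for the query-building code of an ASP page, and the table, rows and attacker payload are all constructed for illustration.

```python
"""
The 'SQL commands embedded in HTML' question from the thread, made concrete.
Added example, not from the post: an in-memory SQLite database stands in
for the SQL server, and two small functions stand in for the query-building
code of an ASP page. Table, rows and the payload are constructed.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample: one public page and one unpublished draft."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE pages (slug TEXT PRIMARY KEY, body TEXT, published INTEGER);
        INSERT INTO pages VALUES ('home', 'Welcome', 1);
        INSERT INTO pages VALUES ('draft-q1', 'Unreleased numbers', 0);
        """
    )
    return conn


def page_bodies_concat(conn, slug: str) -> list:
    """Vulnerable: the form/query-string value is spliced into the statement,
    so any SQL inside it is parsed as SQL."""
    sql = "SELECT body FROM pages WHERE slug = '" + slug + "' AND published = 1"
    return sorted(row[0] for row in conn.execute(sql))


def page_bodies_param(conn, slug: str) -> list:
    """Hardened: the value is bound as a parameter and can only ever be a
    string compared against slug, never part of the statement text."""
    sql = "SELECT body FROM pages WHERE slug = ? AND published = 1"
    return sorted(row[0] for row in conn.execute(sql, (slug,)))


# Constructed attacker input: closes the quoted string, makes the WHERE
# clause always true, and comments out the published filter.
PAYLOAD = "x' OR 1=1 --"


if __name__ == "__main__":
    db = make_db()
    print("legit, concat :", page_bodies_concat(db, "home"))
    print("attack, concat:", page_bodies_concat(db, PAYLOAD))   # draft leaks
    print("attack, param :", page_bodies_param(db, PAYLOAD))    # nothing matches
```

The concatenating version turns the payload into "WHERE slug = 'x' OR 1=1 --' AND published = 1", which returns the unpublished draft; the parameterised version compares the whole payload string against slug and returns nothing. The same distinction applies to ADO in classic ASP: build commands with parameters rather than string concatenation of request values.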
