Firewall Wizards mailing list archives
Re: dmz question
From: George Capehart <capegeo () opengroup org>
Date: Sun, 05 Nov 2000 18:30:21 -0500
Hi Martin,
In situations when it is necessary to do transactions against legacy
data stores, we've partitioned the DMZ into layers with firewalls
between each layer and then, when necessary, used mutually authenticated
SSL connections through the inside firewall to internal databases and
transaction:
INTERNET
|
|
V
Filtering router
|
|
V
Outside Firewall (Outside boundary of DMZ)
|
|
V
PRESENTATION LAYER (httpd; static pages only and those in the DCE DFS)
|
|
V
Firewall
|
|
V
APPLICATION LAYER (CGI, servlets, etc. that implement business logic and
construct dynamic pages)
|
|
V
Firewall
|
|
V
DATA ACCESS LAYER (Operational Data Store, static data, servlets that
access back-end transactions)
|
|
V
Inside Firewall (Inside boundary of the DMZ {the DMZ needs to be
protected from INSIDERS, too, you see. :-) }
|
|
V
Internal network
Depending upon the complexity of what is implemented in the different
layers, the firewalls can be implemented as application proxies or
packet filtering firewalls. In this case, the proxies would have to be
home-grown. They're sometimes very useful, though, because they can do
some logging and, when run in paranoid mode, can even be honey-pots . .
. ;->
FWIW, Yet Another Way To Skin The Cat
"Ferrari, Martín" wrote:
Hi guys,
I have the following architecture: INTERNET - FIREWALL - DMZ -
FIREWALL - INTERNAL NETWORK
I can't decide whether to put my application server inside the DMZ
or inside the internal network. The app server will serve all secure content
and has access to the DB server.
If I put the app server inside the DMZ zone and someone breaks into
the DMZ, s/he can have access to my App Server, and besides that, I have to
open a firewall path to my backend database from the DMZ.
If I put the app server inside the internal network, I have to open
ports for the web server to communicate with it, and if someone breaks into
the app server, s/he will have access to the DB machine.
Obviously, each machine is itself secured as best as possible.
I'd like to have the best possible security scheme so that secure
content cannot be accessed in case someone breaks in.
Does what I've said make any sense? Are there other considerations
to take into account?
Thank you very much.
Martín
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
--
George W. Capehart phone: +1 (704) 277-4561
fax: +1 (704) 853-2624
"I'd rather have a bottle in front of me than a frontal lobotomy."
Anonymous
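The layered design in the reply above, worked through as an added example that is not part of the original thread: one stateful packet filter per layer boundary, each admitting new connections only from the layer just outside it to the layer just inside it, so that a compromised presentation host cannot open a connection to the data access layer, and an insider cannot open one into the DMZ. The subnets, sample hosts, interface names and ports are assumptions for illustration; the nftables output is one way to express such a boundary on a Linux filtering host and is not George Capehart's own configuration.

```python
"""Added example, not part of the original thread: a model of the layered
DMZ described in the reply, with one stateful packet filter per boundary.
Subnets, interface names and ports are assumptions for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Layers, outermost first. Subnets and the sample host used for reachability
# checks are assumed; the Internet "layer" is everything not in a DMZ subnet.
LAYERS = ["internet", "presentation", "application", "data_access", "internal"]
SUBNET = {
    "internet":     ip_network("0.0.0.0/0"),
    "presentation": ip_network("10.1.0.0/24"),
    "application":  ip_network("10.2.0.0/24"),
    "data_access":  ip_network("10.3.0.0/24"),
    "internal":     ip_network("10.10.0.0/16"),
}
SAMPLE_HOST = {"internet": "203.0.113.5", "presentation": "10.1.0.10",
               "application": "10.2.0.10", "data_access": "10.3.0.10",
               "internal": "10.10.5.5"}


@dataclass(frozen=True)
class Rule:
    src: str       # layer the connection is opened from
    dst: str       # layer it is opened to (always the next one inward)
    port: int      # TCP port on the destination (assumed values)
    comment: str


# One rule per boundary: each firewall admits NEW connections only from the
# layer just outside it to the layer just inside it. Replies ride on
# connection state; nothing opens a connection outward or skips a layer.
RULES = [
    Rule("internet",     "presentation", 80,   "static pages"),
    Rule("internet",     "presentation", 443,  "static pages over SSL"),
    Rule("presentation", "application",  8443, "httpd to servlets, mutually authenticated SSL"),
    Rule("application",  "data_access",  9443, "servlets to operational data store, mutually authenticated SSL"),
    Rule("data_access",  "internal",     1521, "data access layer to back-end DB through the inside firewall"),
]


def layer_of(addr: str) -> str:
    """Most specific layer containing addr; 0.0.0.0/0 catches everything else."""
    ip = ip_address(addr)
    return max((name for name in LAYERS if ip in SUBNET[name]),
               key=lambda name: SUBNET[name].prefixlen)


def allowed(src_addr: str, dst_addr: str, dst_port: int) -> bool:
    """Would the chain of firewalls pass a NEW TCP connection src -> dst:port?"""
    s, d = layer_of(src_addr), layer_of(dst_addr)
    return any(r.src == s and r.dst == d and r.port == dst_port for r in RULES)


def layer_skips() -> list:
    """Flows that would be accepted yet do not go exactly one layer inward.
    An empty list means the layering holds on every port any rule uses."""
    ports = sorted({r.port for r in RULES})
    bad = []
    for i, s in enumerate(LAYERS):
        for j, d in enumerate(LAYERS):
            if j == i + 1:
                continue  # the one direction a boundary is meant to pass
            for p in ports:
                if allowed(SAMPLE_HOST[s], SAMPLE_HOST[d], p):
                    bad.append((s, d, p))
    return bad


def firewall_ruleset(outer: str, inner: str, iface_out="eth0", iface_in="eth1") -> str:
    """nftables forward chain for the firewall between two adjacent layers.
    Only that boundary's rules appear; everything else is logged and dropped."""
    lines = [
        "table inet dmz_fw {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for r in RULES:
        if (r.src, r.dst) == (outer, inner):
            lines.append(
                f'    iifname "{iface_out}" oifname "{iface_in}" '
                f'ip saddr {SUBNET[r.src]} ip daddr {SUBNET[r.dst]} '
                f'tcp dport {r.port} ct state new accept comment "{r.comment}"'
            )
    lines += ['    log prefix "dmz_fw drop: " drop', "  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(firewall_ruleset("application", "data_access"))
    print("layer skips:", layer_skips())
```

Run as-is, the script prints the rule set for the firewall between the application and data access layers and an empty list of layer skips. The point of the per-boundary rule sets is that the inside firewall carries only the data access to internal rule; it never sees a presentation or application subnet as a permitted source, which is what makes the DMZ safe from the inside as well as the outside.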