Firewall Wizards mailing list archives
Re: dmz question
From: Joe Dauncey <toothbrushhead () yahoo com>
Date: Tue, 07 Nov 2000 22:39:59 +0000
Martin,

It sort of seems that you already have your design and you are trying to fit your requirement into it. I would have thought it would be better to design according to your requirement. Having said that, it may be that the infrastructure is shared in some way.

If the App server is required to be accessed from the Internet then it should be placed on the DMZ. You then only allow ports/protocols through the first firewall that are absolutely required, and only directly to the servers required. You then put filters on the inner firewall to only allow queries from the app server to the DB server. This means that it is not possible to go straight from the Internet to the DB server. In fact it should only be possible to access the DB server from the app on the app server. I think that this is a classical design for where you want to protect the DB from the Internet.

An alternative is where you have the DB server inside the Intranet, and then on a periodic basis you copy the whole server to one that sits on the DMZ. This way, if the DB server is compromised then your master copy is not impacted.

This is all based on the assumption that the app server is required to be accessed from the Internet and is feeding data to/from the DB server.

Hope that helps,

Joe

Balázs Nagy wrote:
Ferrari, Martín wrote:
> I have the following architecture:
>
> INTERNET - FIREWALL - DMZ - FIREWALL - INTERNAL NETWORK
>
> I can't decide whether to put my application server inside the DMZ
> or inside the internal network. The app server will serve all secure content
> and has access to the DB server.
> If I put the app server inside the DMZ zone and someone breaks into
> the DMZ, s/he can have access to my App Server, and besides that, I have to
> open a firewall path to my backend database from the DMZ.

I would suggest looking at the following:

              Firewall
               |    |
               |    |
      +-+-Switch--+------------+  <= VLAN
      |  |        ^            ^
      |  |        |            |
      |  |        |            |
      |  DMZ port |            |
      |           |            |
   DMZ::web   ZONE::DBase   ZONE port

Set up the VLAN so that only DMZ::web can access ZONE::DBase.

Gurus: please let me know if this won't work. Thanks.

--
Cheers,
Balázs
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
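As an added illustration (not from the thread), a small Python model of the two-firewall design Joe describes: the outer firewall admits only the ports the app server needs, the inner firewall admits only app-server-to-DB queries, and a flow must pass every chokepoint between its source and destination zones, so no direct Internet-to-DB path exists. Addresses, the HTTPS and database ports, and the rule contents are constructed assumptions.

```python
"""Policy check for the two-firewall DMZ design: outer firewall in front of
the DMZ, inner firewall in front of the internal network. Constructed example."""
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional

# Constructed addressing: app server in the DMZ, DB server on the internal
# network; any address outside these two ranges counts as Internet.
DMZ_NET = ip_network("192.0.2.0/24")
INTERNAL_NET = ip_network("10.10.0.0/16")
APP_SERVER = "192.0.2.10/32"
DB_SERVER = "10.10.5.20/32"
ZONE_ORDER = ["internet", "dmz", "internal"]

class Rule(NamedTuple):
    src: str              # CIDR
    dst: str              # CIDR
    dport: Optional[int]  # None matches any port
    action: str           # "allow" or "deny"

# Outer firewall: only the ports the app server absolutely needs (here: HTTPS).
OUTER_FW = [Rule("0.0.0.0/0", APP_SERVER, 443, "allow")]
# Inner firewall: only the app server may query the DB server (port assumed).
INNER_FW = [Rule(APP_SERVER, DB_SERVER, 1433, "allow")]
CHOKEPOINTS = {("internet", "dmz"): OUTER_FW, ("dmz", "internal"): INNER_FW}

def zone_of(addr: str) -> str:
    ip = ip_address(addr)
    return "dmz" if ip in DMZ_NET else "internal" if ip in INTERNAL_NET else "internet"

def evaluate(rules, src: str, dst: str, dport: int) -> bool:
    """First-match evaluation with an implicit deny at the end of the list."""
    for r in rules:
        if (ip_address(src) in ip_network(r.src) and ip_address(dst) in ip_network(r.dst)
                and r.dport in (None, dport)):
            return r.action == "allow"
    return False

def path_allowed(src: str, dst: str, dport: int) -> bool:
    """A flow must be permitted by every firewall between the two zones.
    Only the inbound direction (less trusted -> more trusted) is modelled."""
    s, d = ZONE_ORDER.index(zone_of(src)), ZONE_ORDER.index(zone_of(dst))
    if d < s:
        raise ValueError("outbound flows are not modelled here")
    for i in range(s, d):  # walk each chokepoint on the way to dst's zone
        if not evaluate(CHOKEPOINTS[(ZONE_ORDER[i], ZONE_ORDER[i + 1])], src, dst, dport):
            return False
    return True  # same-zone traffic (s == d) crosses no firewall
```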
Current thread:
- dmz question Ferrari, Martín (Nov 05)
- Re: dmz question George Capehart (Nov 08)
- Re: dmz question Balázs Nagy (Nov 08)
- Re: dmz question Joe Dauncey (Nov 09)
- <Possible follow-ups>
- RE: dmz question Behm, Jeffrey L. (Nov 06)