PaulDotCom mailing list archives

Re: MS-SQL in the DMZ

From: Michael Dickey <lonervamp () gmail com>
Date: Tue, 17 May 2011 15:34:05 -0500

One point of having a DMZ network is to isolate systems that accept
untrusted connections from those that do not. A front-end web server accepts
untrusted connections, but the SQL DB server does not; at least not
directly. So if you have some other way to isolate the communication between
those boxes so that one only talks to the other via something like a SQL
port, then I guess feel free.

Otherwise, the easiest best practice is to just say SQL DBs in the DMZ is a
bad idea. If your web server gets popped, maybe even marginally, it could
open up easy attacks into your SQL box.

Of course, this is a whole new discussion if:
- you're a small shop and/or might consider internal users as untrusted, but
can't afford so many separate networks
- you consider SQL owned if your front end web server is owned, which is a
certain non-layered way to look at it

On Tue, May 17, 2011 at 3:08 PM, Juan Cortes <juanccortester () gmail com>wrote:

Hope all is well,

Can anyone point or recommend a some resources for best practices for SQL
DBs in the DMZ

thanks

--
Juan C.

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

Current thread:

MS-SQL in the DMZ Juan Cortes (May 17)
- Re: MS-SQL in the DMZ Michael Dickey (May 17)
  - Re: MS-SQL in the DMZ Juan Cortes (May 18)
    - Re: MS-SQL in the DMZ Dan McGinn-Combs (May 18)
    - Re: MS-SQL in the DMZ Hembrow, Chris (May 19)
    - Re: MS-SQL in the DMZ Chesmore, Michael [DAS] (May 20)
    - Re: MS-SQL in the DMZ Dave (May 20)