PaulDotCom mailing list archives

Re: MS-SQL in the DMZ


From: Juan Cortes <juanccortester () gmail com>
Date: Wed, 18 May 2011 08:15:12 -0500

Thanks Michael.

So let me get this straight: there shouldn't be any comms from my SQL server
in the DMZ to my internal network, correct? Which I agree with.
But comms to the SQL server in the DMZ from my internal network are OK? I am
pushing to change the default port just for some comfort.

Thanks in advance

On Tue, May 17, 2011 at 3:34 PM, Michael Dickey <lonervamp () gmail com> wrote:

One point of having a DMZ network is to isolate systems that accept
untrusted connections from those that do not. A front-end web server accepts
untrusted connections, but the SQL DB server does not; at least not
directly. So if you have some other way to isolate the communication between
those boxes so that one only talks to the other via something like a SQL
port, then I guess feel free.

Otherwise, the easiest best practice is to just say SQL DBs in the DMZ is a
bad idea. If your web server gets popped, maybe even marginally, it could
open up easy attacks into your SQL box.

Of course, this is a whole new discussion if:
- you're a small shop and/or might consider internal users as untrusted,
but can't afford so many separate networks
- you consider SQL owned if your front end web server is owned, which is a
certain non-layered way to look at it

On Tue, May 17, 2011 at 3:08 PM, Juan Cortes <juanccortester () gmail com> wrote:

Hope all is well,

Can anyone point to or recommend some resources for best practices for SQL
DBs in the DMZ?

Thanks

--
Juan C.

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com







-- 
Juan C. Cortes
773-531-0637
Chicago, Il 60632
