PaulDotCom mailing list archives

Re: MS-SQL in the DMZ


From: "Hembrow, Chris" <chris.hembrow () interserve com>
Date: Thu, 19 May 2011 14:22:48 +0100

My preferred setup tends to be 3 tiered:

DMZ - Reverse Proxy (e.g. Microsoft TMG, Apache, F5), permits HTTP/S connections only to:
App LAN - Application/Web servers, which can only make DB connections to:
DB LAN - Database server

With firewalls between all networks. I don't trust apps to have unrestricted access to databases, whether they are in 
the DMZ or not.

Quite often there will also be a management LAN, with an authentication server (i.e. AD) which needs connections into 
all the other networks.

Chris
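One way to make the three-tier design above (and Michael's "only via something like a SQL port" point further down the thread) concrete is to write the firewall policy as a default-deny zone matrix and check observed flows against it. This is an added example, not code from the list or from any poster; the subnets, the SQL listener port 1433, the Kerberos/LDAP ports used for the management LAN, and the iptables-style log format are all assumptions made for the demonstration:

```python
"""Zone-to-zone flow check for a three-tier DMZ design.

Added example, not code from the mailing list. The subnets, the SQL port
(1433), the management-LAN ports and the log line format are assumptions.
"""
import ipaddress
import re

# Constructed address plan (assumption): one subnet per tier plus a management LAN.
ZONES = {
    "DMZ":  ipaddress.ip_network("192.0.2.0/24"),   # reverse proxy
    "APP":  ipaddress.ip_network("10.10.0.0/24"),   # application / web servers
    "DB":   ipaddress.ip_network("10.20.0.0/24"),   # database server
    "MGMT": ipaddress.ip_network("10.99.0.0/24"),   # management LAN, AD lives here
}

SQL_PORT = 1433  # assumed MS-SQL listener port

# Default-deny matrix: (src_zone, dst_zone) -> TCP destination ports the firewall
# between those zones permits. Any pair/port not listed here is a violation.
ALLOWED = {
    ("INTERNET", "DMZ"): {80, 443},   # only the reverse proxy faces the Internet
    ("DMZ", "APP"):      {80, 443},   # proxy may only forward HTTP/S to the app tier
    ("APP", "DB"):       {SQL_PORT},  # app tier reaches the DB on the SQL port alone
    # The management LAN (authentication server) needs to reach every other
    # network; Kerberos and LDAP(S) ports are assumed here.
    ("MGMT", "DMZ"):     {88, 389, 636},
    ("MGMT", "APP"):     {88, 389, 636},
    ("MGMT", "DB"):      {88, 389, 636},
}
# Note what is absent: nothing from DB to anywhere, nothing from DMZ straight to
# DB, and nothing outbound to the Internet from any internal tier.


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the known subnets is INTERNET."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "INTERNET"


def is_allowed(src_ip: str, dst_ip: str, dport: int) -> bool:
    """True only if the zone pair explicitly permits this destination port."""
    return dport in ALLOWED.get((zone_of(src_ip), zone_of(dst_ip)), set())


# iptables-style log fields (format assumed for the example).
_LOG_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?DPT=(?P<dport>\d+)")


def audit(log_lines):
    """Return (src_zone, dst_zone, dport, src_ip, dst_ip) for each forbidden flow.

    Lines that do not parse are skipped; a real deployment should count them too.
    """
    violations = []
    for line in log_lines:
        m = _LOG_RE.search(line)
        if not m:
            continue
        src, dst, dport = m["src"], m["dst"], int(m["dport"])
        if not is_allowed(src, dst, dport):
            violations.append((zone_of(src), zone_of(dst), dport, src, dst))
    return violations


# Constructed sample log: four legitimate flows followed by four policy violations.
SAMPLE_LOG = [
    "SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=443",  # Internet -> reverse proxy: ok
    "SRC=192.0.2.10 DST=10.10.0.5 PROTO=TCP DPT=443",     # proxy -> app tier: ok
    "SRC=10.10.0.5 DST=10.20.0.8 PROTO=TCP DPT=1433",     # app -> DB on the SQL port: ok
    "SRC=10.99.0.2 DST=10.20.0.8 PROTO=TCP DPT=389",      # AD -> DB (LDAP): ok
    "SRC=192.0.2.10 DST=10.20.0.8 PROTO=TCP DPT=1433",    # proxy straight to DB: violation
    "SRC=10.10.0.5 DST=10.20.0.8 PROTO=TCP DPT=3389",     # app -> DB on a non-SQL port: violation
    "SRC=10.20.0.8 DST=10.10.0.5 PROTO=TCP DPT=445",      # DB initiating a connection: violation
    "SRC=10.20.0.8 DST=198.51.100.7 PROTO=TCP DPT=443",   # DB -> Internet: violation
]

if __name__ == "__main__":
    for v in audit(SAMPLE_LOG):
        print("VIOLATION %s -> %s port %d (%s -> %s)" % v)
```

The point of the matrix is that the database tier appears only as a destination, and only from the app tier on the SQL port and from the management LAN; running the same check over real firewall accept logs is a cheap way to find out whether the deployed rules actually match the intended design.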

From: pauldotcom-bounces () pdc-mail pauldotcom com On Behalf Of Dan McGinn-Combs
Sent: 18 May 2011 15:36
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] MS-SQL in the DMZ

I think the issue is putting your DATA in the DMZ. Basically, from my experience, you put stuff you can afford to lose 
because Internet resources hit on DMZ hosts all the time. If your web server gets compromised, you can format/reinstall 
it from scratch. No big deal. If your database server gets compromised, you potentially lose your data. That could be a 
big deal.


On Wed, May 18, 2011 at 9:15 AM, Juan Cortes <juanccortester () gmail com> wrote:

Thanks Michael.

So let me get this straight: there shouldn't be any comms from my SQL server in the DMZ to my internal network, 
correct? Which I agree with.
But comms to the SQL server in the DMZ from my internal network are OK? I am pushing to change the default port just for 
some comfort.

thanks in advance
On Tue, May 17, 2011 at 3:34 PM, Michael Dickey <lonervamp () gmail com> wrote:

One point of having a DMZ network is to isolate systems that accept untrusted connections from those that do not. A 
front-end web server accepts untrusted connections, but the SQL DB server does not; at least not directly. So if you 
have some other way to isolate the communication between those boxes so that one only talks to the other via something 
like a SQL port, then I guess feel free.

Otherwise, the easiest best practice is to just say SQL DBs in the DMZ is a bad idea. If your web server gets popped, 
maybe even marginally, it could open up easy attacks into your SQL box.

Of course, this is a whole new discussion if:
- you're a small shop and/or might consider internal users as untrusted, but can't afford so many separate networks
- you consider SQL owned if your front end web server is owned, which is a certain non-layered way to look at it

On Tue, May 17, 2011 at 3:08 PM, Juan Cortes <juanccortester () gmail com> wrote:
Hope all is well,

Can anyone point me to or recommend some resources for best practices for SQL DBs in the DMZ?

thanks

--
Juan C.
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com





--
Juan C. Cortes
773-531-0637
Chicago, Il 60632




--
Dan McGinn-Combs
dgcombs () gmail com
Google Voice: +1 404 492 7532
Peachtree City, Georgia USA


