Re: DMZ and critical data

["Ken Adler - QDSP, CISSP, PMP, CISA" <ken.adler () gmail com>]

 Note that if this is an application dealing with credit card account
numbers the DB must not be in the DMZ but rather separated from the
web server with a fw in between.  This is a requirement for the
Payment Card Industry Data Security Standard (see www.pcifile.com  or
visa.com/cisp )


Ken
> On 9 Jul 2006 07:52:39 -0000, sarbanha () tkckish co ir  <sarbanha () tkckish co ir> wrote:
> >  Hi Pedro,
> >
> >    I believe VPN is more suitable solution for this problem, since the VPN seems to be a non feasible solution to 
> your problem, you should concentrate on security holes of your web server. To be honest this is very difficult to achieve, 
> the web application should be very strong and you should be aware of remote code execution vulnerabilities on your web 
> server.
> >
> >
> > From my point of view, the problem is not accessing the Database itself, the problem is that your web server has 
> remarkable access to your Database.
> >
> >
> > Let's suppose your web server is highly secured, What I have done in my company is to set up my database on the DMZ 
> network with no default gateway, but of course I did a very strict configuration on my firewall for the database.
> >
> >
> > Another solution can be NAT, you can put your Database server on Intranet and do some NATting configuration along 
> with port address translation to allow your web server gain access to the Database server.
> >
> >
> > I believe NAT solution is more secured than the former method...
> >
> >
> > I'm sure other guys with more experiences might have better solutions, so I'd follow this thread to learn more :-)
> >
> >
> > Very Kind Regards,
> >
> > Mohammad-Ali
> >
> > -------------------------------------------------------------------------
> > Sponsored by: Watchfire
> >
> > Securing a web application goes far beyond testing the application using
> > manual processes, or by using automated systems and tools. Watchfire's
> > "Web Application Security: Automated Scanning or Manual Penetration
> > Testing?" whitepaper examines a few vulnerability detection methods -
> > specifically comparing and contrasting manual penetration testing with
> > automated scanning tools. Download it today!
> >
> > https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008Vmm
> > --------------------------------------------------------------------------
> >
> >
>
>
>
>
> --
> Ken Adler - Visa QDSP, CISSP, PMP, CISA, ITSM
> 510-290-5806 (cell)
> Ken () adler net
>
> Check out  pciFile.com  and pciFile.ORG  !



--
Ken Adler - Visa QDSP, CISSP, PMP, CISA, ITSM
510-290-5806 (cell)
Ken () adler net

Check out  pciFile.com  and pciFile.ORG !

-------------------------------------------------------------------------
Sponsored by: Watchfire

Securing a web application goes far beyond testing the application using 
manual processes, or by using automated systems and tools. Watchfire's 
"Web Application Security: Automated Scanning or Manual Penetration 
Testing?" whitepaper examines a few vulnerability detection methods - 
specifically comparing and contrasting manual penetration testing with 
automated scanning tools. Download it today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008Vmm
--------------------------------------------------------------------------