Great Circle Associates Firewalls
(April 1997)

Subject: Re: Firewall Architecture for Web, Database
From: Greg Taylor <gtaylor @ ntyne . demon . co . uk>
Date: Wed, 2 Apr 1997 14:39:14 GMT
To: Firewalls @ greatcircle . com
Reply-to: gtaylor @ ntyne . demon . co . uk

My fourpenn'orth (and my first mailing - no flames please!! :-)  )

John Kerr wrote:
> 
> A customer of ours has asked about setting up a security architecture
> with the Firewall being the main focus.  They would like to allow access
> into their Database inside of  the Firewall opposed to having a Database
> Server that would sit outside the Firewall.  They seem to be okay with
> having a Web server sitting outside the Firewall, so I don't see that as
> a problem.  The problem that they are trying to avoid is having to copy
> or replicate the data to the Database Server (too time consuming). What
> are the dangers with adding a third interface to the Firewall and
> putting the Database on a separate DMZ.  It would look like this:
> 
>                         Internet
>                             |
>                             |           ----------      ---------
>                             |           -Database-      - Web   -
>                             |           ----------      ---------
>                         ---------            |               |
>                         -  FW   ------------------------------
>                         ---------
>                             |
>                             |
>                             |
>                         Internal
>                         Network
> 

I have been working on a similar problem: trying to form an outer "enemy" zone and a 
secure inner zone, but also to add sufficient security to the devices in the DMZ (WWW 
server, DNS) to avoid denial of service attacks etc.

Initial idea was a multiple NIC firewall but this adds considerably to the 
complexity.

Plan 2 is to have two firewalls as follows:


Internet --->  Firewall A ---> DMZ ------> Firewall B --> Internal Network
                                |
                                |
                            SHIVA MODEMS
                                |
                            Defender
                                |
                                |
                            Own remote users

Firewall A permits only WWW (Port 80) and SMTP (Port 24).  Firewall B permits 
WWW (for our Intranet), SMTP, FTP and Telnet (we are shifting all our own 
contractors' remote access through the same firewall).

There are also screening routers in front of Firewall A and between the DMZ and 
the SHIVA Modems.  We are still messing with the actual firewall software 
choice.  Likelihood is a pair of Gauntlets but also being considered is 
Gauntlet/TIS Toolkit on B and Firewall-1 on A.  Much of this decision is based 
on existing knowledge.  We are using Unix because we have lots of experience and 
other Unix systems.  I will say though that we have also considered using NT on 
Firewall A simply to provide a greater variety of targets to be attacked but 
this is on hold pending getting further experience and training.

Hope this helps.

Greg.

--

Project management is easy, deliver it late, spend lots of money, make sure it 
doesn't work.  At least I think that's the normal way!!!

Greg Taylor MBCS, FIAP                             gtaylor @ ntyne . demon . co . uk
Open Systems Programme Leader
North Tyneside Council
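One way to check a two-firewall policy like the one Greg describes, given here as an added example (it is not code from the post, nor from Gauntlet, the TIS Toolkit or Firewall-1): a small stateless, first-match, default-deny filter model in Python. The zone names, the direction assigned to each rule, and the port numbers are assumptions made for the example; SMTP is modelled on TCP 25, its IANA-assigned port. Walking a packet through each firewall on its path, in path order, shows what the Internet can reach (only the DMZ, on 80 and 25) and, just as usefully, what a host in the DMZ could reach once compromised (under the assumed rules, Telnet and FTP into the internal network, because the dial-up contractors' access arrives from the DMZ side of Firewall B).

```python
"""Packet-filter model of the Internet -> FW A -> DMZ -> FW B -> Internal design.

Added illustration; zone names, rule directions and ports are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

INTERNET, DMZ, INTERNAL = "internet", "dmz", "internal"
TOPOLOGY = [INTERNET, DMZ, INTERNAL]  # zones left to right; a firewall sits between each pair


@dataclass(frozen=True)
class Packet:
    src: str      # zone the connection originates in
    dst: str      # zone it is addressed to
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    src: str              # zone name, or "*" for any
    dst: str
    proto: str
    dport: Optional[int]  # None matches any port
    action: str           # "permit" or "deny"

    def matches(self, p: Packet) -> bool:
        return (self.src in ("*", p.src) and self.dst in ("*", p.dst)
                and self.proto == p.proto
                and (self.dport is None or self.dport == p.dport))


class Firewall:
    """First-match filter; anything not explicitly permitted is dropped."""

    def __init__(self, name: str, left: str, rules: List[Rule]):
        self.name, self.left, self.rules = name, left, rules  # sits between left and its right neighbour

    def sits_between(self, a: str, b: str) -> bool:
        """True if a connection from zone a to zone b must traverse this firewall."""
        lo, hi = sorted((TOPOLOGY.index(a), TOPOLOGY.index(b)))
        return lo <= TOPOLOGY.index(self.left) < hi

    def decide(self, p: Packet) -> str:
        for r in self.rules:
            if r.matches(p):
                return r.action
        return "deny"  # default deny


# Firewall A: "only WWW and SMTP" (assumed: to and from DMZ hosts only)
FW_A = Firewall("A", INTERNET, [
    Rule(INTERNET, DMZ, "tcp", 80, "permit"),  # public web server
    Rule(INTERNET, DMZ, "tcp", 25, "permit"),  # inbound mail to the relay
    Rule(DMZ, INTERNET, "tcp", 80, "permit"),  # web proxy fetching for internal users
    Rule(DMZ, INTERNET, "tcp", 25, "permit"),  # relay delivering outbound mail
])

# Firewall B: WWW for the intranet, SMTP, FTP and Telnet (assumed: FTP and
# Telnet arrive from the dial-up contractors, who sit on the DMZ side)
FW_B = Firewall("B", DMZ, [
    Rule(INTERNAL, DMZ, "tcp", 80, "permit"),  # internal browsers to the proxy
    Rule(INTERNAL, DMZ, "tcp", 25, "permit"),  # outgoing mail to the relay
    Rule(DMZ, INTERNAL, "tcp", 25, "permit"),  # relay delivering inbound mail
    Rule(DMZ, INTERNAL, "tcp", 21, "permit"),  # contractor FTP
    Rule(DMZ, INTERNAL, "tcp", 23, "permit"),  # contractor Telnet
])

FIREWALLS = [FW_A, FW_B]  # left to right, matching TOPOLOGY


def trace(p: Packet) -> Tuple[str, List[Tuple[str, str]]]:
    """Walk the packet through every firewall on its path, in the order met.

    Returns ("permit"|"deny", [(firewall name, decision), ...]); the first
    denying firewall ends the walk, since a dropped packet goes no further.
    """
    path = [fw for fw in FIREWALLS if fw.sits_between(p.src, p.dst)]
    if TOPOLOGY.index(p.src) > TOPOLOGY.index(p.dst):
        path.reverse()  # travelling leftwards, the inner firewall is met first
    hops = []
    for fw in path:
        d = fw.decide(p)
        hops.append((fw.name, d))
        if d == "deny":
            return "deny", hops
    return "permit", hops


def exposure(src_zone: str, ports=(21, 23, 25, 80)) -> List[Tuple[str, int]]:
    """(zone, port) pairs a host in src_zone can open: what a compromise there buys."""
    return [(dst, port) for dst in TOPOLOGY if dst != src_zone
            for port in ports
            if trace(Packet(src_zone, dst, "tcp", port))[0] == "permit"]


if __name__ == "__main__":
    for pkt in (Packet(INTERNET, DMZ, "tcp", 80), Packet(INTERNET, INTERNAL, "tcp", 23),
                Packet(DMZ, INTERNAL, "tcp", 23)):
        print(pkt, "->", trace(pkt))
    print("reachable from a compromised DMZ host:", exposure(DMZ))
```

The `exposure()` call is the check worth keeping around: rerun it whenever a rule is added to Firewall B, since every service it opens from the DMZ inward is also open to whoever owns the DMZ web or DNS box.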

