John Kerr wrote:
>
> A customer of ours has asked about setting up a security architecture
> with the Firewall being the main focus. They would like to allow access
> into their Database inside of the Firewall opposed to having a Database
> Server that would sit outside the Firewall. They seem to be okay with
> having a Web server sitting outside the Firewall, so I don't see that as
> a problem. The problem that they are trying to avoid is having to copy
> or replicate the data to the Database Server (too time consuming). What
> are the dangers with adding a third interface to the Firewall and
> putting the Database on a separate DMZ. It would look like this:
>
>                Internet
>                    |
>                    |        ----------   ---------
>                    |        -Database-   -  Web  -
>                    |        ----------   ---------
>               ---------          |           |
>               -  FW  -----------------------------
>               ---------
>                    |
>                    |
>                    |
>                Internal
>                Network
>
> Rules would be put on the firewall to only allow external access from
> the internet to the DMZ. We would not allow any access from the DMZ
> into the internal Network.
> Any suggestions would be appreciated.
> Thanks
> John
Hi,
I'm faced with similar requirements, and I'm evaluating alternatives. My
analysis, so far, of this situation:
1. The database server and the Web server are open to attack, wherever
you place them, because you want to allow external users to access them.
2. The rationale for placing these servers in the DMZ is that even if
they are compromised, the rest of your network is still protected by the
firewall; the damage is contained to these servers.
3. You can use the firewall to protect your Web & Database servers by
configuring it to reject all traffic between the Internet and the DMZ,
except HTTP browser traffic with the Web Server. The Database Server
should be accessible from the Web Server and from the Internal network.
Perhaps you could increase protection to the database server by placing
it on a fourth network segment connected to the firewall.
                      Internet
                          |
 ----------               |               ---------
 -Database-               |               -  Web  -
 ----------               |               ---------
      |               ---------               |
 ----------------------  FW  ----------------------
                      ---------
                          |
                          |
                          |
                      Internal
                      Network
4. You still have to protect your Web server - e.g., against malicious
CGI scripts. I think TIS (http://www.tis.com) have a product for Web
server protection.
5. You still have to protect your database server - e.g., you need to
ensure that users, especially from the Web server, who access the
database server cannot access data they are not authorized to access.
I would be interested in further views/analysis/security holes/solutions
on this topic.
Regards
--
Prabhakar D. Mallya
Infosys Technologies, Bangalore, India
http://www.inf.com/
e-mail: pdmallya@inf.com
phone: 91-80-8520261 xtn 1156
fax: 91-80-8520348
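The filtering policy described in the reply (item 3, with the database on its own fourth segment), written out as an added nftables ruleset that is not part of either post. Interface names, the RFC 5737 addresses and the database listener port are assumptions for the example; the three-interface layout from the original question is the same ruleset with eth1 and eth2 collapsed into one DMZ segment.

```nftables
#!/usr/sbin/nft -f
# Assumed interface mapping (constructed for this example):
#   eth0 = Internet, eth1 = DMZ (Web server), eth2 = database segment, eth3 = Internal.
# Addresses use documentation ranges; the database port is a placeholder.
define web_srv = 192.0.2.10
define db_srv  = 198.51.100.10
define db_port = 1521      # placeholder: set to your database listener port

flush ruleset

table inet dmz_fw {
    chain forward {
        # Default deny: a flow must be explicitly listed below to cross segments.
        type filter hook forward priority 0; policy drop;

        # Replies to already-permitted flows come back; broken state is dropped.
        ct state established,related accept
        ct state invalid drop

        # Internet -> Web server: HTTP only, nothing else from outside reaches the DMZ.
        iifname "eth0" oifname "eth1" ip daddr $web_srv tcp dport 80 accept

        # Web server -> Database: only the DB listener, only from the web host itself.
        iifname "eth1" oifname "eth2" ip saddr $web_srv ip daddr $db_srv tcp dport $db_port accept

        # Internal network -> Database: DB listener only.
        iifname "eth3" oifname "eth2" ip daddr $db_srv tcp dport $db_port accept

        # Not listed, so dropped by policy: Internet -> Database, DMZ -> Internal,
        # and any new connection started from the Web or Database hosts.
        log prefix "dmz-fw drop: " counter drop
    }
}
```

The logged drops are where a compromised Web or Database host would first show up trying to reach the Internal segment, so they are worth forwarding to whatever monitoring you have.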