securing a database from DMZ traffic - Firewalls



Thread: securing a database from DMZ traffic

  1. securing a database from DMZ traffic

    We are in the process of creating a DMZ for our web servers. Currently
    our web servers sit on our internal network. Moving the web servers
    to a DMZ is the easy part, but what I am not sure about is how to
    secure our database. I do not want to sit the database on the DMZ,
    but I also do not want to allow my DMZ to access the internal network
    to hit the database. Does anyone have a suggestion that I can look
    into?
    We have a Cisco ASA5510 firewall and multiple Cisco 3560G switches.
    Any suggestions would be appreciated.

    Thanks
    CR


  2. Re: securing a database from DMZ traffic

    In article <1184938705.421349.96740@n60g2000hse.googlegroups.com>,
    crussell18@gmail.com says...
    > We are in the process of creating a DMZ for our web servers. Currently
    > our web servers sit on our internal network. Moving the web servers
    > to a DMZ is the easy part, but what I am not sure about is how to
    > secure our database. I do not want to sit the database on the DMZ,
    > but I also do not want to allow my DMZ to access the internal network
    > to hit the database. Does anyone have a suggestion that I can look
    > into?
    > We have a Cisco ASA5510 firewall and multiple Cisco 3560G switches.
    > Any suggestions would be appreciated.


    A typical database/web layout has the database servers on the LAN with
    the web servers in the DMZ. You open the port(s) needed for database
    communications between the web servers and the database servers through
    the firewall DMZ>LAN, and only for those IPs/ports. You do not use Windows
    Authentication in your database/web application; you would use SQL
    Authentication.

    If your network is based on Microsoft platforms, you want to make sure
    that your web servers are NOT part of your Active Directory structure
    and that you only open the database communication ports from the web
    servers to the database servers.

    --

    Leythos
    - Igitur qui desiderat pacem, praeparet bellum.
    - Calling an illegal alien an "undocumented worker" is like calling a
    drug dealer an "unlicensed pharmacist"
    spam999free@rrohio.com (remove 999 for proper email address)

  3. Re: securing a database from DMZ traffic

    crussell18@gmail.com wrote:
    > We are in the process of creating a DMZ for our web servers. Currently
    > our web servers sit on our internal network. Moving the web servers
    > to a DMZ is the easy part, but what I am not sure about is how to
    > secure our database. I do not want to sit the database on the DMZ,
    > but I also do not want to allow my DMZ to access the internal network
    > to hit the database. Does anyone have a suggestion that I can look
    > into?
    > We have a Cisco ASA5510 firewall and multiple Cisco 3560G switches.
    > Any suggestions would be appreciated.
    >
    > Thanks
    > CR
    >

    Hi,
    Access from the DMZ to the internal LAN should never be directly allowed.
    I recommend creating 4 security levels on the ASA:
    0 = outside
    30 = DMZ
    60 = Database
    100 = inside

    30 and 60 should be on different physical interfaces of the ASA, but if
    you have only 3 interfaces you can also use VLANs for DMZ and Database,
    or upgrade your ASA. Then create the corresponding rules.

    bye

    Christoph
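The two replies above (Leythos: open only the database port from the web servers to the database host, and keep the web servers out of the domain so that SQL authentication is all they need; Christoph: four security levels, with the database in its own zone) can be combined into one ASA configuration. The following is an added example written for this thread, not configuration posted by either reply or by Cisco. It assumes ASA 8.3 or later object syntax, a three-port ASA 5510 with the DMZ and database zones carved out of one port with 802.1Q subinterfaces, SQL Server on TCP/1433, and illustrative addresses (203.0.113.0/29, 10.0.0.0/24, 192.168.30.0/24, 192.168.60.0/24); adjust all of those to your own environment.

```cisco
! Zones by security level: outside 0, dmz 30, database 60, inside 100.
! Ethernet0/2 carries two VLANs because the example ASA has only three
! usable ports; with a fourth port, put the database zone on its own.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2.30
 vlan 30
 nameif dmz
 security-level 30
 ip address 192.168.30.1 255.255.255.0
!
interface Ethernet0/2.60
 vlan 60
 nameif database
 security-level 60
 ip address 192.168.60.1 255.255.255.0
!
! Named objects (assumed addresses) so the ACLs stay readable.
object network web01
 host 192.168.30.10
object network web02
 host 192.168.30.11
object-group network web-servers
 network-object object web01
 network-object object web02
object network db01
 host 192.168.60.10
object-group network protected-nets
 network-object 10.0.0.0 255.255.255.0
 network-object 192.168.60.0 255.255.255.0
!
! Inbound policy on the DMZ. Once an ACL is applied to an interface the
! security-level defaults no longer apply to it, so every permitted flow
! is explicit. The only path from the DMZ to a higher-security zone is
! web server -> db01 on TCP/1433; any other attempt at the LAN or the
! database zone is dropped and logged. Web servers may still reach the
! Internet (security level 0), e.g. for patching.
access-list dmz_in extended permit tcp object-group web-servers object db01 eq 1433
access-list dmz_in extended deny ip any object-group protected-nets log
access-list dmz_in extended permit ip any any
access-group dmz_in in interface dmz
!
! Inbound policy on the database zone. The SQL Server initiates nothing
! toward the DMZ or the Internet; replies to the web servers' sessions
! are matched by the state table and need no rule here. If db01 is
! domain-joined, add explicit permits from db01 to your domain
! controllers on the inside above this deny, rather than opening the
! zone. Administration of db01 comes from inside (100 -> 60 is allowed
! by security level), never from the DMZ.
access-list database_in extended deny ip any any log
access-group database_in in interface database
```

With this ruleset, Windows Authentication from the web servers is impossible by construction: the web servers are not domain members and have no path to a domain controller, so the application must use a SQL login, which in turn should be a dedicated low-privilege account scoped to the one database it serves. Check the policy from the firewall itself with `show access-list dmz_in` (hit counts) and `packet-tracer input dmz tcp 192.168.30.10 12345 10.0.0.50 445`, which should end in a drop on the `dmz_in` deny line.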
