Re: DMZ design
comp.security.firewalls archive

From: DigitalVinyl <DigitalVinyl@internet.com>
Date: Tue Nov 29 2005 - 19:49:22 CET

Ansgar -59cobalt- Wiechers <usenet-2005@planetcobalt.net> wrote:

>sc_wizard29@hotmail.com wrote:
>> I would like to install a web-server on a DMZ. This web-server will
>> access a database hosted on the private network. In a book called "The
>> Practice of Network Security", the 2 following DMZ design are
>> suggested :
>>
>> Design #1 (private network and DMZ connected to same FW) :
>>
>> internet -> FW -> private network
>>                |
>>                +--> DMZ
>>
>> Design #2 (2 FW) :
>>
>> internet -> FW -> DMZ -> FW -> private network.
>>
>> The author says that "The most notable problem with design #1 is that
>> there is no way to securely update information on the servers. There
>> are also no facilities in place to secure the database transactions
>> between the web server and the database server, or any of the backend
>> servers".
>
>The mere network topology doesn't support this opinion in any possible
>way.
>
>> I'm afraid I don't understand what the author means... if I use design
>> #1 and if the FW is correctly configured, what can prevent me from
>> securing the database transactions ?
>
>You don't want *any* host in the DMZ to be able to establish connections
>into your private network, since that would break the DMZ. Put the
>backend servers into the DMZ (or a separate second DMZ). Replicate
>(push!) the relevant data from your backend servers to servers in the
>DMZ. But *never* *ever* allow connections from the DMZ to the internal
>network.

In reality this is next to impossible in any real-world scenario.
What this would mean is near 100% of your servers would be DMZ'd. If
you put SMTP servers in the DMZ they MUST reach in and deliver mail to
Exchange/Notes. DMZ these and you open more problems than you solve
because RPC uses tens of thousands of high ports as service ports.

>cu
>59cobalt
Received on Sat Dec 3 04:18:46 2005
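The rule set the two posters are arguing about can be written down and checked rather than argued over. The following is an added example, not code from the thread or from the book it cites: it models the single-firewall topology of Design #1 as three zones, encodes the advice quoted above (internet reaches only the web server; the private network pushes replicas and content into the DMZ; nothing in the DMZ initiates into the private network), evaluates candidate connections against it first-match, and renders the same rules as an nftables forward chain. The addresses (192.0.2.0/24 for the DMZ, 10.0.0.0/8 internal, 192.0.2.25 as the mail relay), interface names and port numbers are assumptions chosen for the example. It also shows where DigitalVinyl's SMTP-relay case would have to go if you decide to allow it: one host, one port, inserted before the blanket drop, rather than opening the RPC port range.

```python
"""Zone policy for the single-firewall DMZ (Design #1): evaluate and render.

Added example; addresses, interfaces and ports below are constructed assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed addressing. Most specific zones first; anything else is "internet".
ZONES = {
    "dmz":      ip_network("192.0.2.0/24"),
    "internal": ip_network("10.0.0.0/8"),
}
# Assumed firewall interface per zone (used only when rendering nft syntax).
ZONE_IFACE = {"internet": "wan0", "dmz": "dmz0", "internal": "lan0"}


def zone_of(addr):
    a = ip_address(addr)
    for name, net in ZONES.items():
        if a in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src: str                 # source zone
    dst: str                 # destination zone
    proto: str = "any"       # "tcp", "udp" or "any"
    dports: tuple = ()       # empty = any destination port
    src_hosts: tuple = ()    # empty = whole zone; else only these networks
    action: str = "drop"
    comment: str = ""

    def matches(self, src_ip, dst_ip, proto, dport):
        """True if a new connection src_ip -> dst_ip:dport/proto hits this rule."""
        if (zone_of(src_ip), zone_of(dst_ip)) != (self.src, self.dst):
            return False
        if self.proto != "any" and self.proto != proto:
            return False
        if self.dports and dport not in self.dports:
            return False
        if self.src_hosts and not any(ip_address(src_ip) in n for n in self.src_hosts):
            return False
        return True

    def to_nft(self):
        """Render as one nftables forward-chain rule."""
        parts = [f'iifname "{ZONE_IFACE[self.src]}"', f'oifname "{ZONE_IFACE[self.dst]}"']
        if self.src_hosts:
            hosts = [str(n.network_address) if n.prefixlen == n.max_prefixlen else str(n)
                     for n in self.src_hosts]
            parts.append("ip saddr " + (hosts[0] if len(hosts) == 1 else "{ " + ", ".join(hosts) + " }"))
        if self.dports:
            parts.append(f"{self.proto} dport {{ {', '.join(map(str, self.dports))} }}")
        elif self.proto != "any":
            parts.append(f"meta l4proto {self.proto}")
        parts.append(self.action)
        if self.comment:
            parts.append(f'comment "{self.comment}"')
        return " ".join(parts)


# The strict policy from the quoted advice: push into the DMZ, never pull out of it.
STRICT_POLICY = [
    Rule("internet", "dmz", "tcp", (80, 443), action="accept", comment="public web server"),
    Rule("internal", "dmz", "tcp", (5432,), action="accept", comment="backend pushes replica into DMZ DB copy"),
    Rule("internal", "dmz", "tcp", (22,), action="accept", comment="admins push content updates to DMZ hosts"),
    Rule("dmz", "internal", action="drop", comment="DMZ never initiates into the private network"),
    Rule("internal", "internet", action="accept", comment="outbound from the private network"),
]

# The mail-relay case: if you accept it at all, it is one host and one port (assumed relay address).
RELAY_EXCEPTION = Rule("dmz", "internal", "tcp", (25,), src_hosts=(ip_network("192.0.2.25/32"),),
                       action="accept", comment="only the DMZ SMTP relay, only port 25")


def policy_with_relay_exception():
    """STRICT_POLICY with the relay exception placed just before the blanket DMZ->internal drop."""
    i = next(k for k, r in enumerate(STRICT_POLICY) if (r.src, r.dst, r.action) == ("dmz", "internal", "drop"))
    return STRICT_POLICY[:i] + [RELAY_EXCEPTION] + STRICT_POLICY[i:]


def verdict(policy, src_ip, dst_ip, proto="tcp", dport=0):
    """First-match evaluation of a new connection; unmatched traffic falls to the chain policy (drop)."""
    for rule in policy:
        if rule.matches(src_ip, dst_ip, proto, dport):
            return rule.action
    return "drop"


def render_nft(policy, table="dmz_policy"):
    """Emit the policy as an nftables inet table; reply packets are handled by conntrack state."""
    lines = [f"table inet {table} {{", "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept",
             "    ct state invalid drop"]
    lines += ["    " + r.to_nft() for r in policy]
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_nft(STRICT_POLICY))
    for flow in [("203.0.113.7", "192.0.2.10", "tcp", 443),   # client -> web server
                 ("192.0.2.10", "10.0.0.5", "tcp", 5432),     # web server pulling from internal DB
                 ("10.0.0.5", "192.0.2.10", "tcp", 5432),     # internal DB pushing to DMZ copy
                 ("192.0.2.25", "10.0.0.9", "tcp", 25)]:      # DMZ relay -> internal mail server
        print(flow, "strict:", verdict(STRICT_POLICY, *flow),
              "with relay exception:", verdict(policy_with_relay_exception(), *flow))
```

The evaluator and the renderer share one rule list, so what you reason about is what gets loaded. Under the strict policy the web server's attempt to open 5432 into the private network is dropped while the reverse push is accepted, which is the whole point of the quoted advice; the relay variant admits exactly one DMZ host to one internal port, and a second DMZ host, or the relay on port 135, still falls through to the drop.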