"Leythos" <void@nowhere.lan> wrote in message
news:dh3jf.126591$Hs.74605@tornado.ohiordc.rr.com...
> In article <3v3o3nF13n3meU1@individual.net>, usenet-2005
> @planetcobalt.net says...
>> However, you still don't want any server in the DMZ to be able to
>> initiate connections to hosts inside the LAN.
>
> Again, it's not going to hold in a web to database design. You should
> never put the database server in the DMZ and you would never put the web
> server in the LAN - so, you punch an IP:PORT hole through the DMZ>LAN for
> 1433 between the exact two IP, and then your web app can access the
> MSSQL Server in the protected LAN. Port 1433 isn't going to allow access
> to Enterprise manager, and as long as your DB Server is patched, then
> allowing 1433 from the DMZ to LAN via IP:PORT>IP:PORT won't compromise
> the network.
>
You can put the DB server and the DB App server in separate DMZs though, and
apply IPS to the in-band traffic to filter out attacks for the few ports and
protocols you have to allow in and out of each zone -- an IPS is going to
update faster than Microsoft patches.
Though this takes a more powerful firewall.
-Russ.
Received on Sat Dec 3 04:18:53 2005
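The two designs argued over above, modelled as an added example (not code posted by anyone in the thread): a default-deny zone-to-zone policy with one exact IP:PORT hole for 1433, as Leythos describes, and the variant with the DB app server in its own DMZ so the web host can no longer reach MSSQL directly, as Russ suggests. The addresses, the zone names, the hypothetical app-tier port 8443 and the rendering to an nftables forward chain are all assumptions for illustration; the IPS layer Russ mentions is not modelled.

```python
"""Default-deny DMZ -> LAN policy with a single IP:PORT hole for MSSQL (1433).

Added example; the hosts, ports and nftables output are assumptions, not
configuration from the original thread.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    """One permitted new-connection flow: src host/net -> dst host/net, proto/port."""
    src: str      # single IP or CIDR
    dst: str
    proto: str    # "tcp" or "udp"
    dport: int
    comment: str = ""

    def matches(self, src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
        return (ip_address(src_ip) in ip_network(self.src, strict=False)
                and ip_address(dst_ip) in ip_network(self.dst, strict=False)
                and proto == self.proto
                and dport == self.dport)


# Constructed addresses (documentation/private ranges) for the example.
WEB_DMZ = "192.0.2.10"   # web server in the DMZ
APP_DMZ = "192.0.2.130"  # DB app server in a second DMZ (Russ's variant, assumed)
DB_LAN = "10.0.0.20"     # MSSQL server in the protected LAN
APP_PORT = 8443          # hypothetical web -> app-tier port, not from the thread

# Leythos' design: DMZ -> LAN is denied by default; one hole between exactly
# two IPs on TCP/1433. Anything else the web host tries toward the LAN drops.
ONE_HOLE_POLICY = [
    Rule(WEB_DMZ, DB_LAN, "tcp", 1433, "web app -> MSSQL, exact hosts only"),
]

# Russ's variant: the web server only talks to the app server in its own DMZ,
# and only the app server may open 1433 into the LAN.
TWO_DMZ_POLICY = [
    Rule(WEB_DMZ, APP_DMZ, "tcp", APP_PORT, "web DMZ -> app DMZ"),
    Rule(APP_DMZ, DB_LAN, "tcp", 1433, "app DMZ -> MSSQL in LAN"),
]


def allowed(policy, src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
    """First-match evaluation of a *new* connection; no match means deny.

    Reply packets for an accepted connection are covered by the
    established,related rule in the rendered ruleset, so the hole is
    one-directional: the LAN never has to accept new connections from the DMZ
    except the listed one.
    """
    return any(r.matches(src_ip, dst_ip, proto, dport) for r in policy)


def to_nftables(policy) -> str:
    """Render the policy as an nftables forward chain with a drop policy."""
    lines = [
        "table inet filter {",
        "\tchain forward {",
        "\t\ttype filter hook forward priority 0; policy drop;",
        "\t\tct state established,related accept",
    ]
    for r in policy:
        lines.append(
            f"\t\tip saddr {r.src} ip daddr {r.dst} {r.proto} dport {r.dport} "
            f"ct state new accept comment \"{r.comment}\""
        )
    lines += ["\t}", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    for label, pol in (("one hole", ONE_HOLE_POLICY), ("two DMZs", TWO_DMZ_POLICY)):
        print(f"[{label}] web -> db 1433:",
              allowed(pol, WEB_DMZ, DB_LAN, "tcp", 1433))
    print(to_nftables(ONE_HOLE_POLICY))
```

The point the evaluator makes concrete: under the one-hole policy a second DMZ host, another LAN host, another port, or UDP on 1433 are all dropped, and under the two-DMZ policy the web server's direct path to 1433 disappears entirely. Load the rendered chain with `nft -f` on a host that actually sits between the zones; the `ct state new` on the accept rule is what keeps the hole to connections initiated from the DMZ side only.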