Firewall Wizards mailing list archives

Previous By Date Next
Previous By Thread Next

Re: DMZ design - Exchange, SQL, & DCOM

From: Mikael Olsson <mikael.olsson () enternet se>
Date: Sat, 05 Feb 2000 19:47:06 +0100


Michael Borkin wrote:


Should all traffic be passed back to the firewall which will have 3-nic
cards (1- Internet, 2- DMZ, 3- Internal network), or should the router
itself have two ethernet ports (1- Firewall, 2- DMZ) and the firewall
only have two nic cards (1- Internet, 2- Internal Network) as well?  


Use a 3-NIC firewall setup. Logging is better, and the firewall
is capable of blocking and logging outgoing stuff from the DMZ
that shouldn't be going out. Unknown outgoing traffic from the DMZ
is a sure sign that it's been hacked.


E-mail is currently handled by an Exchange Server
[Use mail forwarder in DMZ or place Exchange Server in DMZ?]


To have the Exchange server in the DMZ, you would have to punch 
so many holes through the firewall that it'd look like a swiss
cheese. Also, you'd completely expose the Exchange server to the 
wrath of the presumably hacked web server.

I'd recommend placing a mail forwarder with content screening
capabilities in a SEPARATE DMZ, and the Exchange server on
the internal network.


Next, is that the web server uses dynamic html for much of the website
content.  This leverages both a SQL server and DCOM programming built
through Visual InterDev to deliver the content to the web server.  This
is where it really goes over my head at the moment, if it was just SQL
server then I know to place it on the inside and let the calls from the
web server come back through the firewall.  


Here's where you're wrong. If someone can hack the web server, they can
hack the SQL server, and in turn access everything on the internal
network.
You don't want a web server accessing your SQL server on the internal net.


I honestly don't understand enough to know where the DCOM part of the
process sits 


Me neither, you'd have to explain this more in-depth. 


(although I am guessing it is on the web rather than the database server)


Me too. I'll assume plain port 1433 communications from the web server
to the SQL server.


[Open up lots of ports or place SQL server in DMZ]
(neither of which sounds like a good idea to me).  


Two choices:

- Place a second SQL server in DMZ and have internal server mirror
  data to it once in a while. This will NOT work if the web server
  needs to update things on the SQL server and have it reflected
  in the internal SQL server.

- Place the SQL server in a SEPARATE DMZ. Only use this server 
  for things that the web server needs to access. If there are 
  more tables used internally, place them on a separate internal
  server.


If you implement all the funky things I've suggested above,
worst case, you'd need a firewall with 5 NICs:
1 - External
2 - Internal
3 - DMZ with web server
4 - DMZ with mail forwarder
5 - DMZ with SQL server (this may not be needed, as noted above)

Hope this helps
/Mike


-- 
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46-(0)660-105 50           Fax: +46-(0)660-122 50
Mobile: +46-(0)70-248 00 33
WWW: http://www.enternet.se        E-mail: mikael.olsson () enternet se
Previous By Date Next
Previous By Thread Next

Current thread: