Firewall Wizards mailing list archives

Re: Re: securing DB access from the DMZ


From: wasabi_pea () hushmail com
Date: Thu, 21 Feb 2002 13:35:04 -0800


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I'm going to try and paraphrase all the responses I've received so far.  Thanks for your advice, it has been very 
helpful.

Everyone agrees the current design is a bad idea.

Carl and Ryan stressed the importance of a well-defined security policy.  Our existing policy is overly broad and 
outdated, and there's no perimeter procedures.  It's one of my goals to get these documents into useful shape.

Carl asked if there were multiple VLANS set up on the Catalyst switch.  There are, but they were put in place as a 
network-segmentation convenience and not as a security measure.  There is a 'server VLAN', but it isn't specific to the 
database server; it's shared between various servers behind the perimeter.  I don't want to rely on VLANs for security, 
though they might help a little.

Holger and Ryan recommend hardening the servers as much as possible.  I agree that the web server is the weak link, but 
unfortunately, I'm stuck with IIS 4.0 on Windows NT, as that's the platform required by the Internet banking software.  
I've hardened the operating system and web server on the Internet banking server following the Microsoft and other 
hardening guides.  The web server is running a host/network hybrid IDS sensor.  The database server likely needs some 
attention, but I'll need to find some help as I'm not much of a DBA.

If I can find somewhere to test them, I may try adding either Microsoft's URLScan or Eeye's similar software to the web 
server.  I've also thought about putting a reverse proxy in front of the web server, but I don't have much experience 
in that area yet.

Holger proposed an interesting design in which the second network interfaces remain, but no longer connect to the core 
switch.  Rather they connect to the proposed second firewall.  Here it is:

         {Internet}
              |
              |
       [Cisco router]
              |
              |           (A)
       [Cisco PIX 520]---DMZ---[IIS 4 Webserver]
              |           |      (Second NIC)
              |           |           |
              |         [Server 2]    |
              |                |      |
    [Cisco Catalyst 6509]      | (B)  |
              |                |      |
              |                |      |
            (LAN)------------[State-Based FW]---[DB Server]
                                     |   |
                                     |   +------[Server 2]
                                     |  (C)
                                     +----------[Server 3]

Depending on security considerations, one
can use one DMZ per Server instead of
just one DMZ (A). The same applies to the
connections that are needed to access
internal servers (B) and the backend servers
itself (C).

I agree with him that the secondary network interface might simplify the firewall rules necessary to get the Internet 
banking traffic to the database server.  But by keeping everything in his design but those connections, the traffic 
would come back through the Internet-facing firewall and through the core switch, where an existing network IDS sensor 
could get a look at the traffic.  Can anyone see any other benefits or drawbacks of his design?

Thanks again for all your help!

a humble (and hopefully increasingly clueful) wasabi_pea







-----BEGIN PGP SIGNATURE-----
Version: Hush 2.1
Note: This signature can be verified at https://www.hushtools.com

wl8EARECAB8FAjx1aBwYHHdhc2FiaV9wZWFAaHVzaG1haWwuY29tAAoJEEmCEPin5IgH
19gAn36pOEymj0GUK1JNyCmc9vzvkZFNAKCzh0nPfoK6Qoep9m5wWWECXH57Yw==
=4aWS
-----END PGP SIGNATURE-----
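The design above hinges on the state-based firewall between the web server's second NIC and the database server allowing exactly one thing: new connections from the web server to the database port, with replies allowed only because a session exists. The following is an added example, not code from the post or from any of the products it names. It models that firewall as a default-deny rule set with session tracking and then checks a handful of constructed flows against it, which is the kind of paper test worth doing before the rule set goes on a real box. All addresses, the database port (1433) and the "lan-to-server2" rule are constructed placeholders.

```python
"""Model of the state-based firewall (B)/(C) from the proposed design.

Added example, not from the original post. Every address, port and rule
name below is a constructed placeholder chosen for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

# Constructed addresses for the hosts in the diagram.
WEB_NIC2 = "10.1.0.10"     # second NIC of the IIS web server
DB_SERVER = "10.2.0.20"    # backend database server
SERVER_2 = "10.2.0.21"     # other internal server reachable via (B)
SERVER_3 = "10.2.0.22"     # other backend server on (C)
LAN = "192.168.0.0/16"     # internal LAN behind the core switch
DB_PORT = 1433             # assumed database listener port


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                # CIDR of permitted sources
    dst: str                # CIDR of permitted destinations
    dport: Optional[int]    # None means any destination port
    action: str             # "allow" or "deny"


# Least-privilege rule set: one narrow allow for the banking traffic,
# one constructed allow for LAN administration of Server 2, then deny all.
RULES: List[Rule] = [
    Rule("web-to-db", f"{WEB_NIC2}/32", f"{DB_SERVER}/32", DB_PORT, "allow"),
    Rule("lan-to-server2", LAN, f"{SERVER_2}/32", 445, "allow"),
    Rule("default-deny", "0.0.0.0/0", "0.0.0.0/0", None, "deny"),
]


def audit_broad_allows(rules: List[Rule]) -> List[str]:
    """Return names of allow rules that are too broad to be least-privilege:
    any-source, any-destination or any-port. Useful when reviewing a policy
    that, like the one described in the thread, is 'overly broad'."""
    anywhere = ip_network("0.0.0.0/0")
    return [
        r.name for r in rules
        if r.action == "allow"
        and (ip_network(r.src) == anywhere
             or ip_network(r.dst) == anywhere
             or r.dport is None)
    ]


class StatefulFirewall:
    """First-match rule evaluation plus a session table so that replies to
    an allowed connection pass without needing a rule of their own."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.sessions: Set[Tuple[str, int, str, int]] = set()

    def _match(self, src: str, dst: str, dport: int) -> Rule:
        for r in self.rules:
            if (ip_address(src) in ip_network(r.src)
                    and ip_address(dst) in ip_network(r.dst)
                    and (r.dport is None or r.dport == dport)):
                return r
        # Unreachable while the list ends in a catch-all deny.
        return Rule("implicit-deny", "0.0.0.0/0", "0.0.0.0/0", None, "deny")

    def packet(self, src: str, sport: int, dst: str, dport: int,
               syn: bool = True) -> str:
        """Decide one packet. Returns 'allow (...)' or 'deny (...)'."""
        # Reverse direction of a tracked session: the reply to an allowed flow.
        if (dst, dport, src, sport) in self.sessions:
            return "allow (established)"
        # A non-SYN packet with no session is not a new connection; drop it
        # rather than let it create state.
        if not syn:
            return "deny (no session)"
        rule = self._match(src, dst, dport)
        if rule.action == "allow":
            self.sessions.add((src, sport, dst, dport))
        return f"{rule.action} ({rule.name})"


if __name__ == "__main__":
    fw = StatefulFirewall(RULES)
    print(fw.packet(WEB_NIC2, 40000, DB_SERVER, DB_PORT))            # web -> DB
    print(fw.packet(DB_SERVER, DB_PORT, WEB_NIC2, 40000, syn=False))  # reply
    print(fw.packet(DB_SERVER, 50000, WEB_NIC2, 80))                  # DB -> web
    print(fw.packet(SERVER_3, 50000, DB_SERVER, DB_PORT))             # lateral
    print("broad allows:", audit_broad_allows(RULES))
```

The point of the session table is the one the post makes about replies: the database server never needs an allow rule toward the web server, so a new connection originating from the DB side is denied even though DB-to-web packets do flow in practice. Running the same flows with the allow rule widened to "any port" shows up immediately in `audit_broad_allows`.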

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards

