Firewall Wizards mailing list archives
Re: Re: securing DB access from the DMZ
From: wasabi_pea () hushmail com
Date: Thu, 21 Feb 2002 13:35:04 -0800
I'm going to try and paraphrase all the responses I've received so far. Thanks for your advice, it has been very helpful.

Everyone agrees the current design is a bad idea.

Carl and Ryan stressed the importance of a well-defined security policy. Our existing policy is overly broad and outdated, and there are no perimeter procedures. It's one of my goals to get these documents into useful shape.

Carl asked if there were multiple VLANs set up on the Catalyst switch. There are, but they were put in place as a network-segmentation convenience and not as a security measure. There is a 'server VLAN', but it isn't specific to the database server; it's shared between various servers behind the perimeter. I don't want to rely on VLANs for security, though they might help a little.

Holger and Ryan recommend hardening the servers as much as possible. I agree that the web server is the weak link, but unfortunately, I'm stuck with IIS 4.0 on Windows NT, as that's the platform required by the Internet banking software. I've hardened the operating system and web server on the Internet banking server following the Microsoft and other hardening guides. The web server is running a host/network hybrid IDS sensor. The database server likely needs some attention, but I'll need to find some help as I'm not much of a DBA. If I can find somewhere to test them, I may try adding either Microsoft's URLScan or Eeye's similar software to the web server. I've also thought about putting a reverse proxy in front of the web server, but I don't have much experience in that area yet.

Holger proposed an interesting design in which the second network interfaces remain, but no longer connect to the core switch. Rather, they connect to the proposed second firewall. Here it is:
          {Internet}
              |
              |
        [Cisco router]
              |
              |                    (A)
        [Cisco PIX 520]---DMZ---[IIS 4 Webserver]
              |                       |
              |                  (Second NIC)
              |                       |
              |                       |
              |                   [Server 2]
              |                       |
              |                       |
      [Cisco Catalyst 6509]           |
              |         (B)           |
              |          |            |
              |          |            |
            (LAN)------------[State-Based FW]---[DB Server]
                                 |   |
                                 |   +------[Server 2]
                                 |  (C)
                                 +----------[Server 3]

    Depending on security considerations, one can use one DMZ per server instead of just one DMZ (A). The same applies to the connections that are needed to access internal servers (B) and the backend servers themselves (C).
I agree with him that the secondary network interface might simplify the firewall rules necessary to get the Internet banking traffic to the database server. But by keeping everything in his design but those connections, the traffic would come back through the Internet-facing firewall and through the core switch, where an existing network IDS sensor could get a look at the traffic.

Can anyone see any other benefits or drawbacks of his design?

Thanks again for all your help!

a humble (and hopefully increasingly clueful) wasabi_pea
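The trade-off the post weighs (a dedicated second firewall between the DMZ hosts' second NICs and the database, versus a second NIC sitting directly on the core switch) comes down to how few flows the intermediate filter lets through. The following is an added example, not code from the thread or from any of the products named in it: a small first-match packet-filter model that audits the flows a reviewer would care about under both designs. All addresses, the LAN range, host names and the database port (1433, assumed for illustration; substitute the real one) are constructed placeholders.

```python
# Added example: first-match packet-filter model of the proposed "state-based FW"
# that sits between the DMZ hosts' second NICs and the DB server. Every address,
# port and name below is a constructed placeholder, not from the thread.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source CIDR
    dst: str               # destination CIDR
    dport: Optional[int]   # destination port, None = any
    comment: str = ""


WEB_2ND_NIC = "10.99.0.10"    # constructed: web server's second NIC
DB_SERVER = "10.99.1.20"      # constructed: database server behind the 2nd FW
LAN_HOST = "10.10.5.5"        # constructed: an arbitrary internal LAN host (B)
DB_PORT = 1433                # constructed: assume MS SQL; use the real DB port

# Proposed design: the second firewall passes exactly the one flow the banking
# application needs. With stateful filtering the replies are implied, so nothing
# else on the DMZ side can reach the backend, and the LAN cannot reach the DMZ NICs.
PROPOSED = [
    Rule("allow", f"{WEB_2ND_NIC}/32", f"{DB_SERVER}/32", DB_PORT, "banking app -> DB"),
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", None, "default deny"),
]

# Current design: the second NIC hangs off the core switch with no filter at all,
# so any flow between the DMZ host and the LAN is permitted.
CURRENT = [
    Rule("allow", "0.0.0.0/0", "0.0.0.0/0", None, "no filter between DMZ NIC and LAN"),
]


def permitted(rules, src, dst, dport):
    """First-match evaluation of a new connection; no matching rule means deny."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if s in ip_network(r.src) and d in ip_network(r.dst) and (r.dport is None or r.dport == dport):
            return r.action == "allow"
    return False


def audit(rules):
    """Evaluate the flows that decide whether the design limits DMZ-to-backend exposure."""
    flows = {
        "web->db:sql": (WEB_2ND_NIC, DB_SERVER, DB_PORT),      # the one intended flow
        "web->db:smb": (WEB_2ND_NIC, DB_SERVER, 445),          # lateral movement path
        "web->lan:sql": (WEB_2ND_NIC, LAN_HOST, DB_PORT),      # DMZ host reaching the LAN
        "lan->web-2nd-nic": (LAN_HOST, WEB_2ND_NIC, 80),       # LAN reaching the DMZ NIC
    }
    return {name: permitted(rules, *f) for name, f in flows.items()}


if __name__ == "__main__":
    for label, ruleset in (("current", CURRENT), ("proposed", PROPOSED)):
        print(label)
        for name, ok in audit(ruleset).items():
            print(f"  {name:18} {'ALLOW' if ok else 'deny'}")
```

Run stand-alone it prints the four flows under each design; the point to take from it is that only the first flow survives the proposed filter, which is the property the reviewer should also expect to see in the real firewall's rule base and in the IDS sensor's view of the traffic.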
Current thread:
- securing DB access from the DMZ wasabi_pea (Feb 20)
- Re: securing DB access from the DMZ Holger Kipp (Feb 21)
- Re: securing DB access from the DMZ Ryan Russell (Feb 21)
- <Possible follow-ups>
- RE: securing DB access from the DMZ Carl Friedberg (Feb 21)
- Re: Re: securing DB access from the DMZ wasabi_pea (Feb 21)
- RE: securing DB access from the DMZ Scott, Richard (Feb 27)