Your architecture should look more like this:

      Internet
         |
         |
perimeter firewall<-->Amber Zone (DMZ)
         |
         |
  Internal network

Your firewall rules should look like:

Source(s)          Destination(s)   Service(s)          Permit/Deny
--------------------------------------------------------------------
Req'd source(s)    DMZWeb           Req'd Port (80?)    Permit
DMZWeb             SybaseDB         Req'd Port(s)       Permit
Any                Any              Any                 Deny

Unless you want to push database to a DMZ machine and put all of that
information at risk real-time.

----- Original Message -----
From: Marcus Noveix <noveixat_private>
To: <firewall-wizardsat_private>
Sent: Monday, January 10, 2000 9:25 PM
Subject: Internal Database server access from DMZ host

> Hi
>
> I am new to this list and hoping for some positive feedback on the following
> scenario.
>
> I am trying to implement an E-Commerce infrastructure currently which has the
> following structure :
>
> Internet <-->perimeter firewall<-->Amber Zone<-->Internal network.
>
> There is a WEB server in the Amber zone which needs connection to a Sybase Server
> using Sybase Openclient to do queries on the DB (WEB server INITIATING
> connection to the Sybase server).
>
> If this Sybase Server was to be in the INTERNAL network what sort of
> security implications does this pose?
>
> I will make sure the security on the DB server is tightened and the server
> is hardened but besides doing this, what other secure ways are
> there of doing this?
>
> I have read a lot of literature on firewalls and so far gathered that no
> INITIAL connection should be accepted from Amber Zone hosts to INTERNAL
> Network
>
> Thanks in advance
>
> N
>
> ______________________________________________________
> Get Your Private, Free Email at http://www.hotmail.com
>
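
Added example, not part of the original thread: the three-rule policy from the reply modelled as a first-match rule base, plus an audit that flags any permit from the DMZ into the internal network that is wider than one host to one host on one port. All addresses and port numbers are constructed assumptions, since the post only says "Req'd Port".

```python
import ipaddress
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    src: str             # CIDR or "any"
    dst: str             # CIDR or "any"
    port: Optional[int]  # None means any service
    action: str          # "permit" or "deny"

# Constructed values (assumptions, not from the original post).
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
DMZ = ipaddress.ip_network("192.0.2.0/24")
DMZ_WEB = "192.0.2.10/32"
SYBASE_DB = "10.1.1.20/32"
WEB_PORT = 80    # the post's "(80?)"
DB_PORT = 5000   # placeholder for the Sybase listener port

RULES = [
    Rule("any", DMZ_WEB, WEB_PORT, "permit"),    # required sources -> DMZWeb
    Rule(DMZ_WEB, SYBASE_DB, DB_PORT, "permit"), # DMZWeb -> SybaseDB
    Rule("any", "any", None, "deny"),            # explicit default deny
]

def _net(spec):
    return ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec)

def decide(rules, src, dst, port):
    """First matching rule wins; no match at all is treated as deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in _net(r.src) and d in _net(r.dst) and r.port in (None, port):
            return r.action
    return "deny"

def audit_dmz_to_internal(rules):
    """Return permit rules that open more than host-to-host, single-port
    access from the DMZ into the internal network."""
    findings = []
    for r in rules:
        if r.action != "permit":
            continue
        src, dst = _net(r.src), _net(r.dst)
        if src.overlaps(DMZ) and dst.overlaps(INTERNAL):
            if src.num_addresses > 1 or dst.num_addresses > 1 or r.port is None:
                findings.append(r)
    return findings
```

The audit is deliberately conservative: it inspects each permit rule on its own and does not credit earlier deny rules that might shadow it.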