Re: DMZ design - Exchange, SQL, & DCOM

From: Bill Pennington (billpat_private)
Date: Sun Feb 06 2000 - 11:49:39 PST


    The firewall doesn't know anything about what goes on in the DMZ. The firewall
    only knows about what tries to pass through its interfaces. What happens inside
    the DMZ or inside your LAN is completely unknown to the firewall unless that
    traffic tries to move through one of the firewall interfaces.
    
    Passing of non-IP protocols depends on your firewall. In this case since you
    need access from the inside of your network to the SQL server then you might
    need to run IP. As far as attacks from the internet are concerned, most routers
    only pass IP traffic. The likelihood of tunneling through a non-IP protocol is
    very very slim.
    
    If you make your SQL server not accessible from the internet you have only
    removed half the security risk. Most SQL servers are attacked at the
    application level. See
    http://packetstorm.securify.com/0002-exploits/rfp2k01.txt for a good example of
    this.
    
    You might also want to look at
    http://www.cert.org/security-improvement/modules/m08.html for a good firewall
    deployment overview.
    
    BTW what firewall are you going to be using?
    
    
    Michael Borkin wrote:
    
    >     <snip>
    >
    >         Just because your SQL server is in the DMZ does not mean
    >         that it is accessible from the outside. Your outside firewall
    >         interface should only allow HTTP traffic to the web server
    >         and SMTP traffic to the mail server. That's it. Nothing more.
    >         Your SQL server doesn't even need an internet routable IP
    >         address. It doesn't even need IP. You could set it up to use
    >         IPX or NetBEUI to talk to the web server. (Do this only if your
    >         firewall will let you talk to the SQL server from the inside using
    >         IPX or NetBEUI)
    >
    >     </snip>
    >
    > I am assuming you mean that the firewall allows IPX or NetBEUI inside the
    > DMZ.  I never have considered that.  Would that be allowed through the
    > rules?  Would it open the servers up in another way, such as tunneling
    > those protocols in, if I was to allow IPX or NetBEUI?
    >
    >     <snip>
    >
    >         One more thing. The book "Building Internet Firewalls" is NOT
    >         written by Cheswick and Bellovin as stated previously. "Building
    >         Internet Firewalls" is written by Brent Chapman and Elizabeth
    >         Zwicky and is published by O'Reilly.
    >
    >     </snip>
    >
    > Thanks for the reference as well... I haven't had time to check it out as of
    > yet but it does sound like exactly the kind of book I need to read.
    >
    > Mike
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:02:22 PDT