The firewall doesn't know anything about what goes on in the DMZ. The firewall only knows about what tries to pass through its interfaces. What happens inside the DMZ or inside your LAN is completely unknown to the firewall unless that traffic tries to move through one of the firewall interfaces. Passing of non-ip protocols depends on your firewall. In this case since you need access from the inside of your network to the SQL server then you might need to run IP. As far is attacks from the internet are concerned, most routers only pass IP traffic. The likely hood of tunneling through a non IP protocol is very very slim. If you make your SQL server not accessable from the internet you have only removed half the security risk. Most SQL servers are attacked at the application level. See http://packetstorm.securify.com/0002-exploits/rfp2k01.txt for a good example of this. You might also want to look at http://www.cert.org/security-improvement/modules/m08.html for a good firewall deployment overview. BTW what firewall are you going to be using? Michael Borkin wrote: > <snip> > > Just because your SQL server is in the DMZ does not mean > that it is accessible from the outside. Your outside firewall > interface should only allow HTTP traffic to the web server > and SMTP traffic to the mail server. Thats it. Nothing more. > Your SQL server doesn't even need an internet routable IP > address. It doesn't even need IP. You could set it up to use > IPX or Netbeui to talk to the web server. (Do this only if your > firewall will let you talk to the SQL server from the inside using > IPX or Netbeui) > > </snip> > > I am assuming you mean that the firewall allows IPX or Netbeui inside the > DMZ. I never have considered that. Would that be allowed through the > rules? Would it open the servers up to in another way, such as tunneling > those protocols in, if I was to allow IPX or Netbeui? > > <snip> > > One more thing. The book "Building Internet Firewalls" is NOT > written by Cheswick and Bellovin as a stated previously. "Building > Internet Firewalls" is written by Brent Chapman and Elizabeth > Zwicky and is published by O'Reilly. > > </snip> > > Thanks for the reference as well... I haven't had time to check it out as of > yet but it does sound like exactly the kind of book I need to read. > > Mike
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:02:22 PDT