Michael Borkin wrote: > > Should all traffic be passed back to the firewall which will have 3-nic > cards (1- Internet, 2- DMZ, 3- Internal network), or should the router > itself have two ethernet ports (1- Firewall, 2- DMZ) and the firewall > only have two nic cards (1- Internet, 2- Internal Network) as well? Use a 3-NIC firewall setup. Logging is better, and the firewall is capable of blocking and logging outgoing stuff from the DMZ that shouldn't be going out. Unknown outgoing traffic from the DMZ is a sure sign that it's been hacked. > E-mail is currently handled by an Exchange Server > [Use mail forwarder in DMZ or place Exchange Server in DMZ?] To have the Exchange server in the DMZ, you would have to punch so many holes through the firewall that it'd look like a swiss cheese. Also, you'd completely expose the Exchange server to the wrath of the presumably hacked web server. I'd recommend placing a mail forwarder with content screening capabilities in a SEPARATE DMZ, and the Exchange server on the internal network. > Next, is that the web server uses dynamic html for much of the website > content. This leverages both a SQL server and DCOM programming built > through Visual InterDev to deliver the content to the web server. This > is where it really goes over my head at the moment, if it was just SQL > server then I know to place it on the inside and let the calls from the > web server come back through the firewall. Here's where you're wrong. If someone can hack the web server, they can hack the SQL server, and in turn access everything on the internal network. You don't want a web server accessing your SQL server on the internal net. > I honestly don't understand enough to know where the DCOM part of the > process sits Me neither, you'd have to explain this more in-depth. > (although I am guessing it is on the web rather than the database server) Me too. I'll assume plain port 1433 communications from the web server to the SQL server. > [Open up lots of ports or place SQL server in DMZ] > (neither of which sounds like a good idea to me). Two choices: - Place a second SQL server in DMZ and have internal server mirror data to it once in a while. This will NOT work if the web server needs to update things on the SQL server and have it reflected in the internal SQL server. - Place the SQL server in a SEPARATE DMZ. Only use this server for things that the web server needs to access. If there are more tables used internally, place them on a separate internal server. If you implement all the funky things I've suggested above, worst case, you'd need a firewall with 5 NICs: 1 - External 2 - Internal 3 - DMZ with web server 4 - DMZ with mail forwarder 5 - DMZ with SQL server (this may not be needed, as noted above) Hope this helps /Mike -- Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK Phone: +46-(0)660-105 50 Fax: +46-(0)660-122 50 Mobile: +46-(0)70-248 00 33 WWW: http://www.enternet.se E-mail: mikael.olssonat_private
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:02:25 PDT