Re: SQL 2000 and web server (IIS)
- From: lucm@xxxxxxxxx
- Date: 6 Oct 2006 03:56:38 -0700
Ron wrote:
Warren Brunk wrote:
If I were you...
I would put the IIS machine in the DMZ and the SQL Server on the LAN.
SQL Server communicates on port 1433.
The IIS server should be outside AD and the SQL server should be on the domain.
On your firewall I would only allow the MAC address of the IIS machine
through on 1433.
Of course there are thousands of ways of doing it, but this is pretty
standard practice at large corporations that I have worked with.
thanks,
Is port 1433 all that we need to allow to let SQL (in the LAN) and IIS
(in DMZ) "talk"? I'm also leaning towards the split configuration but
unsure about it. If I must open too many ports between LAN-DMZ for the
two to communicate, might as well place both inside LAN or in the DMZ.
I use a Watchguard firewall. I don't think there's an option to restrict
connections by MAC addr. I can restrict it by a single IP address, a range
of IPs, a network (x.x.x.x/x) etc., but can't do it by MAC addr.
Thanks for your reply.
I agree with the other posts: of the three scenarios, #3 is the
best. In that case the SQL should be on the domain but not as a DC.
However, I would suggest another scenario, more secure and more
convenient if you use the webserver for internal applications.
Create two distinct DMZs. On the Watchguard it would mean three zones,
say Red, Orange and Green (I am not sure if Watchguard uses colors or
name for the zones).
The Green zone is your Lan.
The Orange zone is a DMZ. Put IIS and SQL Server in this zone, and join
both to the domain (but don't put a DC role in this zone). Thanks to
GPOs, a domain member server can be far more secure than a standalone
server.
Give full access from the Green to the Orange, but allow only
communication to the DC from the Orange to the Green, unless you have
an internal database which has to be fed some data from SQL Server and
a "pull" model is a no-go for you. Don't allow internet traffic to this
zone.
The Red zone is also a DMZ. Put an Apache web server in this zone, and
create a reverse proxy so this web server gets all its contents from
the IIS server in the Orange zone. Open the Red zone to internet
traffic, and allow communication between Apache and IIS only between
the Red and Orange zones (not the other way around). The machine for
Apache does not have to be a big server. Of course you should make sure
it's reliable (mirrored disks).
You can run Apache on Windows, and there is plenty of information on
how to create a reverse proxy on the Apache website. Basically you
simply need a rule matching all the traffic (/) to the other web
server, which is a 3 or 4 lines configuration.
With this setup you get a lot of benefits:
1) The Red zone is a first line of defense, which means your IIS and
SQL are fairly protected, and your LAN is very secure. If at some point
you suspect that you are under some kind of internet attack, you can
cut the communication between the Red and Orange zones, which won't
prevent you from working on the IIS or SQL servers until things are
cleared up.
2) The Apache server can act as a buffer. When you need to do some
maintenance on your web application, you can put a temporary web page
on Apache while you reboot IIS. So your customers will get a nice
message instead of a "page not found".
3) You can use your IIS server to host an intranet for your company.
Also websites and databases are much easier to maintain since they are
completely accessible from the LAN.
4) From the internet you will appear as if you have an Apache web server,
not IIS, making your site a less attractive target for worms and
hackers. Even if you have ASP or ASPX extensions on your web pages,
scanners will see Apache, and most exploits against IIS won't work (as
long as they are not URL-based exploits). You can add an IDS on Apache
as well to filter out exploits.
5) The Apache server can act as a load balancer, should you need one at
some point.
It is not very difficult to do this kind of setup, and it's definitely
worth the tiny investment. And if someday you have a security audit
from a customer or partner (for compliance or any other reason) you'll
get big kudos for such a secure layout.
Regards,
lucm
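The "3 or 4 lines" reverse-proxy rule lucm refers to, written out as an added example (this is not configuration from the original post). It assumes Apache httpd with mod_proxy and mod_proxy_http loaded, that the IIS server in the Orange zone answers on the placeholder address 10.0.2.10, and that a static maintenance page exists in Apache's DocumentRoot; the module paths are the stock Apache layout and may differ on your build.

```apache
# Added example, not from the original post. Minimal reverse proxy on the
# Red-zone Apache that pulls all content (/) from the IIS server in the
# Orange zone. 10.0.2.10 is a placeholder for the IIS server's address.
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

# Never behave as a forward (open) proxy: only the explicit ProxyPass
# mappings below are honoured.
ProxyRequests Off

# Pass the client's Host: header through so IIS host-header bindings and
# the application's own redirects keep working behind the proxy.
ProxyPreserveHost On

# Keep the maintenance page local to Apache. The "!" exclusion must come
# before the catch-all rule, because ProxyPass rules match in order.
ProxyPass "/maintenance.html" "!"

# The catch-all rule: everything goes to IIS, and Location/Content-Location
# headers in IIS responses are rewritten back to this server's name.
ProxyPass        "/" "http://10.0.2.10/"
ProxyPassReverse "/" "http://10.0.2.10/"

# Announce only "Apache" in the Server header (no version, OS or modules).
ServerTokens Prod

# The "buffer" from point 2: when IIS is rebooting, the proxy returns 502/503;
# serve the local maintenance page instead of a bare error.
ErrorDocument 502 /maintenance.html
ErrorDocument 503 /maintenance.html
```

With `ProxyRequests Off` the Red-zone box forwards only what the `ProxyPass` rule names, so the firewall rule between Red and Orange can be limited to the Apache host reaching the IIS host on port 80 (or 443, if you terminate TLS on IIS rather than on Apache); nothing in the Red zone needs a route to SQL Server at all.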