basics logo Security Basics mailing list archives

Re: DMZ Web Servers
From: Adriel Desautels <adriel () netragard com>
Date: Mon, 08 Sep 2008 12:41:40 -0400

Lafosse,
         Suppose that your DMZ is security zone 1, your LAN is zone 2 and the
internet is zone 0. By doing what you propose you are literally allowing
zone 0 to access zone 2. This reduces the security of zone 2 to the
security of zone 0 with respect to trust. Now someone from zone 0 can
gain access to zone 2 via SQL Injection, etc, in theory.

        Consider creating a database to live in zone 1 and keeping your
existing database alive in zone 2 and isolated. Does that make sense?

Btw, Dave, you did sound insulting. This is security basics not 3r33t
security ninjas. ;]
Regards,
        Adriel T. Desautels
        Chief Technology Officer
        Netragard, LLC.
        Office : 617-934-0269
        Mobile : 617-633-3821
        http://www.linkedin.com/pub/1/118/a45

        Join the Netragard, LLC. Linked In Group:
        http://www.linkedin.com/e/gis/48683/0B98E1705142

---------------------------------------------------------------
Netragard, LLC - http://www.netragard.com  -  "We make IT Safe"
Penetration Testing, Vulnerability Assessments, Website Security

Netragard Whitepaper Downloads:
-------------------------------
Choosing the right provider : http://tinyurl.com/2ahk3j
Three Things you must know  : http://tinyurl.com/26pjsn


David Glosser wrote:
The fact that you are asking this question means you aren't qualified to do it yourself. 
I'm not being insulting or condescending, only realistic. 
 
With SQL injection, Cross-Site Scripting, and other issues, I would hire an expert to properly design and manage the
infrastructure 24x7 for you. You don't want your site hacked or your back-end database compromised at 3:00 am one
weekend.

Make sure the design includes two layers of firewalls, regular vulnerability scanning/penetration testing, IDS/IPS,
and if possible a Web Application Firewall.
 
 
 
----- Original Message ----
From: "Lafosse, Ricardo" <rlafosse () sfwmd gov>
To: security-basics () securityfocus com
Sent: Friday, September 5, 2008 6:29:24 AM
Subject: DMZ Web Servers

Hello All,

I would like to know any suggestions or ideas on how some infrastructures
currently set up their Web Servers in the DMZ and connect back to an
Oracle or MSSQL backend on the inside. I was thinking of just allowing
specific IPs and MACs, but any other help would be greatly appreciated.

Thanks!
Rico
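
The zone argument in Adriel's reply (zone 0 = internet, zone 1 = DMZ, zone 2 = LAN) can be checked mechanically as a reachability problem. The Python below is an added example, not code from the thread or from anyone posting in it. It constructs two sample firewall policies: design A, the setup Ricardo asked about (DMZ web server connecting straight to the LAN database), and design B, what Adriel suggests (a database in the DMZ, the LAN database isolated). The host names, zones and flows are constructed sample data, and the model makes one stated assumption: any host an attacker can reach may be compromised (the reply names SQL injection as one way) and then used to follow every flow the firewall permits for that host. Under that assumption the "effective trust" of a host is the lowest zone from which it is reachable, which is exactly the point that zone 2's security collapses to zone 0's.

```python
"""Zone/trust reachability model for the DMZ web server question (added example)."""
from collections import deque

# Constructed sample policies. Each flow is (source_host, dest_host, service).
# Design A: the proposal in the original post, DMZ web server talks to the LAN database.
DESIGN_A = {
    "hosts": {"internet": 0, "web-dmz": 1, "db-lan": 2, "hr-server": 2},
    "flows": [
        ("internet", "web-dmz", "https"),
        ("web-dmz", "db-lan", "mssql"),   # the flow Adriel objects to
    ],
}

# Design B: Adriel's suggestion, a database lives in the DMZ and the LAN database stays isolated.
DESIGN_B = {
    "hosts": {"internet": 0, "web-dmz": 1, "db-dmz": 1, "db-lan": 2, "hr-server": 2},
    "flows": [
        ("internet", "web-dmz", "https"),
        ("web-dmz", "db-dmz", "mssql"),
    ],
}


def reachable_from(design, start):
    """Hosts reachable from `start`, assuming (as stated in the lead-in) that each
    reached host may be compromised and then used to follow any permitted flow."""
    seen = {start}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for src, dst, _service in design["flows"]:
            if src == cur and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen


def effective_trust(design, target):
    """Lowest-trust zone from which `target` is reachable: the zone whose security
    `target` actually inherits under the pivot assumption."""
    zones = design["hosts"]
    return min(zones[h] for h in zones if target in reachable_from(design, h))


def exposed_lan_hosts(design):
    """LAN (zone 2) hosts that zone 0 can reach through the permitted flows."""
    from_internet = reachable_from(design, "internet")
    return sorted(h for h, z in design["hosts"].items() if z == 2 and h in from_internet)


if __name__ == "__main__":
    for name, design in (("A", DESIGN_A), ("B", DESIGN_B)):
        print(f"design {name}: LAN hosts exposed to zone 0 = {exposed_lan_hosts(design)}, "
              f"effective trust of db-lan = zone {effective_trust(design, 'db-lan')}")
```

Running it shows design A exposing db-lan at zone-0 trust while design B leaves no LAN host reachable from the internet and db-lan at its native zone 2. The model is deliberately coarse: it says nothing about which services are filtered or how hard a given pivot is, only which hosts become reachable once a permitted path exists, which is the question a firewall design review needs answered first.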

