WebApp Sec
mailing list archives
Re: DMZ and critical data
From: sarbanha () tkckish co ir
Date: 9 Jul 2006 07:52:39 -0000
Hi Pedro,
I believe VPN is a more suitable solution for this problem; since the VPN seems to be a non-feasible solution to your
problem, you should concentrate on the security holes of your web server. To be honest, this is very difficult to achieve;
the web application should be very strong and you should be aware of remote code execution vulnerabilities on your web
server.
From my point of view, the problem is not accessing the database itself; the problem is that your web server has
remarkable access to your database.
Let's suppose your web server is highly secured. What I have done in my company is to set up my database on the DMZ
network with no default gateway, but of course I did a very strict configuration on my firewall for the database.
Another solution can be NAT: you can put your database server on the intranet and do some NATting configuration along with
port address translation to allow your web server to gain access to the database server.
I believe the NAT solution is more secure than the former method...
I'm sure other guys with more experience might have better solutions, so I'll follow this thread to learn more :-)
Very Kind Regards,
Mohammad-Ali
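
An added example, not part of the original post: a small Python model of the NAT approach described above, used to audit that only the web server reaches the intranet database, and only through the translated port. All addresses, port numbers and names are constructed assumptions, and the first-match, default-drop rule evaluation is a simplification of a real firewall.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Constructed addressing (documentation/private ranges), not from the post.
WEB = "192.0.2.10"         # web server in the DMZ
FW_DMZ = "192.0.2.1"       # firewall's DMZ-side address
DB = "10.0.0.5"            # database server on the intranet
OTHER_DMZ = "192.0.2.20"   # some other DMZ host
PUBLISHED_PORT, DB_PORT = 15432, 5432

Dnat = namedtuple("Dnat", "src dst dport to_ip to_port")
Rule = namedtuple("Rule", "src dst dport action")

# Port address translation: only the web server's source address matches.
NAT = [Dnat(f"{WEB}/32", FW_DMZ, PUBLISHED_PORT, DB, DB_PORT)]
# Forward rules: first match wins after translation, default is drop.
FORWARD = [Rule(f"{WEB}/32", f"{DB}/32", DB_PORT, "accept")]

def translate(src, dst, dport, nat=NAT):
    for n in nat:
        if ip_address(src) in ip_network(n.src) and dst == n.dst and dport == n.dport:
            return n.to_ip, n.to_port
    return dst, dport

def verdict(src, dst, dport, nat=NAT, forward=FORWARD):
    dst, dport = translate(src, dst, dport, nat)
    for r in forward:
        if (ip_address(src) in ip_network(r.src)
                and ip_address(dst) in ip_network(r.dst) and dport == r.dport):
            return r.action
    return "drop"

def audit(nat=NAT, forward=FORWARD):
    """Return the flows whose verdict differs from the intended policy."""
    expected = {
        (WEB, FW_DMZ, PUBLISHED_PORT): "accept",     # web -> DB via NAT
        (WEB, DB, 22): "drop",                       # web -> DB, other port
        (OTHER_DMZ, FW_DMZ, PUBLISHED_PORT): "drop", # other host via NAT
        (OTHER_DMZ, DB, DB_PORT): "drop",            # other host, direct
        (DB, WEB, 80): "drop",                       # DB initiating outbound
    }
    return [f for f, want in expected.items() if verdict(*f, nat, forward) != want]
```

Passing a rule list whose source is the whole DMZ subnet instead of the web server's /32 makes `audit` report the direct flow from the other DMZ host to the database.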