secure LAMP architecture (MySQL in particular)

["List Subscriptions" <lists.canuck.eh () gmail com>]

What are the best practices for a LAMP architecture?  Basically I
believe that any servers that are going to be accessible from the
internet need to be in the DMZ.  Furthermore, any connections from the
DMZ servers to the internal network should require some form of
authentication.  What are the best practices concerning the MySQL DB
server portion of the architecture.  I don't believe MySQL should
reside on the same box as Apache.  Therefore should it reside on a
dedicated box in the DMZ or on the internal network?  If it resides on
the internal network what should be used to ensure
secure/authenticated communication?

Thanks in advance!