Security Basics mailing list archives

Re: DMZ Web Servers


From: krymson () gmail com
Date: Mon, 8 Sep 2008 12:55:32 -0600

Typically only the traffic needed for your web server to talk to the database server is necessary. This would be done on 
the Network layer (TCP/UDP ports), instead of MACs on the second layer. Allowing entire IPs to talk to each other is 
too much.

I find that it is easiest to turn your firewall or router all the way closed and log denies. As you attempt to use the 
database server from the web server, start opening up the IP/port combinations as necessary while remembering to also 
check the same on the return path.

If, like a previous responder, you'd be worried about SQL injection, then you'd be worried about something beyond your 
infrastructure layout.

(Fine, there are things you can put in between your web server and database server to alert on mischievous traffic 
between the two, but I posit that solution is rare and not served when you [should] have that traffic encrypted anyway.)


<- snip ->
I would like to know any suggestions or ideas how some infrastructures
currently set up their Web Servers in the DMZ and connect back to an
Oracle or MSSQL backend on the inside. I was thinking of just allowing
specific IPs and MACs, but any other help would be greatly appreciated.

Thanks!
Rico


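An added worked example of the procedure krymson describes (default-deny, log the denies, then open only the IP/port combinations you see, with the return path handled by connection tracking). This is editor-added illustration, not code from the thread or from either poster. The addresses (TEST-NET ranges), interface names, the MSSQL port 1433, and the log prefix are assumptions; the sample log lines are constructed to look like netfilter LOG output.

```shell
#!/bin/sh
# Editor-added example for a firewall sitting between a DMZ web server and an
# internal MSSQL server. Nothing here is applied unless you pipe the output
# into sh. All addresses, interfaces and the port below are assumptions.
WEB_IP="${WEB_IP:-192.0.2.10}"      # assumed DMZ web server (TEST-NET-1)
DB_IP="${DB_IP:-198.51.100.20}"     # assumed internal MSSQL server (TEST-NET-2)
DB_PORT="${DB_PORT:-1433}"          # MSSQL default listener; Oracle would be 1521
DMZ_IF="${DMZ_IF:-eth1}"            # assumed DMZ-facing interface
LAN_IF="${LAN_IF:-eth2}"            # assumed internal-facing interface

# Emit the FORWARD-chain rules. Order matters:
#  1. default policy DROP ("all the way closed")
#  2. conntrack ESTABLISHED,RELATED handles the return path, so the DB's
#     replies get through without a second explicit reverse rule
#  3. the one IP/port combination the web tier is allowed to initiate
#  4. rate-limited LOG of everything else, then DROP ("log denies")
dmz_db_rules() {
    cat <<EOF
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $DMZ_IF -o $LAN_IF -s $WEB_IP -d $DB_IP -p tcp --dport $DB_PORT -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DENY: " --log-level 4
iptables -A FORWARD -j DROP
EOF
}

# Turn logged denies (kernel log on stdin) into "SRC DST PROTO DPT count"
# lines. Each line is a candidate allow rule to review by hand; if it is
# not something the web server legitimately needs, it stays blocked.
summarize_denies() {
    grep 'FWD-DENY: ' | awk '{
        src = ""; dst = ""; proto = ""; dpt = "";
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=");
            if (kv[1] == "SRC") src = kv[2];
            else if (kv[1] == "DST") dst = kv[2];
            else if (kv[1] == "PROTO") proto = kv[2];
            else if (kv[1] == "DPT") dpt = kv[2];
        }
        if (src != "" && dst != "") count[src " " dst " " proto " " dpt]++;
    }
    END { for (k in count) print k, count[k] }' | sort
}

# Constructed sample log lines (not real captures): two blocked attempts by
# the web server to reach MSSQL before the allow rule existed, and one
# attempt to reach SMB on another internal host that should stay blocked.
SAMPLE_LOG='Sep  8 12:55:32 fw kernel: FWD-DENY: IN=eth1 OUT=eth2 SRC=192.0.2.10 DST=198.51.100.20 LEN=60 PROTO=TCP SPT=45120 DPT=1433 SYN
Sep  8 12:55:33 fw kernel: FWD-DENY: IN=eth1 OUT=eth2 SRC=192.0.2.10 DST=198.51.100.20 LEN=60 PROTO=TCP SPT=45121 DPT=1433 SYN
Sep  8 12:55:40 fw kernel: FWD-DENY: IN=eth1 OUT=eth2 SRC=192.0.2.10 DST=198.51.100.21 LEN=60 PROTO=TCP SPT=45122 DPT=445 SYN'

# Usage:  ./dmz-fw.sh --rules | sh          (apply the ruleset)
#         ./dmz-fw.sh --summarize < /var/log/kern.log
#         ./dmz-fw.sh --demo                (summarize the constructed sample)
case "${1:-}" in
    --rules)     dmz_db_rules ;;
    --summarize) summarize_denies ;;
    --demo)      printf '%s\n' "$SAMPLE_LOG" | summarize_denies ;;
esac
```

With conntrack the ESTABLISHED,RELATED rule is the "return path" check krymson mentions; on a stateless ACL (a router access list, for instance) you would instead need a matching reverse entry allowing the DB server's source port 1433 back to the web server. The summarizer only groups what was logged; deciding which of those lines become allow rules is the manual step.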