[EMAIL PROTECTED] wrote:
>
> I've got a database server that has to be accessible by my internal LAN
> users and by outside users via the Internet.
Does it have to be accessible directly, or is there some sort of glue
process which (already|potentially) acts as a go-between? A lot of
sites use server-side processing attached to a web server to mediate
access to a database, for several reasons including added security. If
that doesn't make sense in your case, maybe some other sort of
intervening process could act as a proxy to the database?
> Where is the most secure place
> to put the database server... on the DMZ or on the LAN?
Conventional wisdom says that no data at all should exist in the DMZ.
Just processes which govern the movement of data through it, and as
little as possible of those.
If an intruder compromises a DMZ machine in that case, all they get is
access to your gateway processes -- firewalling rules, proxy server
configuration information -- not to your repositories. That's still bad
if you don't know they're there; they can still eavesdrop on you, for
example, but you get a chance to notice them and punt them out or take
other action. If the store is in the DMZ, it's (potentially) all over
as soon as they break in.
> If I have a server
> that is accessible by internal and external users am I defeating the purpose
> of a DMZ?
That depends on what you mean by "access". Well, philosophically
speaking the answer is "yes," you do lose some measure of security with
every user or class of users for whom you provide access to any object.
But <platitude>security is a balancing act between safety and
functionality.</platitude> You don't have to give everybody the same
kind of access, for example; there are also other ways to govern access
besides firewalls, and particularly in the case of a database some sort
of application-level security is almost always called for.
HTH,
-m
--
~~~Michael Jinks, IB // Technical Entity // Saecos Corporation~~~~
"mobility is overrated. consider the noble cactus!"
-- Rev. Blair Christensen
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
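The layout the reply recommends (a mediating front end in the DMZ, the data store on the LAN, no Internet-to-LAN path), written out as an nftables forwarding policy. This is an added illustration, not part of the thread; the interface names wan0/dmz0/lan0, the addresses 192.0.2.10 (DMZ front end) and 10.0.0.20 (LAN database), and the database port 5432 are assumed placeholders.

```nftables
# Added illustration (not from the original thread): a three-zone ruleset.
# Interfaces, addresses and the database port are assumed placeholders.
table inet dmz_policy {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to already-permitted sessions flow back; nothing else by default.
        ct state established,related accept
        ct state invalid drop

        # Internet -> DMZ: only the web/application front end, only HTTPS.
        iifname "wan0" oifname "dmz0" ip daddr 192.0.2.10 tcp dport 443 accept

        # DMZ -> LAN: only the front end, only to the database port. This is the
        # single "go-between" path; the database itself never lives in the DMZ.
        iifname "dmz0" oifname "lan0" ip saddr 192.0.2.10 ip daddr 10.0.0.20 tcp dport 5432 accept

        # LAN -> DMZ: internal users and administrators may reach the front end.
        # Internal users reach the database directly on the LAN, which never
        # crosses this firewall at all.
        iifname "lan0" oifname "dmz0" ip daddr 192.0.2.10 tcp dport { 22, 443 } accept

        # LAN -> Internet: outbound from the inside is allowed.
        iifname "lan0" oifname "wan0" accept

        # Nothing else from the Internet or the DMZ is forwarded into the LAN.
        # Log it rather than dropping silently, so a compromised DMZ host that
        # starts probing inward is noticed, which is the "chance to notice them"
        # the reply describes.
        iifname { "wan0", "dmz0" } oifname "lan0" log prefix "fw-inbound-drop: " drop
    }
}
```

Application-level controls on the database (per-user accounts, least-privilege grants for the front end's account) still apply on top of this; the ruleset only limits which hosts can reach the port at all.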