Do NAT. Use a private range for your DMZ. Create a single-port
static mapping for your webserver. Deny any direct access to the DB
servers. I'd even block outgoing traffic from the DB servers. Then put an
IDS scanner into the DMZ.
DMZ Net-ID: 192.168.100.0
External Net-ID: 200.200.200.0
External Router: 200.200.200.1
External Webserver IP: 200.200.200.3
Internal Webserver IP: 192.168.100.10
Some commands to put in:
route OUTSIDE 0 0 200.200.200.1 1
nat (DMZ) 1 192.168.100.0 255.255.255.0 0 0
global (OUTSIDE) 1 200.200.200.2 netmask 255.255.255.0
static (DMZ,OUTSIDE) tcp 200.200.200.3 www 192.168.100.10 www netmask 255.255.255.255 0 0
access-list ACL_OUT permit tcp any host 200.200.200.3 eq www
access-list ACL_OUT permit icmp any any
access-list ACL_DMZ permit tcp 192.168.100.10 255.255.255.255 any
access-list ACL_DMZ permit icmp any any
access-group ACL_DMZ in interface DMZ
access-group ACL_OUT in interface OUTSIDE
icmp permit any unreachable OUTSIDE
timeout xlate 0:05:00
Ooops... I gotta leave. Hope this helps. And don't forget... the PIX can't do
anything about worms itself if the ruleset permits the traffic. Have a look
at IDS.
--------------------------------------
Boris Pavalec
Managing Director, VRP
Network / System Engineer MCSE & MCT
HCS - Highend Computing Systems AG
Hohlstrasse 216
CH-8004 Zürich
Phone: + 41-1 240 29 50
Fax: + 41-1 240 29 59
eMail: [EMAIL PROTECTED]
--------------------------------------
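An added example, not from the post or the mailing list: a small Python evaluator for the two access-lists in the reply above, used to confirm that the rulebase exposes only TCP/80 on the webserver's public address and lets only the webserver itself initiate connections out of the DMZ. The Internet and DB server addresses used in check_policy are assumed.

```python
import ipaddress
# Constructed input: the two access-lists from the reply above, verbatim.
ACL_TEXT = """
access-list ACL_OUT permit tcp any host 200.200.200.3 eq www
access-list ACL_OUT permit icmp any any
access-list ACL_DMZ permit tcp 192.168.100.10 255.255.255.255 any
access-list ACL_DMZ permit icmp any any
"""
PORT_NAMES = {"www": 80}  # PIX port keyword used on this page

def _addr(tokens):
    """Consume one PIX address spec: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)

def parse_acls(text):
    """Return {acl_name: [(action, proto, src_net, dst_net, dst_port or None)]}."""
    acls = {}
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:1] != ["access-list"]:
            continue
        name, action, proto, rest = tok[1], tok[2], tok[3], tok[4:]
        src, dst = _addr(rest), _addr(rest)  # order matters: source first
        # Only 'eq <port>' on the destination is handled (all this page needs).
        port = int(PORT_NAMES.get(rest[1], rest[1])) if rest[:1] == ["eq"] else None
        acls.setdefault(name, []).append((action, proto, src, dst, port))
    return acls

def evaluate(acl, proto, src, dst, dport=None):
    """First-match evaluation; an unmatched flow hits the PIX implicit deny."""
    s_ip, d_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, s, d, port in acl:
        if p == proto and s_ip in s and d_ip in d and port in (None, dport):
            return action
    return "deny"

def check_policy():
    """Flows worth verifying; the Internet (203.0.113.7) and DB (10.1.1.20) hosts are assumed."""
    acls = parse_acls(ACL_TEXT)
    out, dmz = acls["ACL_OUT"], acls["ACL_DMZ"]
    return {
        "internet->web:80": evaluate(out, "tcp", "203.0.113.7", "200.200.200.3", 80),
        "internet->web:1433": evaluate(out, "tcp", "203.0.113.7", "200.200.200.3", 1433),
        "web->db:1433": evaluate(dmz, "tcp", "192.168.100.10", "10.1.1.20", 1433),
        "other_dmz->db:1433": evaluate(dmz, "tcp", "192.168.100.11", "10.1.1.20", 1433),
    }
```

The last two flows show why ACL_DMZ names the webserver explicitly: a second host in the DMZ gets the implicit deny, while the webserver's own address may still reach the DB port, which is the path an attacker who compromises IIS would inherit and why the reply also suggests blocking traffic from the DB servers.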
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Kais Al-Essa
Sent: Tuesday, September 18, 2001 5:17 PM
To: [EMAIL PROTECTED]
Subject: Database Security
Hello all,
We have a scenario where on the DMZ we have an IIS Server hosting the main
web site. In the internal LAN, we have a farm of database servers.
We are developing web-based applications that pull and display to authorized
visitors (from the IIS Server on the DMZ) some information from the internal
databases.
We are using a Cisco PIX. What would be the best setup scenario to achieve
this from all aspects? We are more interested in what setup needs to be done
on the PIX to secure this access as much as possible and deny anyone who
might be able to break into the IIS code access to the internal databases.
Any tips or hints are welcome! :-)
Regards..
---
Kais Al-Essa, Operations & Technical Services Manager
SAHARA NETWORK, Dammam, Saudi Arabia
http://www.sahara.net.sa/ - Tel: +(9663) 832 2299 - Fax: +(9663) 834 5652
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls