Thanks Michael. So let me get this straight: there shouldn't be any comms from my SQL server in the DMZ to my internal network, correct? Which I agree with. But comms to the SQL server in the DMZ from my internal network are OK? I am pushing to change the default port just for some comfort.
Thanks in advance

On Tue, May 17, 2011 at 3:34 PM, Michael Dickey <[email protected]> wrote:

> One point of having a DMZ network is to isolate systems that accept
> untrusted connections from those that do not. A front-end web server accepts
> untrusted connections, but the SQL DB server does not; at least not
> directly. So if you have some other way to isolate the communication between
> those boxes so that one only talks to the other via something like a SQL
> port, then I guess feel free.
>
> Otherwise, the easiest best practice is to just say SQL DBs in the DMZ is a
> bad idea. If your web server gets popped, maybe even marginally, it could
> open up easy attacks into your SQL box.
>
> Of course, this is a whole new discussion if:
> - you're a small shop and/or might consider internal users as untrusted,
> but can't afford so many separate networks
> - you consider SQL owned if your front end web server is owned, which is a
> certain non-layered way to look at it
>
> On Tue, May 17, 2011 at 3:08 PM, Juan Cortes <[email protected]> wrote:
>
>> Hope all is well,
>>
>> Can anyone point or recommend some resources for best practices for SQL
>> DBs in the DMZ
>>
>> thanks
>>
>> --
>> Juan C.
>>

--
Juan C. Cortes
773-531-0637
Chicago, Il 60632
_______________________________________________ Pauldotcom mailing list [email protected] http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
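The segmentation Michael describes and Juan asks about, as an added example that is not part of the thread: a first-match, default-deny policy model in which the SQL box in the DMZ is reachable only on the SQL port, from the DMZ web front end and from the internal network, while nothing in the DMZ may initiate a connection inward. The zone ranges, host addresses and the SQL port (1433, the MS SQL default) are assumed for illustration.

```python
"""Added example, not code from the thread: a zone-based firewall policy
model evaluated against the flows discussed above."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed addressing for the example; real DMZ/internal ranges will differ.
ZONES = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "internal": ipaddress.ip_network("10.10.0.0/16"),
}
WEB_DMZ, SQL_DMZ, ADMIN_INT = "192.0.2.10", "192.0.2.20", "10.10.5.7"
SQL_PORT = 1433  # assumed MS SQL default; moving it does not change this policy


@dataclass(frozen=True)
class Rule:
    src: str              # zone name or a single host address
    dst: str
    dport: Optional[int]  # None matches any destination port
    action: str           # "allow" or "deny"


def _matches(ip: str, spec: str) -> bool:
    """A spec is either a zone name (prefix match) or one host (exact match)."""
    if spec in ZONES:
        return ipaddress.ip_address(ip) in ZONES[spec]
    return ip == spec


# Policy mirroring the advice in the thread: the only paths into the SQL box
# are the web front end and internal users, each limited to the SQL port;
# the DMZ as a whole may not initiate connections to the internal network.
POLICY: List[Rule] = [
    Rule(WEB_DMZ, SQL_DMZ, SQL_PORT, "allow"),
    Rule("internal", SQL_DMZ, SQL_PORT, "allow"),
    Rule("dmz", "internal", None, "deny"),
]


def evaluate(policy: List[Rule], src_ip: str, dst_ip: str, dport: int) -> str:
    """First matching rule wins; a flow matching no rule is denied by default."""
    for r in policy:
        if _matches(src_ip, r.src) and _matches(dst_ip, r.dst) and r.dport in (None, dport):
            return r.action
    return "deny"


if __name__ == "__main__":
    for flow in [(WEB_DMZ, SQL_DMZ, SQL_PORT), (ADMIN_INT, SQL_DMZ, SQL_PORT),
                 (SQL_DMZ, ADMIN_INT, 445), (WEB_DMZ, SQL_DMZ, 3389)]:
        print(flow, "->", evaluate(POLICY, *flow))
```

The deny rule for DMZ-to-internal is redundant under default deny but is kept explicit, which is the form most audits expect to see.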
