I think the issue is putting your DATA in the DMZ. Basically, from my experience, you put stuff you can afford to lose because Internet resources hit on DMZ hosts all the time. If your web server gets compromised, you can format/reinstall it from scratch. No big deal. If your database server gets compromised, you potentially lose your data. That could be a big deal.
On Wed, May 18, 2011 at 9:15 AM, Juan Cortes <[email protected]> wrote:
> Thanks Michael.
>
> So let me get this straight. There shouldn't be any comms from my SQL server
> in the DMZ to my internal network... correct? Which I agree with.
> But comms to the SQL server in the DMZ from my internal network are OK? I am
> pushing to change the default port just for some comfort.
>
> Thanks in advance
>
> On Tue, May 17, 2011 at 3:34 PM, Michael Dickey <[email protected]> wrote:
>
>> One point of having a DMZ network is to isolate systems that accept
>> untrusted connections from those that do not. A front-end web server accepts
>> untrusted connections, but the SQL DB server does not; at least not
>> directly. So if you have some other way to isolate the communication between
>> those boxes so that one only talks to the other via something like a SQL
>> port, then I guess feel free.
>>
>> Otherwise, the easiest best practice is to just say SQL DBs in the DMZ is
>> a bad idea. If your web server gets popped, maybe even marginally, it could
>> open up easy attacks into your SQL box.
>>
>> Of course, this is a whole new discussion if:
>> - you're a small shop and/or might consider internal users as untrusted,
>>   but can't afford so many separate networks
>> - you consider SQL owned if your front-end web server is owned, which is a
>>   certain non-layered way to look at it
>>
>> On Tue, May 17, 2011 at 3:08 PM, Juan Cortes <[email protected]> wrote:
>>
>>> Hope all is well,
>>>
>>> Can anyone point to or recommend some resources for best practices for SQL
>>> DBs in the DMZ?
>>>
>>> Thanks
>>>
>>> --
>>> Juan C.
>
> --
> Juan C. Cortes
> 773-531-0637
> Chicago, Il 60632
>

--
Dan McGinn-Combs
[email protected]
Google Voice: +1 404 492 7532
Peachtree City, Georgia USA
_______________________________________________ Pauldotcom mailing list [email protected] http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
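Michael's point above about letting the web server reach the SQL box only over the SQL port, and Juan's question about which direction traffic may flow, as an added example that is not part of this thread: a small zone policy written in Python that answers accept/drop for a given flow and renders the same rules as an nftables forward chain for a firewall sitting between the Internet, the DMZ and the internal network. The addresses (RFC 5737/1918 ranges), the zone names, the host names WEB_SERVER/SQL_SERVER and the choice of TCP 1433 are assumptions made for illustration, not details from the thread; the policy filters on source, destination and port, so it works the same whichever port the database actually listens on.

```python
"""Zone-based firewall policy for a DMZ holding a web server and a SQL server.

Constructed example: the addressing, zone names and port 1433 are assumptions.
Default is drop; the only DMZ-to-internal traffic is none, the only path to the
SQL server is web->SQL and internal->SQL on the SQL port.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed addressing. Anything outside these two zones is treated as "internet".
ZONES = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "internal": ipaddress.ip_network("10.0.0.0/8"),
}
WEB_SERVER = "192.0.2.10"   # assumed DMZ host
SQL_SERVER = "192.0.2.20"   # assumed DMZ host
SQL_PORT = 1433             # assumed MSSQL default; use the port your DB listens on
HTTPS_PORT = 443


def zone_of(ip: str) -> str:
    """Most specific zone for an address; unknown space is untrusted."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src: str               # "any", a zone name, or a single host IP
    dst: str
    dport: Optional[int]   # None matches any TCP port
    action: str            # "accept" or "drop"

    @staticmethod
    def _sel_matches(selector: str, ip: str) -> bool:
        if selector == "any":
            return True
        if selector in ZONES:
            return zone_of(ip) == selector
        return ipaddress.ip_address(selector) == ipaddress.ip_address(ip)

    def matches(self, src: str, dst: str, dport: int) -> bool:
        return (self._sel_matches(self.src, src)
                and self._sel_matches(self.dst, dst)
                and (self.dport is None or self.dport == dport))


# First match wins; anything not listed falls through to the default drop.
POLICY = [
    Rule("any", WEB_SERVER, HTTPS_PORT, "accept"),      # untrusted clients hit the web tier only
    Rule(WEB_SERVER, SQL_SERVER, SQL_PORT, "accept"),   # web tier talks to SQL on the SQL port only
    Rule("internal", SQL_SERVER, SQL_PORT, "accept"),   # DBAs reach SQL from inside (the direction Juan asked about)
    Rule("dmz", "internal", None, "drop"),              # nothing in the DMZ initiates into the internal net
]


def evaluate(src: str, dst: str, dport: int) -> str:
    """Return the action the policy takes for a new TCP flow."""
    for rule in POLICY:
        if rule.matches(src, dst, dport):
            return rule.action
    return "drop"


def _nft_sel(selector: str) -> str:
    """Address prefix for an nft match; 'any' means no address match at all."""
    if selector == "any":
        return ""
    if selector in ZONES:
        return str(ZONES[selector])
    return f"{selector}/32"


def render_nftables() -> str:
    """Render POLICY as a stateful nftables forward chain with a drop policy."""
    lines = [
        "table inet dmz {",
        "    chain forward {",
        "        type filter hook forward priority 0; policy drop;",
        "        ct state established,related accept",   # replies to allowed flows
        "        ct state invalid drop",
    ]
    for r in POLICY:
        parts = []
        if (s := _nft_sel(r.src)):
            parts.append(f"ip saddr {s}")
        if (d := _nft_sel(r.dst)):
            parts.append(f"ip daddr {d}")
        if r.dport is not None:
            parts.append(f"tcp dport {r.dport}")
        parts.append(r.action)
        lines.append("        " + " ".join(parts))
    lines += ["    }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    for flow in [("203.0.113.5", SQL_SERVER, SQL_PORT),
                 (WEB_SERVER, SQL_SERVER, SQL_PORT),
                 (SQL_SERVER, "10.1.2.3", 445),
                 ("10.1.2.3", SQL_SERVER, SQL_PORT)]:
        print(f"{flow[0]:>15} -> {flow[1]}:{flow[2]}  {evaluate(*flow)}")
    print(render_nftables())
```

The explicit dmz-to-internal drop is redundant with the chain's drop policy; it is there so the intent survives when someone later adds a broader accept below it. A database listening on a non-default port changes only SQL_PORT, not which zones may reach it.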
