We are about to release a web application for our users, and are trying to figure out if others put their servers in a DMZ, or just keep it off the domain behind the firewall and greatly restrict access via firewall rules? Has anyone here found any cons to just restricting access via firewall rules and O/S perms?
Note that this site is an ASP.NET MVC front-end with SQL Server back-end.
Also - this is an HR/Finance application, and the database back-end contains our most valuable data. From a security perspective, I'd rather give the world root access to the intranet than allow access to the database server. As a result, my original plan was to skip using a DMZ and only open up port 443 on the firewall to the web server ... this seemed no worse than putting the db server on the DMZ with the web server.
Typically, the configuration is like this:
Then, the Firewall is configured to route between those subnets, and allow access according to the ACLs you define.
I usually do not use a DMZ, but only a firewall. The account that the IIS application pool is running on is already restricted.
What you're asking is: what's the best practice?
It doesn't matter where things are placed; it comes down to one thing, i.e. how you've secured it.
One firewall rule could open everything up, or close everything down. Maybe you need to look at it from a different perspective.
Do you trust your employees enough to have direct access to those servers without a firewall restricting access between them? The same goes for the Internet. If that's the case, put them both in a DMZ.
Personally I like them on the same subnet without a firewall between them because it ensures maximum performance. But if the web server was compromised, it leaves the DB server more open than if it was on the safe LAN side. Are there other services that need to be available on the DB server from the LAN side, like RDP? Depending on where it sits, you might have to open ports up from LAN to DMZ to allow access, etc.
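The host-firewall side of "restrict access via firewall rules" from the question and the LAN-side RDP point above, as an added example (not code from any poster here): a PowerShell script for a Windows Server 2012+ SQL Server host that blocks all inbound traffic by default, allows TCP 1433 only from the web server, and allows RDP only from an admin subnet. The addresses, port and rule names are constructed placeholders.

```powershell
# Added example: host firewall on the SQL Server box, limiting who can reach it.
# Assumes Windows Server 2012 or later (NetSecurity module). All addresses are placeholders.
$WebServer   = '10.0.10.5'        # the ASP.NET web server in front (placeholder)
$AdminSubnet = '10.0.20.0/24'     # where administrators' RDP sessions come from (placeholder)
$SqlPort     = 1433               # default SQL Server TCP port; change if the instance differs

# Deny everything inbound on every profile; only explicit Allow rules below get through.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

# Remove earlier copies of our rules so the script can be re-run safely.
Get-NetFirewallRule -DisplayName 'HRApp-*' -ErrorAction SilentlyContinue | Remove-NetFirewallRule

# SQL Server: only the web server may connect, and only on the SQL port.
New-NetFirewallRule -DisplayName 'HRApp-SQL-from-WebServer' -Direction Inbound `
    -Protocol TCP -LocalPort $SqlPort -RemoteAddress $WebServer -Action Allow -Profile Any

# RDP for administrators, from the admin subnet only (the LAN-to-DB access discussed above).
New-NetFirewallRule -DisplayName 'HRApp-RDP-from-Admins' -Direction Inbound `
    -Protocol TCP -LocalPort 3389 -RemoteAddress $AdminSubnet -Action Allow -Profile Any

# Verification: list every enabled inbound Allow rule with the addresses it is scoped to,
# so an overly broad rule (RemoteAddress = Any) stands out during review.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        $port = ($_ | Get-NetFirewallPortFilter).LocalPort
        [pscustomobject]@{ Rule = $_.DisplayName; Port = $port; From = $addr }
    } | Format-Table -AutoSize
```

The web server gets the mirror image of this: inbound TCP 443 allowed from any address at the perimeter, and nothing else reachable from the Internet.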
Golden Rule: If it can be reached from the Internet and there is no practical reason not to do so - put it in the DMZ. The idea being that if the machine is compromised it should not be possible to reach the internal network. In effect, it's kind of like a double firewall.