I'd like to host redundant internet accessible (NATed) web servers behind a f/w on the same standard ports. If I only have 1 publicly available address do I have to use a reverse proxy or load balancer? If I can get more public address space (and not NAT) do I have to subnet that space to make it routable?
Our network admins are adamant that it is insecure for our web servers, which are hosted in the DMZ, to access the DB server behind our firewall. To get round the problem, we access the data via web services or WCF. I feel that this is an unnecessary performance burden that could be eliminated if the web server could access the DB directly.
The reason I have been given is that if a hacker was able to log in to the web server they could then access the DB. Is it possible to open the ports only for IIS or is it not possible to be that specific? If we can lock it down to just IIS, could this be easily compromised by the hacker?
I've read various posts on the internet but I can't seem to find a definite answer.
Al
I'm looking at setting up a DMZ behind a Cisco ASA that will contain a large number of HTTP front-end load balancers and SSL offload services - over 100 IPs, concentrated on a smaller number of hosts.
In the past I've kept all the hosts on RFC1918 private IPs, and added static mappings (IP-by-IP) for each service I'd normally expose in a DMZ. This has gotten annoying as we've started adding additional DMZ IPs at a fast enough rate that it's becoming annoying setting each one up individually. I'd like to change it so that an entire DMZ subnet is set up to allow HTTP and HTTPS from outside --> dmz, so that the load balancers can just grab new IPs as necessary without updating the ASA configuration every time.
What I'm wondering now is whether it makes sense to have the DMZ be on a RFC1918 subnet and use a static NAT across the entire subnet, or whether I should just let the DMZ be my allocation of external IPs directly, and rely solely on access-lists and identity NAT/NAT exemption.
Some crude ASCII artwork:
Example using direct outside IP addresses:

    Internet ---> ASA ---> Internal (10.1.0.0/16)
                   |
                   +-----> DMZ (1.2.3.0/24)

Example using NATed IP addresses:

    Internet ---> ASA ---> Internal (10.1.0.0/16)
                   | (1.2.3.0/24)
                   +-----> DMZ (10.99.0.0/24)
The advantage I see for using the NATed address is portability - I don't need to renumber my internal DMZ if my upstream provider and allocation changes. The downside is complexity - now I have to deal with inside vs. outside IP addresses within my own network, etc. In your experience, which setup works better?
We currently have our web server in a DMZ. The web server cannot see anything within the internal network, but the internal network can see the web server. How safe would it be to punch a hole in the firewall between the DMZ and the internal network to only one web server in the intranet? We are working on something that will be interfacing with several of our back-office applications (which are all on one server) and it would be so much easier to do this project if we could communicate directly with the IBM i server holding this data (via web services).
From my understanding (and I don't know brands), we have one firewall for the DMZ with a different external IP from our primary IP with another firewall. Another firewall is between the web server and the intranet.
So something like:
    Web Server <==== Firewall ===== Intranet
        |                              |
        |                              |
    Firewall                        Firewall
        |                              |
        |                              |
    Internet IP1                   Internet IP2
This should be a very basic question and I tried to research it and couldn't find a solid answer.
Say you have a web server in the DMZ and a MSSQL server in the LAN. IMO, and what I've always assumed to be correct, is that the web server in the DMZ should be able to access the MSSQL server in the LAN (maybe you'd have to open a port in the firewall, that'd be ok IMO).
Our networking guys are now telling us that we can't have any access to the MSSQL server in the LAN from the DMZ. They say that anything in the DMZ should only be accessible FROM the LAN (and web), and that the DMZ should not have access TO the LAN, just as the web does not have access to the LAN.
So my question is, who is right? Should the DMZ have access to/from the LAN? Or, should access to the LAN from the DMZ be strictly forbidden? All this assumes a typical DMZ configuration.
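Both the IIS/DB question above and this MSSQL question come down to the same thing: what a single, narrowly scoped DMZ-to-LAN rule actually permits, and what a compromised DMZ host can still reach through it. The following is an added example, not code from any of the posters or from any firewall vendor: a small first-match, default-deny policy evaluator that models the three zones with constructed addresses (10.99.0.0/24 as DMZ, 10.1.0.0/16 as LAN, everything else as internet; the web server 10.99.0.10 and SQL host 10.1.5.20 are invented). The rules, zone names and the `lateral_reach` helper are assumptions chosen to illustrate the point, not any product's syntax.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed zone layout for the example (not taken from the questions above).
ZONES = {
    "dmz": [ip_network("10.99.0.0/24")],
    "lan": [ip_network("10.1.0.0/16")],
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    action: str                 # "allow" or "deny"
    src: Optional[object] = None   # ip_network; None = any host in src_zone
    dst: Optional[object] = None   # ip_network; None = any host in dst_zone
    dport: Optional[int] = None    # None = any destination port
    comment: str = ""


def zone_of(addr):
    """Map an address to a zone; anything not in a named zone is 'internet'."""
    ip = ip_address(addr)
    for name, nets in ZONES.items():
        if any(ip in net for net in nets):
            return name
    return "internet"


def evaluate(rules, src, dst, dport):
    """First matching rule wins; a flow no rule matches is denied."""
    s_ip, d_ip = ip_address(src), ip_address(dst)
    s_zone, d_zone = zone_of(src), zone_of(dst)
    for r in rules:
        if r.src_zone != s_zone or r.dst_zone != d_zone:
            continue
        if r.src is not None and s_ip not in r.src:
            continue
        if r.dst is not None and d_ip not in r.dst:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, r.comment
    return "deny", "implicit default deny"


# A "typical" DMZ policy with exactly one hole poked from DMZ to LAN:
# the web server alone, to the SQL host alone, on 1433 alone.
POLICY = [
    Rule("internet", "dmz", "allow", dst=ip_network("10.99.0.10/32"), dport=443,
         comment="public HTTPS to the web server"),
    Rule("lan", "dmz", "allow", comment="LAN may reach anything in the DMZ"),
    Rule("dmz", "lan", "allow", src=ip_network("10.99.0.10/32"),
         dst=ip_network("10.1.5.20/32"), dport=1433,
         comment="web server -> SQL server, TDS only"),
    Rule("dmz", "lan", "deny", comment="all other DMZ -> LAN traffic"),
]


def lateral_reach(rules, src, lan_hosts, ports):
    """(host, port) pairs a host at `src` could open connections to in the LAN.

    Run this for a DMZ address to see what an attacker who owns that box
    would still be able to initiate through the firewall.
    """
    return [(h, p) for h in lan_hosts for p in ports
            if evaluate(rules, src, h, p)[0] == "allow"]


if __name__ == "__main__":
    for flow in [("203.0.113.5", "10.99.0.10", 443),   # public user -> web
                 ("10.99.0.10", "10.1.5.20", 1433),    # web -> SQL
                 ("10.99.0.10", "10.1.5.20", 445),     # web -> SQL, SMB
                 ("10.99.0.11", "10.1.5.20", 1433)]:   # other DMZ host -> SQL
        print(flow, "->", evaluate(POLICY, *flow))
    print("reachable from a compromised web server:",
          lateral_reach(POLICY, "10.99.0.10",
                        ["10.1.5.20", "10.1.5.21"], [1433, 445, 3389]))
```

The evaluator makes the trade-off in both questions concrete. A network firewall matches on addresses and ports, not on which process sent the packet, so "only for IIS" at the perimeter really means "only from the web server's IP to the DB's IP on the DB port"; restricting by program is a host-firewall feature (Windows Firewall can scope an outbound rule to an executable), and it adds nothing once the host itself is compromised. With the policy above, `lateral_reach` shows that an attacker on the web server can still initiate exactly one thing into the LAN, the SQL port on one host, which is the residual risk the network admins are weighing against the latency of a web-service tier. A tier in between does not remove that path either; it narrows what can be asked of the database to the operations the service exposes, and the DB account the web server uses should be limited in the same spirit.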