14 posts • Page 1 of 1

Network topology

Post by KermitTheFragger » Mon Jun 20, 2005 8:49 am

I have a small question regarding a network topology with a DMZ and I was hoping one of you guys could help me out. This is the situation:

Yeah I know, my ASCII art is bad :)

Code:

The evil outside (aka Internet)
          |
          |
    Firewall----------DMZ (Public WWW)
          |
          |
      Inside
  (DB Server)

Now it's obvious that your public WWW and mail server reside in the DMZ. However, some web applications running on the public WWW server in the DMZ need to access a database server, which you do not want to place in the DMZ (which would make it too vulnerable to attack). So you need to access the internal DB server from the DMZ.

My question is: What is the best way to accomplish this? I guess this is a pretty standard problem, so there must be some standard solution for it. I just couldn't find it.

A few solutions I came up with are:
1) Punching a small hole in your firewall, allowing the DMZ server to selectively talk to an internal DB server.
2) Physically connect the two servers with a second ethernet card (really bad idea, I know, but I was just brainstorming :) )

TIA
Post by nevynxxx » Mon Jun 20, 2005 9:54 am

Usually you would open the ports on the firewall for the server in the DMZ to access the database.

Depending on what sort of access you require I would also only allow that server to connect to the database in a read only fashion.

Note I wouldn't let the whole DMZ have access either, just the specific server.
Post by think4urs11 » Mon Jun 20, 2005 10:22 am

Another possible way to go would be to

a) move the webserver from DMZ -> internal
b) install a reverse proxy in DMZ
c) adopt fw rules so that http(s) DMZ -> internal is allowed

HTH
T.
Post by Lajasha » Mon Jun 20, 2005 4:46 pm

Hrm well I'm kinda lost here as to what the problem is.

Your setup is as such:

Code:

        Internet
             |
             |
             |
         Router
        (Firewall)
             |
        ---------------------
        |                   |
        |                   |
      WWW              DB Server
    (DMZ'ed)

If this is the case then the webserver would have no problem talking to the DB as it is on the same network, and as such they would have free access to each other. The firewall would have no effect as the database connections are happening behind it and not crossing it.

Hope this makes sense to you.
Post by bigfunkymo » Mon Jun 20, 2005 7:09 pm

VPN!
Post by Lajasha » Mon Jun 20, 2005 7:17 pm

Why would you VPN into your own network that you are already on?
Post by think4urs11 » Mon Jun 20, 2005 8:08 pm

@malatek: I think the OP has a firewall box with three interfaces, one as dedicated DMZ, so the traffic will pass the firewall.

VPN internally can be needed if you need to have complete privacy for the complete traffic. Think about network sniffers and the like.
Post by christsong84 » Mon Jun 20, 2005 8:55 pm

Another way would be to install a spare NIC into the DB server and the Web server and give them a direct line between them? :P
Post by think4urs11 » Mon Jun 20, 2005 9:16 pm

christsong84 wrote: Another way would be to install a spare NIC into the DB server and the Web server and give them a direct line between them? :P

and thereby have a direct non-firewalled connection between a DMZ host and an internal host? Very bad idea...
Post by KermitTheFragger » Tue Jun 21, 2005 8:02 am

Thanks for all the responses.

Sorry if I wasn't clear enough, I'll try to clarify:

The Firewall has three interfaces: Outside, DMZ, Inside.

Code:

The evil outside (aka Internet)
          |
          |
    Firewall----------DMZ (Public WWW)
          |
          |
      Inside
  (DB Server)

The inside interface is shielded from the DMZ, so there is no way you can reach the inside network from the internet and the DMZ; this is good. As we can see, the database server is located in the inside network, because it contains all kinds of sensitive data (entire ERP) which you do not want to be exposed to the internet if the server is ever h4><0r3d :). But the WWW server needs some info from the DB server, prices etc.

I guess this is a pretty common problem.
Post by think4urs11 » Tue Jun 21, 2005 9:01 am

As I said before, plus additions:

a) add a 4th NIC in firewall
b) move the webserver from 'external' DMZ -> 'internal' DMZ
c) install a reverse proxy in 'external' DMZ
d) move DB server (and maybe some others too) -> 'internal' DMZ
e) adopt fw rules so that http(s) 'external' DMZ -> 'internal' DMZ is allowed; adopt rules so that needed access from 'LAN' -> 'internal' DMZ is possible
f) use non-routable (RFC1918) addresses everywhere besides external interface
g) don't do NAT so none of the servers/clients can get out directly
h) ...

Depends on your personal level of paranoia (e.g. partial copy of DB server with just needed info on another machine)
Post by KermitTheFragger » Tue Jun 21, 2005 9:45 am

Think4UrS11 wrote: As I said before, plus additions:

a) add a 4th NIC in firewall
b) move the webserver from 'external' DMZ -> 'internal' DMZ
c) install a reverse proxy in 'external' DMZ
d) move DB server (and maybe some others too) -> 'internal' DMZ
e) adopt fw rules so that http(s) 'external' DMZ -> 'internal' DMZ is allowed; adopt rules so that needed access from 'LAN' -> 'internal' DMZ is possible
f) use non-routable (RFC1918) addresses everywhere besides external interface
g) don't do NAT so none of the servers/clients can get out directly
h) ...

Option A would be the nicest I think, but for simplicity's sake, I'll go for options D and E for now.

Think4UrS11 wrote: Depends on your personal level of paranoia (e.g. partial copy of DB server with just needed info on another machine)

Are you trying to kill me? Yes I think you are, I can see it clearly now :D

I don't think a partial copy of the DB server is practical, you need to sync it, etc, etc.
Post by sedorox » Wed Jun 22, 2005 3:29 pm

I think the best way to do this would be to add a NIC to the DB and Web server, and assign them an unused RFC1918 address (so if you're using 10.x, use 172.17/16). Then just point the access over that; since the firewall doesn't know about it, it's direct between the two. The other option is (I'm assuming it's a Linux/BSD firewall since you have several ports, or a PIX or something) just to add a firewall rule to allow the one port from the DMZ to the internal, but not from external to internal.
Post by nevynxxx » Thu Jun 23, 2005 12:27 pm

sedorox wrote: I think the best way to do this would be to add a NIC to the DB and Web server, and assign them an unused RFC1918 address (so if you're using 10.x, use 172.17/16). Then just point the access over that; since the firewall doesn't know about it, it's direct between the two. The other option is (I'm assuming it's a Linux/BSD firewall since you have several ports, or a PIX or something) just to add a firewall rule to allow the one port from the DMZ to the internal, but not from external to internal.

The problem with the direct link being, if they compromise the DMZ machine, they have non-firewalled access to the internal network.

Hence the posts above saying do not do this!

The other simple way as you say is to allow the port the web server needs to connect to the database through the firewall to/from the DMZ only.

At the same time, making access from that IP read only if possible.
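The firewall-rule approach the thread settles on, written out as an added example (not posted by anyone in the thread): FORWARD rules for a three-legged Linux firewall that let only the one DMZ web host reach the one DB port on the inside, and nothing from the outside reach the inside at all. Interface names, the RFC1918 addresses and the DB port (PostgreSQL's 5432) are assumptions, constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): FORWARD rules for a three-legged
# Linux firewall. Only the DMZ web host may open connections to the inside
# DB port; the rest of the DMZ and everything outside is denied and logged.
# Interface names, addresses (RFC1918, constructed) and the DB port are
# assumptions; adjust them to your own network.
OUT_IF=eth0            # the evil outside (Internet)
DMZ_IF=eth1            # DMZ segment
IN_IF=eth2             # inside segment
WWW=192.168.100.10     # public web server in the DMZ (constructed)
DB=10.0.0.20           # database server on the inside (constructed)
DB_PORT=5432           # assumed DB listener port

# Emit the ruleset as iptables commands, one per line.
build_rules() {
    cat <<EOF
iptables -F FORWARD
iptables -P FORWARD DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
iptables -A FORWARD -i $OUT_IF -o $DMZ_IF -d $WWW -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -i $DMZ_IF -o $IN_IF -s $WWW -d $DB -p tcp --dport $DB_PORT -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -i $DMZ_IF -o $IN_IF -j LOG --log-prefix "DMZ->INSIDE DENY: "
iptables -A FORWARD -i $OUT_IF -o $IN_IF -j LOG --log-prefix "OUT->INSIDE DENY: "
EOF
}

# Policy checks: exactly one DMZ->inside ACCEPT (pinned to the web host and
# the DB port, not the whole DMZ) and no outside->inside ACCEPT at all.
dmz_to_inside_accepts() {
    build_rules | grep -c -- "-i $DMZ_IF -o $IN_IF .* -j ACCEPT" || true
}
outside_to_inside_accepts() {
    build_rules | grep -c -- "-i $OUT_IF -o $IN_IF .* -j ACCEPT" || true
}

# No argument: print the rules for review. "apply" (as root): load them.
case "${1:-}" in
    apply) build_rules | sh -e ;;
    *)     build_rules ;;
esac
```

The two LOG rules are the detection half of the design: a compromised web host probing anything on the inside other than the DB port shows up in the kernel log with the "DMZ->INSIDE DENY" prefix.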
© 2001–2026 Gentoo Foundation, Inc.