DMZ/Firewall question in professional environment

cpals

Diamond Member
Mar 5, 2001
4,494
0
76
I was hired as a entry level network person with no experience, but am learning as I go so please bear with me. :)

Our company currently as an internal SQL server that is replicated to a server in the DMZ and then web requests for this data is against the DMZ SQL data and not the live server. This was put into place due to security concerns a long time ago, but now they want to change this.

My boss asked me how banks and other sensitive companies host live data on their websites without concern for security risks. I don't know what banks do since I've never worked at one, but I was wondering if anyone could tell me how they do it at their company?

Here is the proposed plan for our company:

Internet --> DMZ --> Web Server --> INTERNAL --> SQL Server

They want to get rid of the replication and punch holes in the internal firewall for the SQL port and have web users be able to get queries run on live data.

Any opinions?

Oh yeah, we're running a Cisco Pix as our firewall and there are already some things that myself as a noob see wrong with it so hopefully I can get that part cleaned up.

Thanks.
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
It's normally done with the DB server in the DMZ. You try to eliminate as much as possible connections from the DMZ into the internal LAN.

Or more frequently, there is a separate DMZ called the database layer the holds all the DB servers. That way you can really lock down who talks to what. Or if you get really involved you have internal and external DMZs surrounded by two firewalls.

I would never have a web server making calls to an internal server.
 

cpals

Diamond Member
Mar 5, 2001
4,494
0
76
Originally posted by: spidey07
It's normally done with the DB server in the DMZ. You try to eliminate as much as possible connections from the DMZ into the internal LAN.

Or more frequently, there is a separate DMZ called the database layer the holds all the DB servers. That way you can really lock down who talks to what. Or if you get really involved you have internal and external DMZs surrounded by two firewalls.

I would never have a web server making calls to an internal server.

That's what I keep thinking, but nobody is really listening to me since I'm not experienced.

Is there any kind of documentation for this type of problem on the internet that I can research and give back to them? I can't seem to find much.

Also, the DB servers have extremely sensitive information (gov't data) and are connected to many other areas on our network.
 

skyking

Lifer
Nov 21, 2001
22,472
5,505
146
Originally posted by: cpals
Originally posted by: spidey07
It's normally done with the DB server in the DMZ. You try to eliminate as much as possible connections from the DMZ into the internal LAN.

Or more frequently, there is a separate DMZ called the database layer the holds all the DB servers. That way you can really lock down who talks to what. Or if you get really involved you have internal and external DMZs surrounded by two firewalls.

I would never have a web server making calls to an internal server.

That's what I keep thinking, but nobody is really listening to me since I'm not experienced.

Is there any kind of documentation for this type of problem on the internet that I can research and give back to them? I can't seem to find much.

Also, the DB servers have extremely sensitive information (gov't data) and are connected to many other areas on our network.

Your supervisor is playing with fire, and you are the match.

My boss asked me how banks and other sensitive companies host live data on their websites without concern for security risks.
By hiring experienced professionals who do nothing but security for those kinds of servers, and not much else. They live, breathe, walk and talk it. There are a couple of those guys here, but I won't name names. They might stop by and put in a couple of cents worth.
The bottom line is, don't make any change to the network at the whim of your boss without getting some professional consultation. It sounds like the data in the SQL server is very valuable and volatile if lost or compromised.
 

cpals

Diamond Member
Mar 5, 2001
4,494
0
76
Originally posted by: spidey07
It's normally done with the DB server in the DMZ. You try to eliminate as much as possible connections from the DMZ into the internal LAN.

Or more frequently, there is a separate DMZ called the database layer the holds all the DB servers. That way you can really lock down who talks to what. Or if you get really involved you have internal and external DMZs surrounded by two firewalls.

I would never have a web server making calls to an internal server.

I just spoke with our Embarq tech and that is exactly what he suggested a lot of companies do. Create two DMZs and have the database servers in one and the web internet web servers on the other. The specific IPs and ports will be open between the two DMZ and only a specific port on the inside network will be able to manage the database servers (for the DB Admins) and all other inside traffic will be blocked from accessing the DB DMZ since he also said most of the security breachs to databases and such are from the inside.

He also was using language that went above my head (layer 3, create the vlan but not the interface for the vlan - no IP?) and I was just wondering if there are any good resources to start learning this stuff? It really interests me and I'd like to learn it not only for my job but because it's fun.
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
In all honesty, if this is sensitive information you really want to get a pro to do it for you.
 

cpals

Diamond Member
Mar 5, 2001
4,494
0
76
Originally posted by: spidey07
In all honesty, if this is sensitive information you really want to get a pro to do it for you.

It's for a law enforcement agency and while most of the information is public info, some of it needs to be kept private.

I'm still going to try and get a rough gameplan to follow to show my boss and then most likely if they approve, we'll be getting Embarq (they maintain all our Cisco equipment) to configure them.
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
Read this in it's entirety if you are really wanting to do this yourself.

http://www.cisco.com/application/pdf/en.../c649/ccmigration_09186a008014ee4e.pdf

The design, requirements gathering, planning and analysis is what the pros should be doing. That's the hard part. Configuring the gear is the easy part.

You'll need to understand every single application, traffic flow and path.
you'll need to develop a security policy
you'll have to think 5 years out
What threats are you trying to mitigate and at what level/layer?

There is so much more to this stuff than what you're making it out to be. Not trying to scare you, but there really is a lot of indepth work/due dilligence that needs to be done involving more than just IT. It takes years of experience and training to know how to do that and make good decisions.