3

If I had two firewalls, I could put a web server within a DMZ and then with the second firewall restrict the access to the DB server.

However, If I only have one firewall, how could I accomplish this? Because if I use the following scheme the web server would have full access to the DB server, right?

 Internet -- Router -- Firewall -- Switch -- DB
                                     |
                                    Web
The Illusive Man
  • 10,487
  • 16
  • 56
  • 88
  • 1
    You may check the answers already provided in the page [link](http://security.stackexchange.com/questions/4968/what-is-best-practice-for-separation-of-trusted-zones-from-a-dmz-with-a-single-f?rq=1), ie putting the firewall in place of the switch on your diagram so it can control all flows between Internet, the Web server and the database server. – WhiteWinterWolf Nov 06 '13 at 16:32

2 Answers2

4

My base assumption is that your DB server does not need to be accessible from the Internet but the Web server does. If that assumption is invalid then adjust the rest as makes sense.

At minimum your firewall should be configured to limit outside traffic from your DB server. Modern firewalls are stateful, meaning they will detect outgoing communication from the devices inside and permit the return traffic. This will allow to you implement a blanket deny to your DB. You should also draw out a traffic profile of your DB server for internal communication. What kinds of access does it need? Do you use SSH or RDP to manage the box? Is the web server the only system that needs to hit the database port directly? What kind of monitoring are you doing? Does snmpd need to be open, are you using Grid (for Oracle) or MySQL Workbench to manage the database? Think about all of these and fill out the following table:

| Source Address | Port | Protocol | Purpose |
| -------------- | ---- | -------- | ------- |
| 192.168.1.1    | 3306 | TCP      | MySQL DB connection |

Once you have mapped out all the data connections use them to build our the host firewall on your DB server.

Depending on the technical capabilities of your network gear some data restrictions can be enforced on the switch itself. What's available and how to do it will be dependent on the vendor, model software revision, etc. You'll probably need your network engineer to research this one for you.

Scott Pack
  • 15,167
  • 5
  • 61
  • 91
  • Yes, the web server needs to access the DB server. What I understand by your answer and GZBK's comment, is that the switch isn't doing anything here, is it? – The Illusive Man Nov 06 '13 at 17:10
  • @yzT: Everything until my last paragraph assumes the switch is a simple frame pusher. In truth, it depends on the switch. – Scott Pack Nov 06 '13 at 17:13
  • I think the problem is that I have never worked with enterprise devices, and now my boss suddenly want me to design and implement all his infrastructure lol (both network design and servers configuration). Can I connect devices to a firewall and they be able to communicate to each other? I thought a router or switch was needed for this purpose. – The Illusive Man Nov 06 '13 at 17:29
3

Modern firewalls almost always come with more than two interfaces. A Fortigate 40c, for instance, one of the cheapest enterprise-class security appliances on the market, meant for SOHO applications, comes with 7! (Five of them can be configured into a switch... it actually comes configured like this from the factory! You can re-conf it into standalone interfaces, tho.)

Each interface can be firewalled from the others - you control what kind of traffic, and from whom, can traverse from one interface to the other. That's the firewall's job. More, most modern firewalls also do a credible job as a router... you can set up separate networks for your DMZ and your database server, and route between them, while filtering traffic.

So the answer is, buy a firewall based on the expected traffic load, and dedicate one port to the internet, one port to the DMZ, and one port to your DB server, set up your firewall policy and routing to control traffic between them.

It may be tempting to try to separate out the traffic using VLANs on the switch, but this is a bad idea if it's your security strategy - there are ways to traverse VLANs.

RI Swamp Yankee
  • 3,471
  • 2
  • 13
  • 9
  • So I wouldn't need a router either if I use that kind of firewall? – The Illusive Man Nov 06 '13 at 20:20
  • @yzT - It depends, but for most applications, the firewall is all you need. The dinky little Fortigate referenced above can handle OSPF and BGP, and some fancy policy-based routing as well. A Juniper SRX security appliance is basically their J-series router in forwarding mode. Ancient firewalls of yore had just the two interfaces and didn't do routing, but the industry has long since moved on. – RI Swamp Yankee Nov 06 '13 at 20:29