13

This should be a very basic question and I tried to research it and couldn't find a solid answer.

Say you have a web server in the DMZ and a MSSQL server in the LAN. IMO, and what I've always assumed to be correct, is that the web server in the DMZ should be able to access the MSSQL server in the LAN (maybe you'd have to open a port in the firewall, that'd be ok IMO).

Our networking guys are now telling us that we can't have any access to the MSSQL server in the LAN from the DMZ. They say that anything in the DMZ should only be accessible FROM the LAN (and web), and that the DMZ should not have access TO the LAN, just as the web does not have access to the LAN.

So my question is, who is right? Should the DMZ have access to/from the LAN? Or, should access to the LAN from the DMZ be strictly forbidden. All this assumes a typical DMZ configuration.

Allen

4 Answers

14

Proper network security states that DMZ servers shouldn't have any access into the 'Trusted' network. The Trusted network can get to the DMZ, but not the other way around. For DB backed web-servers like yours this can be a problem, which is why database servers end up in DMZs. Just because it is in a DMZ doesn't mean it HAS to have public access, your external firewall can still prevent all access to it. However, the DB server itself doesn't have access to inside the network.

For MSSQL servers, you probably need a 2nd DMZ due to the need to talk to AD DCs as part of its normal functioning (unless you're using SQL accounts rather than domain-integrated, at which point this is moot). That second DMZ would be home to Windows servers that need public access of some kind, even if it is proxied through a web-server first. Network Security people get squinty when they consider domained machines experiencing public access getting access to DCs, which can be a hard sell. However, Microsoft doesn't leave much choice in this matter.

sysadmin1138
  • @Allen - we don't know what your networking guys are saying. @Sysadmin1138 is telling you a good design. – mfinni Mar 24 '10 at 18:19
  • Yah, I understand what he's saying. I think I've been told in the past that our MSSQL was on the LAN when it was really in another DMZ as he describes – Allen Mar 24 '10 at 18:27
  • How does this fit in with PCI compliance, which mandates that the Database Server NOT reside in the DMZ? That's the issue I'm dealing with, allowing webservers on the DMZ access to the SQL server that needs to be on either the LAN or another DMZ... – I.T. Support Sep 30 '10 at 21:08
  • @I.T. Support that's sometimes solved by adding another DMZ layer. Layer1 is your webfarm, layer2 is your DB farm. Both layers are firewalled from any other layer. – sysadmin1138 Sep 30 '10 at 21:50
4

I'm with your networking guys, in theory. Any other arrangement means that when somebody compromises the web server they have a door into your LAN.

Of course, reality has to play a part - if you need live data accessible from both the DMZ and the LAN then you really have few options. I'd probably suggest that a good compromise would be a "dirty" internal subnet that servers like the MSSQL server could live in. That subnet would be accessible from both the DMZ and the LAN but firewalled off from being able to initiate connections to either the LAN or the DMZ.

Cry Havok
  • This is what we do. The public webservers are in a DMZ. The DB servers that they make queries to are in *another* DMZ. Neither of those can make connections to the corporate network, although the corporate network can make connections to them. – mfinni Mar 24 '10 at 17:39
  • Really? (asking, not sarcastic) Doesn't it just mean they have a way to reach ONE of your SQL servers (or instances)? Which is a door into the LAN, but a pretty narrow one. You'd then need to compromise that exact service on that server to crack the door open. A very narrow door I'd think. Putting the servers in a 2nd DMZ still allows anyone compromising the IIS access to the data in that SQL. – Gomibushi Aug 27 '12 at 07:30
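The following is an added example, not code from any poster in this thread: a small Python model of the stateful, default-deny zone policy that sysadmin1138's and Cry Havok's answers assume. It compares the question's single-DMZ layout (a firewall exception from the DMZ into the LAN) with the two-tier layout that sysadmin1138 and mfinni describe, which is also what Cry Havok's "dirty" subnet amounts to. The `exposure()` helper answers the "door into your LAN" question directly: given a compromised web server, which zones and ports can it open connections to next? Zone names, the rule sets and the use of port 1433 (the default MSSQL listener) are assumptions chosen for illustration.

```python
"""Zone-policy model for the DMZ layouts discussed in the answers.

Constructed example: the zone names, the port numbers and the rule sets
are assumptions chosen to illustrate the designs, not configuration
taken from anyone's network.
"""
from dataclasses import dataclass
from typing import Iterable, Optional, Set, Tuple


@dataclass(frozen=True)
class Rule:
    """Permits connections *initiated* from zone `src` into zone `dst`."""
    src: str
    dst: str
    port: Optional[int]  # destination TCP port, or None for any port

    def matches(self, src: str, dst: str, port: int) -> bool:
        return self.src == src and self.dst == dst and self.port in (None, port)


class Policy:
    """A stateful, default-deny firewall between zones.

    Only the initiating direction is evaluated: reply packets of an
    allowed connection ride on the state table, so LAN -> DMZ access
    does not imply that the DMZ can open connections back into the LAN.
    """

    def __init__(self, rules: Iterable[Rule]) -> None:
        self.rules = list(rules)

    def allows(self, src: str, dst: str, port: int) -> bool:
        if src == dst:
            return True  # traffic inside one zone is not filtered here
        return any(r.matches(src, dst, port) for r in self.rules)

    def exposure(self, compromised: str) -> Set[Tuple[str, Optional[int]]]:
        """Every (zone, port) an attacker holding `compromised` can connect to.

        This is the 'door into your LAN' question from Cry Havok's answer:
        what does a compromised web server get to talk to next?
        """
        return {(r.dst, r.port) for r in self.rules if r.src == compromised}


MSSQL = 1433  # default MSSQL listener port (assumed for the example)
HTTPS = 443

# Layout A: the question's assumption. One DMZ, and a firewall exception
# letting the DMZ web server reach the MSSQL server on the LAN.
single_dmz = Policy([
    Rule("INTERNET", "DMZ", HTTPS),
    Rule("LAN", "DMZ", None),
    Rule("DMZ", "LAN", MSSQL),  # the hole the networking guys object to
])

# Layout B: the two-tier design from sysadmin1138 and mfinni (equivalent
# to Cry Havok's "dirty" subnet). The DB servers live in their own DMZ,
# reachable from the web DMZ and the LAN, but able to initiate nothing.
# A domain-joined MSSQL host would additionally need rules toward the AD
# DCs, which is exactly the hard sell sysadmin1138 mentions; not modelled.
two_tier = Policy([
    Rule("INTERNET", "WEB_DMZ", HTTPS),
    Rule("LAN", "WEB_DMZ", None),
    Rule("LAN", "DB_DMZ", None),
    Rule("WEB_DMZ", "DB_DMZ", MSSQL),
])


def compare_web_server_compromise() -> dict:
    """Exposure from a compromised web server (and DB server) under each layout."""
    return {
        "single_dmz": single_dmz.exposure("DMZ"),
        "two_tier": two_tier.exposure("WEB_DMZ"),
        "two_tier_db": two_tier.exposure("DB_DMZ"),
    }


if __name__ == "__main__":
    for name, reach in compare_web_server_compromise().items():
        print(f"{name:12s} -> {sorted(reach, key=str) or 'nothing'}")
```

Running it shows the difference the answers are arguing about: in the single-DMZ layout a compromised web server can open connections to the LAN on port 1433, while in the two-tier layout it reaches only the DB DMZ on 1433 and the DB DMZ itself can initiate nothing. David Mackintosh's point (only SQL connections through the firewall) corresponds to the port restriction on the `DMZ -> LAN` rule; the model makes explicit that this still leaves a LAN foothold, just a narrow one, as Gomibushi's comment notes.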
1

If all you are letting through the firewall are SQL connections from the DMZ server to the MS-SQL server, then it shouldn't be an issue.

David Mackintosh
-1

I'm posting my answer because I want to see how it's voted...

The web server in the DMZ should be able to access the MSSQL server in the LAN. If it can't, how do you propose to get access to a MSSQL server in the LAN? You couldn't!

Allen