Our network admins are adamant that it is insecure for our web servers, which are hosted in the DMZ, to access the DB server behind our firewall. To get round the problem, we access the data via web services or WCF. I feel that this is an unnecessary performance burden that could be eliminated if the web server could access the DB directly.
The reason I have been given is that if a hacker was able to log in to the web server they could then access the DB. Is it possible to open the ports only for IIS or is it not possible to be that specific? If we can lock it down to just IIS, could this be easily compromised by the hacker?
I've read various posts on the internet but I can't seem to find a definite answer.
Al