securing a database from DMZ traffic

We are in the process of creating a DMZ for our web servers. Currently
our web servers have sit on our internal network. Moving the web
servers to a DMZ is the easy part, but what I am not sure about is how
to secure our database. I do not want it to sit the database on the
DMZ, but I also do not want to allow my DMZ to access the internal
network to hit the database. Does any one have a suggestion that i can
lookinto.
We have a Cisco ASA5510 firewall and muliple Cisco 3560g switches. Any
suggestions would be appreciated

Thanks
CR

Re: securing a database from DMZ traffic

In article <1184938705.421349.96740@n60g2000hse.googlegroups.com>,
crussell18@gmail.com says...
> We are in the process of creating a DMZ for our web servers. Currently
> our web servers have sit on our internal network. Moving the web
> servers to a DMZ is the easy part, but what I am not sure about is how
> to secure our database. I do not want it to sit the database on the
> DMZ, but I also do not want to allow my DMZ to access the internal
> network to hit the database. Does any one have a suggestion that i can
> lookinto.
> We have a Cisco ASA5510 firewall and muliple Cisco 3560g switches. Any
> suggestions would be appreciated

A typical database/web layout has the database servers in the LAN with
the Web Servers in the DMZ. You open the port(s) needed for database
communications between the Web Servers and the Database servers through
the firewall DMZ>LAN, and only to those IP/Ports. You do not use Windows
Authentication in your database/web application, you would use SQL
Authentication.

If you network is based on Microsoft platforms you want to make sure
that your web servers are NOT part of your active directory structure
and that you only open the Database communication ports from the web
servers to them.

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)

Re: securing a database from DMZ traffic

crussell18@gmail.com schrieb:
> We are in the process of creating a DMZ for our web servers. Currently
> our web servers have sit on our internal network. Moving the web
> servers to a DMZ is the easy part, but what I am not sure about is how
> to secure our database. I do not want it to sit the database on the
> DMZ, but I also do not want to allow my DMZ to access the internal
> network to hit the database. Does any one have a suggestion that i can
> lookinto.
> We have a Cisco ASA5510 firewall and muliple Cisco 3560g switches. Any
> suggestions would be appreciated
>
> Thanks
> CR
>
Hi,
Access from the DMZ to the internal Lan should never be directly allowed.
I recommend to create 4 security levels on the ASA:
0= outside
30= DMZ
60= Database
100= inside

30 and 60 shall be on different physical interfaces of the ASA, but if
you have only 3 interfaces you can also use VLANs for DMZ and Database;
or upgrade your ASA. Then create the corresponding rules.

bye

Christoph