> 1) Should the SQL Server be behind the firewall? The answer
> seems to me to be yes - if so, what port do I have to open
> to allow communication between the Web/CF Server and the
> SQL Server so that they can still talk to each other. Our
> intranet (LAN users) and website (WAN) users need to access
> the same database.
As several other people have already noted, your database should be behind the firewall, and you'll need to open port 1433 to the database server from the CF server. I'd like to add a couple of things to this, though. First, if possible, you should limit your CF applications to using stored procedures, and limit the rights of the accounts used by CF datasources as much as you can. Second, you should prevent outbound traffic from your database server through the firewall. That way, if you are vulnerable to SQL injection attacks, the attacker won't be able to use the FTP client or anything like that to put files onto, or push files from, your database server.

> 2) For servers in the DMZ, is there any rational reason for
> them to be in the domain? Wouldn't it be more secure to keep
> those machines as standalone (non-domain) machines so that
> if they are compromised, all domain machines are still behind
> the firewall? The only benefit I can see to keeping them in
> the domain is group policy.

I think you'd be better off if the DMZ servers aren't part of your internal domain. If you did make them part of the internal domain, you might as well not put them in the DMZ, I think.

> 3) For those running DNS servers in house, is it customary
> for you to actually have a dedicated DNS machine? Or do you,
> as we currently do, use a server for dual purpose (maybe it
> would be an FTP Server and a DNS Server). Also, are there
> any "plug and play" DNS "network appliances" available that
> wouldn't require a $1000+ license of Windows 2000 server?

DNS generally doesn't require a lot of resources or bandwidth; many firewalls allow you to run DNS on the firewall itself. You should be able to put a DNS service on an existing server. I don't know about DNS "appliances", but I'd recommend that you look at putting together a Linux or BSD server for DNS, if you do want a dedicated server.
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444

______________________________________________________________________
Signup for the Fusion Authority news alert and keep up with the latest news in ColdFusion and related topics. http://www.fusionauthority.com/signup.cfm
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
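The "stored procedures plus a tightly limited datasource account" advice in the reply above, worked through as an added T-SQL example (this is not code from the original post or from Fig Leaf Software). It assumes a hypothetical database AppDb, a login cf_app_login, a user cf_app_user and a role cf_app_exec, all placeholder names; the syntax is for SQL Server 2005 and later, not the SQL Server 2000 of the original thread. The point it shows is that the CF datasource account can call one procedure and nothing else, so an injected query that escapes the procedure has no tables it can read or write:

```sql
-- Added example (not from the original post): a least-privilege SQL Server
-- account for a ColdFusion datasource. AppDb, cf_app_login, cf_app_user,
-- cf_app_exec, dbo.Customer and dbo.GetCustomerByEmail are placeholder
-- names. Syntax is SQL Server 2005+.
USE AppDb;
GO

-- Table the application needs. The datasource account never touches it directly.
CREATE TABLE dbo.Customer (
    CustomerId INT IDENTITY(1,1) PRIMARY KEY,
    Email      NVARCHAR(256) NOT NULL
);
GO

-- The only path from the web tier to customer data: a parameterized procedure.
-- Because the proc and the table share an owner (dbo), ownership chaining lets
-- the proc read the table without the caller needing table permissions.
CREATE PROCEDURE dbo.GetCustomerByEmail
    @Email NVARCHAR(256)
AS
BEGIN
    SET NOCOUNT ON;
    SELECT CustomerId, Email
    FROM   dbo.Customer
    WHERE  Email = @Email;
END;
GO

-- Dedicated login and database user for the CF datasource. Do not use sa.
-- Replace the placeholder with a long random password stored in the CF
-- datasource configuration, not in source control.
CREATE LOGIN cf_app_login
    WITH PASSWORD = N'<strong-password-placeholder>', CHECK_POLICY = ON;
CREATE USER cf_app_user FOR LOGIN cf_app_login;
GO

-- A role that can only execute the one procedure.
CREATE ROLE cf_app_exec;
GRANT EXECUTE ON OBJECT::dbo.GetCustomerByEmail TO cf_app_exec;
EXEC sp_addrolemember N'cf_app_exec', N'cf_app_user';

-- Explicit DENY on the table. This does not break the procedure (ownership
-- chaining skips the table check), but it blocks any direct query that an
-- injection attack manages to run as the datasource account.
DENY SELECT, INSERT, UPDATE, DELETE ON dbo.Customer TO cf_app_exec;
GO

-- Check the result by impersonating the datasource user.
EXECUTE AS USER = N'cf_app_user';
EXEC dbo.GetCustomerByEmail @Email = N'someone@example.com';   -- succeeds
GO
-- The direct query below fails with "The SELECT permission was denied"
-- (error 229) when run as cf_app_user:
SELECT * FROM dbo.Customer;
GO
REVERT;
GO
```

The role is deliberately granted EXECUTE on the specific object rather than on the schema, so each new procedure the application needs is an explicit, reviewable grant. Combined with the firewall rule the reply recommends (no outbound traffic from the database server), this limits what an injection flaw in the CF tier can reach both inside the database and beyond it.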