When I've done this in the past and it was a limited need, I simply set up a
separate, private network between the two boxes. Why bother punching
through the firewall when hooking up a hub and two NICs does the trick?
Now that will only work if the boxes are physically adjacent and you can
isolate the backend somewhat...
i.e., this:
'net ---- firewall ----------------------------- intranet
             |                                      |
            DMZ                                 firewall2
             |                                      |
             |---webserver =============== sql
But configuring firewall2 is a lot easier - basically allow to the sql
server the required intranet connections and NOTHING out except the replies.
If you're really concerned, put a 3rd firewall on the private (====)
network, and allow only sql traffic from the web server plus the replies.
firewall2 and firewall3 can be pretty simple, low-rent Linux boxes w/
iptables scripts - quite apart from whatever the main firewall (big iron)
is.
-----Burton
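As an added illustration (not Burton's script and not part of the original thread), here is the kind of iptables script firewall3 could run: default-deny forwarding, the single web -> sql rule, and state tracking so only the replies come back. The addresses, the SQL port 1433 and the iptables path are assumptions; set them for your own network.

```shell
#!/bin/sh
# Constructed example: stateful iptables policy for the "firewall3" box on the
# private web<->sql segment. Addresses, port and iptables path are assumptions.
WEB=${WEB:-192.0.2.10}       # web server, DMZ side (assumed RFC 5737 test address)
SQL=${SQL:-192.0.2.20}       # sql server, intranet side (assumed)
SQL_PORT=${SQL_PORT:-1433}   # MS SQL default TCP port (assumed; set it for your DB)
IPT=${IPT:-iptables}
DRY_RUN=${DRY_RUN:-0}        # DRY_RUN=1 prints the rules instead of applying them

ipt() {
    if [ "$DRY_RUN" = 1 ]; then echo "$IPT $*"; else "$IPT" "$@"; fi
}

firewall3_rules() {
    # Default deny in every direction; the box forwards only what is listed.
    ipt -P INPUT DROP
    ipt -P OUTPUT DROP
    ipt -P FORWARD DROP
    ipt -F FORWARD
    # Replies to permitted sessions pass in both directions, and nothing else
    # from the sql side: the sql server cannot open a connection outward.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Only the web server may open sessions, only to the sql server, and only
    # on the SQL port.
    ipt -A FORWARD -p tcp -s "$WEB" -d "$SQL" --dport "$SQL_PORT" \
        -m state --state NEW -j ACCEPT
    # Log whatever else arrives before the policy drops it, so probes show up.
    ipt -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "fw3-drop: "
}

# Print the generated rule set without touching the kernel.
preview_rules() {
    ( DRY_RUN=1; firewall3_rules )
}

# Sanity check: exactly one rule accepts NEW connections, it is the
# web -> sql one, and the sql server never appears as a permitted source.
check_rules() {
    rules=$(preview_rules)
    [ "$(printf '%s\n' "$rules" | grep -c -- '--state NEW -j ACCEPT')" -eq 1 ] || return 1
    printf '%s\n' "$rules" | grep -q -- "-s $WEB -d $SQL --dport $SQL_PORT" || return 1
    if printf '%s\n' "$rules" | grep -q -- "-s $SQL"; then return 1; fi
    return 0
}

# Apply for real only when invoked as "sh firewall3.sh apply" (as root).
case "${1:-}" in apply) firewall3_rules ;; esac
```

Run it without arguments to preview and self-check the rule set; management access to the firewall box itself is deliberately left out and would need its own INPUT rules.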
-----Original Message-----
From: Dan Williamson [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 20, 2002 1:39 PM
To: [EMAIL PROTECTED]
Subject: Secure Infrastructure
I currently am faced with a troublesome infrastructure
dilemma.
We have some real-time data that resides on an SQL server
in our intranet. This data is queried and updated by users
via a web server that is in our DMZ. Queries are sent from
the web server in the DMZ to the SQL server and data is
provided from the SQL server back to the web server based
on the queries. This obviously requires a two-way
connection through the firewall, which negates the reason
for the firewall in the first place. The question I have is
what is the most secure network design for these systems?
How do you provide access to real-time sensitive data in a
secure environment? Financial, medical and other government
agencies provide this kind of real-time information on a
daily basis so I know there are ways to do what we need.
I'm just not sure how yet.
Any suggestions would be greatly appreciated.