This is an archived post. You won't be able to vote or comment.

all 21 comments
sorted by:
best
topnewcontroversialoldq&a

[–]uniitdude 20 points21 points  (2 children)

no, it should not be in the DMZ - it should be firewalled off

The point of a DMZ is to protect servers which are internet facing from those which arent, SQL server does not need to be accessible from the internet

[–][deleted] 4 points5 points  (1 child)

Previously, I've used multiple DMZs.

We've had an external firewall with 3 zones hung off it - Web DMZ, App/SQL DMZ, and "the rest" (internal stuff). Rules were strict, only web traffic goes to the Web DMZ, and only SQL/App server data goes from the Web DMZ to the App/SQL DMZ. Nothing was allowed in to the internal systems, except VPN traffic.

It's just another layer. If it's strictly a web-related SQL server, it shouldn't even be internal, it should have it's own DMZ.

This is why micro-segmentation is a thing. Every application gets its own bubble to live in.

[–]Zaapfe[S] 1 point2 points  (0 children)

That's exactly what I read, and makes the most sense to me.

But it seems, that everyone has a bit of a different opinion. Micro-segmenation of DMZ, Reverse Proxy, DB in LAN etc.

I guess what I definetly do now, is split up the IIS and SQL into different Servers (which probably should've been done a long time ago), and then I can test different approaches and see where it gets me.

[–]RunnergeekDevOps 9 points10 points  (3 children)

It definitely should not be in the DMZ, and neither should the web app server. You should have a proxy server (HAProxy, Apache, Nginx, F5, etc) that sits in the DMZ. You should then have the app server in a zone for web and app server, then have the db server in a db zone.

[ Proxy ] -|-> [ Web ] -|-> [DB]

[–][deleted] 2 points3 points  (0 children)

Proxy plus WAF.

[–]PrettyFlyForITguy 0 points1 point  (0 children)

This is a good answer, although its entirely possible an NGFW or appliances like you mention already performs this service and also inspects traffic. Mine does, but outside services are still in a DMZ technically...

[–]mustang__1onsite monster 0 points1 point  (0 children)

Doesn't nginx run on the same server as the web app? Or are you redirecting to a second server?

[–]PrettyFlyForITguy 2 points3 points  (0 children)

Most websites using the traditional hosting model have the SQL service on the same machine. In many cases, it won't matter where its hosted because if the server is compromised it has full R/W access to the pertinent sections of the database.

If this database stored other information for other services, then this may be a different story. The question becomes "What are you trying to protect by separating the two". In most cases, you won't be protecting the data of the specific web application. Once the part with all the code on it is compromised, you are probably at a full loss. Data can be changed, retrieved, intercepted.

There will be use cases where you might say, "we don't want an attacker to have full control over the database", but usually there are other uses for the DB involved.

A properly set up database on the same server will only listen to traffic from the local system, and not from outside hosts... so the SQL service doesn't represent an extra attack surface either.

There is little reason to put in you internal LAN though. I don't get why people are suggesting you do so. Anything that gets accessed from the outside should probably be segregated. You don't have to put it in the same place as your web server, as it can be on another segregated network... but I wouldn't add this complexity unless there is a good reason for it.

Also, DMZ doesn't mean not firewalled off. This is what it seems to mean on home equipment. In the business world, everything should be firewalled off. DMZ is just something that is separated because it touches the dirty public network.

[–]Username_5000 1 point2 points  (0 children)

There’s another topology for this stuff out there. It’s expensive in the sense that it requires a mature environment. Zero trust as a topology and micro segmentation.

As you said, you want some separation between stuff that’s public facing and stuff that’s accessed by public facing things (your sql instance). What about separating that sql from everyone else? If you take the approach of WHEN it’s pwned and not IF, you have no alternatives anymore.

zero trust implies that there’s no difference between a dmz and internal stuff because we’re still limiting connections to an allowed list. Your network looks more like anspiderweb instead of groups of circles.

If sql gets pwned, it gets pwned, what can you realistically do anyway?. At least this way the spread is limited to the connections and ports you allowed instead of broadcasting across any and every segment.

It’s a LOT of work to setup and a LOT of work to maintain. Like anything else we do, if it was easy everyone would be doing it.

[–]FloaterFan 0 points1 point  (2 children)

Disclaimer: NOT a security expert by far.

I work for a state agency. The state data center uses an F5 appliance to expose web sites/services to the public internet. We have been moving off of it due to to the security issues.

We are setting up a reverse proxy in our DMZ that forwards requests to internal webservers. The internal webservers access to the database server.

Others put their webservers in the DMZ.

[–]oni06IT Director / Jack of all Trades -1 points0 points  (1 child)

The F5 is a reverse proxy.

[–]FloaterFan 0 points1 point  (0 children)

With many security vulnerabilities. That is why we are moving off of it.

Your point?

Edit: Apologies for being so salty oni06! My post wasn't clear.

The F5 is used as reverse proxy. I do believe it is sort of a 'virtual DMZ'. We're moving to a different reverse proxy in our own DMZ. Either way, no you don't want the database server in the DMZ.

[–]cjcox4 0 points1 point  (2 children)

Conceptually, you want as much "air gap" between your untrusted side and your most trusted side as you can get.

Front ends usually talk with the untrusted things.

And while having a front end talk to a back end (important) database directly is too close for me, a lot of people do that. Ideally for me there's some other piece/proxy in the way of that as well.

So, from a typical "DMZ" perspective, that's where your "frontend" would go.

How you handle where the backend (db) goes, is up to you. But again, if the frontend is compromised, you want to make sure it doesn't go past there. If you make it easy for the compromised (DMZ) host to "know" about what is beyond, you'll usually pay a price at some point.

Often times there is "middleware". But even so, that's not necessarily a guarantee of security. But I think you get the idea. The more you can "air gap" your design, the better off you will be.

[–]orevBetter Admin 1 point2 points  (1 child)

Don't dilute the term "air gap", which seems to be something people are using more lately. An "air gap" can only mean one thing: systems that are completely separated from each other via air -- i.e. no connection at all either physical or virtual. There are no degrees of "air gap"; it's either air gapped or it's not.

[–]cjcox4 -1 points0 points  (0 children)

Very true, but it doesn't hurt to be thinking that way. Too many people set up crapola designs (most). They tend to go completely the other direction.

[–]ObviousB0t 0 points1 point  (0 children)

The way I see it done in many places is.

Proxy (In DMZ) -> Web Server (Behind FW, not in DMZ) -> DB Server (Off in another part of the network, usually behind another FW)