Is there a secure way to allow IIS 7 in a DMZ to access a DB server behind the firewall?
Our network admins are adamant that it is insecure for our web servers, which are hosted in the DMZ, to access the DB server behind our firewall. To get round the problem, we access the data via web services or WCF. I feel that this is an unnecessary performance burden that could be eliminated if the web server could access the DB directly.
The reason I have been given is that if a hacker was able to log in to the web server they could then access the DB. Is it possible to open the ports only for IIS or is it not possible to be that specific? If we can lock it down to just IIS, could this be easily compromised by the hacker?
I've read various posts on the internet but I can't seem to find a definite answer.
Al
Solution 1:
I have set up platforms for large-scale enterprises, and normal practice is to ensure your databases are on a different VLAN from your web servers, with a firewall sat between these routing traffic to the database server port only, as well as a firewall in front of your web servers. Typically your front firewall will forward port 80 (HTTP) and port 443 (HTTPS) to your web servers. The firewall sat between the web server and the database server will forward traffic from the web servers to the port used by your database (typically port 1433 if using Microsoft SQL Server).
For increased security:
- Ensure you use a least privileged account to access the database servers
- If you are using ASP.NET you can encrypt your database connection string in the web.config
- Hire a third party company to carry out a penetration test to advise of any vulnerabilities
- Ensure Updates and Service Packs are installed on a regular scheduled basis.
If your database is the MI6 or CIA database then your network admins are probably right, but to me it sounds like they are overreacting.
If the database does contain data that absolutely cannot be exposed to a public network, but the data your database needs is not that sensitive, could you look at replicating the tables your web site requires to a database that is in your hosting environment?
I'd ask them the question:
- If a hacker gains access to the web server, could they call your web services?
- If a vulnerability is discovered in IIS which enabled them to access your web server then surely they just exploit the same vulnerability on the web server hosting your web services?
- Could they install software that monitors user input to sniff passwords in memory?
Solution 2:
Your web servers can be behind a firewall as well; they just need to have port 80 forwarded to the correct server. All the other ports your web server doesn't need should be closed on that most external firewall. Then there should be a firewall between your web servers and your data servers. In that firewall you'll only allow the ports that the databases talk on to be open.
Here is a diagram:
Internet --> Firewall --> Web Servers --> Firewall --> Databases
FYI, I'm a developer although I work with our IT staff often at my company since we're a small shop.
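Both solutions rest on the inner firewall passing only web-server traffic to the database port. The following is an added example, not code from either answer: a small Python audit that flags inner-firewall allow rules wider than that. The subnets, addresses, rule tuple format and function names are constructed assumptions.

```python
import ipaddress

# Constructed sample addressing (assumptions, not from the page).
WEB_NET = ipaddress.ip_network("10.0.10.0/24")   # web server VLAN (DMZ)
DB_NET = ipaddress.ip_network("10.0.20.0/24")    # database VLAN
DB_PORT = 1433                                    # SQL Server default port

# Inner firewall rules as (source, destination, port or None for any, action).
GOOD_RULES = [("10.0.10.0/24", "10.0.20.5/32", 1433, "allow")]
LOOSE_RULES = [
    ("10.0.10.0/24", "10.0.20.5/32", 1433, "allow"),
    ("10.0.10.0/24", "10.0.20.0/24", None, "allow"),  # every port open
    ("0.0.0.0/0", "10.0.20.5/32", 1433, "allow"),     # any source
]

def is_allowed(rules, src, dst, port):
    """First matching rule wins; anything unmatched is denied."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule_src, rule_dst, rule_port, action in rules:
        if (src in ipaddress.ip_network(rule_src)
                and dst in ipaddress.ip_network(rule_dst)
                and rule_port in (None, port)):
            return action == "allow"
    return False

def audit(rules, web_net=WEB_NET, db_net=DB_NET, db_port=DB_PORT):
    """Return findings for allow rules wider than web VLAN -> DB port."""
    findings = []
    for index, (rule_src, rule_dst, rule_port, action) in enumerate(rules):
        dst_net = ipaddress.ip_network(rule_dst)
        if action != "allow" or not dst_net.overlaps(db_net):
            continue
        if not ipaddress.ip_network(rule_src).subnet_of(web_net):
            findings.append((index, "source wider than web VLAN"))
        if rule_port != db_port:
            findings.append((index, "port other than database port"))
    return findings
```

With the tight rule set, a compromised web server can still reach the database port, but nothing else on the database VLAN; the audit reports any rule that widens that path.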