Should databases containing customer information go in a DMZ?

We're deploying a simple newsletter webapp on a stand-alone LAMP platform in the company DMZ. There is some discussion as to whether the MySQL server should be removed from the DMZ and put in the internal network.

The server is behind a firewall with only port 80 open and MySql will be attached to a non-standard port. The database contains customer email addresses.

Is this a secure setup (or secure enough)? How much more secure would it be by placing the data behind a second firewall? (I'm more of a developer so I'm not really aware of all the security aspects here - can someone enlighten me!)

Update Just for clarification and to attact more comment here is our current setup:

internet - firewall1 - http server - firewall2 - appserver - firewall3 - enterprise resources

This new application was supposed to go completely within the DMZ between firewalls 1 and 2. We're currently discussing pulling the MySQL server in behind the 2nd firewall.


Solution 1:

To allow connections from the DMZ to the internal LAN is breaking with the concept of a DMZ.

Binding MySQL to localhost is going to be no less secure than placing MySQL elsewhere. If data theft is your concern, you should assume that were the two machines split apart and the Apache portion was compromised, then MySQL connection details stored on the compromised machine could simply be re-utilised by an attacker to read the data out anyway.

Edit to add:

Even with a double-hop DMZ as you describe, you're not purchasing yourself any real security benefit from separating the services, whilst at the same time making the setup more complicated. You're possibly even increasing the attack surface by having more machines and sending data over the wire that would otherwise be on loopback.

Solution 2:

I would put the DB in the internal network (behind a second firewall).

This vastly reduces the attack surface of the DB because you set the firewall rules for the second firewall (DMZ to Internal) to ONLY allow connections on port XXXX (the DB port) from the webserver.

So even if your DMZ is compromized there is still protection for your DB.

Solution 3:

Let us evaluate the two scenarios and see which one is better. I suppose you have configured the MySQL account to have only READ/WRITE access to the tables specific to the application.

I will attack the webserver using a zeroday exploit. I now have administrator access to the web server and can fully access the local filesystem. I can also send network communication originating from this webserver. I have gained access to the credentials required to access the application database.

If the database server is on the same machine, I now also have direct and full access to the database. I can read and write to all tables in the database, create new ones and listen in on all other communication with this database server. Evaluation: This is the worst scenario. The application database and all other databases are now impacted.

If the database server is on a different machine in the same DMZ, I can fully communicate with the database server. I can now use an exploit in the Windows File Sharing service to gain administrator access to this server. Evaluation: I can access the database server using the web application account, but this may only give me limited rights. I need a different exploit to gain full access to the database server. I can exploit any service available on the database server.

If the database server is in an entirely different network, I can only access the database port. Any other communication is filtered by a firewall. This means I can only use an exploit in the database program to gain administrator access. If I gain administrator access, the full internal network is compromised. Evaluation: I can access the database server using the web application account, but this may only give me limited rights. I can only exploit the database port to gain full access. If I do this, the network of the database sever is compromised.

Solution 4:

I think the MySQL part has been adequately covered and I certainly agree with what has already been said. I would just like to point out that as a first step you should find out what the legal requirements are in your part of the world, as they vary considerably. Quite possibly that will determine your configuration.