What is the best practice for placing database servers in secure network topologies

  • I have a classic DMZ architecture:

    My webserver is placed in the DMZ. The webserver needs to communicate with a database server. This database server is the most critical component of my network as it contains confidential data.

    Where should I place the DB server and why? Should I add a second firewall and create another DMZ?

    Why does the database server need to communicate with the web server? I would think that it would be the other way around (the web server needs to communicate with the db server, and the db server just needs to return the results). The db server should not be permitted to initiate communication with the web server; it has no need to.

    Correct. I updated the question accordingly :)

    What assets does the database contain?

    @this.josh credit card details

    • The best placement is to put the database servers in a trusted zone of their own.
    • They should allow inbound connections from the web servers only, and that should be enforced at a firewall and on the machines. Reality usually dictates a few more machines (db admin, etc). Obey reality as needed, of course.
    • They should only be making outbound connections if you're updating software on them.
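    As an added example (not code from the original answer or from any product), the following Python script models the answer's three points as a single policy and renders it as an nftables ruleset for the DB host itself, so the host enforces the same thing the zone firewall does. The subnets, hosts and ports (web tier 10.10.1.0/24, a DBA jump host, an internal package mirror, a syslog collector on another segment, PostgreSQL on 5432) are made-up assumptions; replace them with your own. Everything not listed is dropped in both directions, and the DB host is never allowed to open a connection toward the web tier: replies to the web servers' queries ride on the established/related state, which is why the DB server needs no rule of its own for them.

```python
"""Host firewall policy for a database server in its own trusted zone.

Added example, not from the original post. It models the answer's rules:
inbound only from the web tier (plus a DBA jump host, because "reality"),
outbound only for package updates (plus syslog to a separate log segment),
default drop everywhere else. All addresses, ports and names are assumptions.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

# Constructed zone definitions (assumptions, not real addresses).
DB_PORT = 5432                                 # PostgreSQL, assumed
WEB_TIER = ip_network("10.10.1.0/24")          # DMZ web servers
DBA_JUMP = ip_network("10.20.5.7/32")          # jump host for DB admins
MIRROR = ip_network("10.30.0.10/32")           # internal package mirror
SYSLOG = ip_network("10.30.0.20/32")           # syslog collector, other segment


@dataclass(frozen=True)
class Rule:
    direction: str      # "in": peer connects to DB host; "out": DB host connects to peer
    peer: IPv4Network   # who the DB host is allowed to talk to (or hear from)
    proto: str          # "tcp" or "udp"
    port: int           # destination port of the NEW connection
    comment: str


POLICY = (
    Rule("in", WEB_TIER, "tcp", DB_PORT, "web tier to database"),
    Rule("in", DBA_JUMP, "tcp", 22, "DBA jump host ssh"),
    Rule("out", MIRROR, "tcp", 443, "package updates"),
    Rule("out", SYSLOG, "udp", 514, "syslog to log segment"),
)


def is_allowed(direction: str, peer_ip: str, proto: str, port: int) -> bool:
    """Decide whether a NEW connection is permitted by POLICY.

    Anything not explicitly listed is denied; in particular the DB host may
    not initiate anything toward the web tier, only answer its queries.
    """
    peer = ip_address(peer_ip)
    return any(
        r.direction == direction and r.proto == proto and r.port == port and peer in r.peer
        for r in POLICY
    )


def render_nft(policy=POLICY) -> str:
    """Render POLICY as an nftables ruleset for the DB host (IPv4 only)."""

    def chain(name: str, direction: str, addr_key: str, iface_key: str) -> list:
        lines = [
            f"    chain {name} {{",
            f"        type filter hook {name} priority 0; policy drop;",
            f'        {iface_key} "lo" accept',
            "        ct state established,related accept",   # replies to allowed flows
            "        ct state invalid drop",
        ]
        for r in policy:
            if r.direction == direction:
                lines.append(
                    f"        ip {addr_key} {r.peer} {r.proto} dport {r.port} "
                    f'ct state new accept comment "{r.comment}"'
                )
        lines.append(f'        log prefix "db-{direction}-drop: " drop')  # feed the sensor/syslog
        lines.append("    }")
        return lines

    out = ["table inet dbhost {"]
    out += chain("input", "in", "saddr", "iif")
    out += chain("output", "out", "daddr", "oif")
    out.append("}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(render_nft())
    # A few constructed flows: web tier in is fine, DB reaching back out is not.
    print("web -> db:5432    ", is_allowed("in", "10.10.1.5", "tcp", DB_PORT))
    print("db -> web:8080    ", is_allowed("out", "10.10.1.5", "tcp", 8080))
    print("internet -> db    ", is_allowed("in", "203.0.113.9", "tcp", DB_PORT))
```

Load the rendered ruleset with `nft -f` on the DB host and mirror the same rules on the zone firewall; the host rules are the second layer the answer asks for, not a replacement for the firewall. The output chain's default drop also blocks DNS and NTP, so if the host needs those, add rules for them deliberately rather than opening the chain.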

    So I should add another leg to the firewall for a DB DMZ, correct?

    @lisa1987 Yes. You may be able to accomplish it via VLANs rather than hardware.

    Putting a sensor on the segment will allow you to monitor it easily, plus the log will be clearer. The syslog server could be on a different segment, and valuable information could be associated with debugging.

    Be especially careful to mitigate VLAN Hopping http://en.wikipedia.org/wiki/VLAN_hopping when depending on VLANs for security.

    @JeffFerland Thanks. So would you suggest not calling any web services (SOAP) from database code, and instead calling them in the Java layer?

    @Jay Yes. No exceptions to that come to mind immediately.

