RE: Server publishing
- From: "Nathan Casey" <NCASEY@xxxxxxxxxxxxxxxxx>
- To: <isalist@xxxxxxxxxxxxx>
- Date: Thu, 01 Jul 2004 15:12:51 -0700
Very good suggestion, but the users that access the internet
application make changes that would need to be replicated
back to the internal SQL server. The one-way transactional
replication scenario would not work for this app.
>>> thor@xxxxxxxxxxxxxxx 7/1/2004 12:45:24 PM >>>
http://www.ISAserver.org
To add to the previous (and excellent) points of Shawn and
The Good Doctor,
I would *highly* recommend considering populating the DMZ
with it's own SQL
server (with proper licensing, or course.)
Any leveraging of SQL injection-type attacks would afford
an attacker the
luxury of executing code on a box within your internal
network. Further,
from an authentication standpoint, I would imagine that
your internal SQL
box (assuming MS sql) would have to be configured to accept
Mixed-mode
authentication (with the ADODB connection strings
containing user
credentials) -- a far weaker authentication model than
NT-based
authentication -- that or (heaven forbid) you've got shared
domain
membership between the DMZ web server's IUSR account for
the internal SQL
box to accommodate authentication of the web application's
requests for
data. In either case, a compromise of the web server would
give an attacker
credentials that could be used on your internal network, as
well as a direct
path (1433) into your network.
A DMZ-based SQL box could be locked down, and the internal
box could utilize
one-way transactional replication to the DMZ. In this
model, there is no
static port open to the internal network, there are no
shared credentials
(the internal box's replication push would use creds on the
DMZ box and not
the other way around) and any compromise would leave the
attacker in the
DMZ. Further, the available data on the DMZ box would be
limited to that
required by the application. My bet is that your internal
SQL box has data
above and beyond that required by the web app.
Just a thought.
t
----- Original Message -----
From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
To: "[ISAserver.org Discussion List]"
<isalist@xxxxxxxxxxxxx>
Sent: Thursday, July 01, 2004 12:24 PM
Subject: [isalist] RE: Server publishing
http://www.ISAserver.org
Hi Shawn,
Good point. With the SQL publishing scenario, the ISA
firewall isn't
providing any security (just like the pix).
However, if there are services behind the ISA firewall that
are exposed
to app layer filtering, I'd keep the dual homed ISA box
where it is.
Tom
www.isaserver.org/shinder
Get the book!
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
-----Original Message-----
From: Quillman Shawn (RBNA/CSA1) *
[mailto:Shawn.Quillman@xxxxxxxxxxxx]
Sent: Thursday, July 01, 2004 2:11 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Server publishing
http://www.ISAserver.org
Yes. The only time you can have 1 adapter is when ISA is
in cache-only
mode in which situation you can only web publish. The
config you show
doesn't really make sense, the ISA would be redundant. You
would just
publish the SQL server via the internal PIX. What is it
you're trying
to accomplish with the ISA?
-Shawn
-----
Shawn R. Quillman
Robert Bosch Corporation RBNA/CSA1
38000 Hills Tech Drive
Farmington Hills, MI 48331
(248) 553-1164 (P) (248) 848-6969 (F)
shawn.quillman@xxxxxxxxxxxx
-----Original Message-----
From: nathan [mailto:ncasey@xxxxxxxxxxxxxxxxx]
Sent: Thursday, July 01, 2004 3:40 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Server publishing
http://www.ISAserver.org
With server publishing, if I publish a SQL server that sits
on the
internal network, does my ISA server need 2 adapters? The
SQL server is
acting as a back-end database server for a Web site which
is hosted on
web server in a PIX DMZ.
If I do need 2 adapters for server publishing can they both
reside in
PIX DMZ's? My network security guy wants all incoming
traffic to go
trough the PIX firewall
Internet Router
(Public IP)
|
|
PIX FIREWALL
|
|
Web server
|
|
PIX FIREWALL
*internal Network*
|
|
ISA SERVER
|
|
SQL SERVER
------------------------------------------------------
List Archives:
http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter:
http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ:
http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking:
http://www.windowsnetworking.com Leading
Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site:
http://www.msexchange.org Windows
Security Resource Site: http://www.windowsecurity.com/
Network Security
Library: http://www.secinf.net/ Windows 2000/NT Fax
Solutions:
http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org
Discussion List as:
shawn.quillman@xxxxxxxxxxxx To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
------------------------------------------------------
List Archives:
http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter:
http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ:
http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking:
http://www.windowsnetworking.com
Leading Network Software Directory:
http://www.serverfiles.com
No.1 Exchange Server Resource Site:
http://www.msexchange.org
Windows Security Resource Site:
http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org
Discussion List as:
tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
------------------------------------------------------
List Archives:
http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter:
http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ:
http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking:
http://www.windowsnetworking.com
Leading Network Software Directory:
http://www.serverfiles.com
No.1 Exchange Server Resource Site:
http://www.msexchange.org
Windows Security Resource Site:
http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org
Discussion List as:
thor@xxxxxxxxxxxxxxx
To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
------------------------------------------------------
List Archives:
http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter:
http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ:
http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking:
http://www.windowsnetworking.com
Leading Network Software Directory:
http://www.serverfiles.com
No.1 Exchange Server Resource Site:
http://www.msexchange.org
Windows Security Resource Site:
http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org
Discussion List as: ncasey@xxxxxxxxxxxxxxxxx
To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
Other related posts:
