Opinions sought on webserver/mysql server layout

Scott Elcomb psema4-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Fri Dec 16 02:50:46 UTC 2005


On 12/15/05, Neil Watson <tlug-neil-8agRmHhQ+n2CxnSzwYWP7Q at public.gmane.org> wrote:
> I've planned a new webserver to host two sites.  The server runs
> Apache, OpenCMS and Metadot.  This server sits on our DMZ.  I plan to
> host the database service on a separate server that sits on our internal
> network.  It has been suggested that this is not a good idea.  What do
> you think and why?  Can you offer some real world examples of where
> database servers should be hosted?

In theory, all machines in the DMZ should be isolated from the
machines on your internal network.  (Machines in both the internal and
external networks should be able to call on "services" that reside in
the DMZ though.)

Even opening a single port from the DMZ to an internal server poses at
least some risk if an attacker gains access.  Then again, putting the
database server in the DMZ poses its own risk as well.

In practice I don't think it's always very clear cut.  There's a bunch
of factors involved in finding the solution - politics (particularly
in business), how secure the data in the database server needs to be,
known security issues with the database server packages, performance,
etc.

Determine the factors critical to the application, weigh risks and
implementation cost against your security needs, and settle on a
decision.  Network security is never perfect, but it is a worthwhile
goal.

I don't have any real-world examples to give.  Sorry 'bout that.  ;-)

--
Scott Elcomb
psema4.gotdns.com
--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml




