Opinions sought on webserver/mysql server layout

billt-lxSQFCZeNF4 at public.gmane.org
Fri Dec 16 03:53:57 UTC 2005


I agree with Scott. There is no right answer to this question.

The question you should ask is how important is the data in the database.

Consider two examples:
1) The data in the database is configuration data for the webpages, such as PHP pages. In this case a database should definitely be in the DMZ. There is no point in opening a possible security hole for this type of data.

2) The data in the database is credit card numbers of customers. In this case this should be in the internal network. The extra security risk is more than compensated by an increase in the security offered by requiring the intruder to break into two different machines.

I hope this helps.

Bill
On Thu, Dec 15, 2005 at 09:50:46PM -0500, Scott Elcomb wrote:
> On 12/15/05, Neil Watson <tlug-neil-8agRmHhQ+n2CxnSzwYWP7Q at public.gmane.org> wrote:
> > I've planned a new webserver to host two sites.  The server runs
> > Apache, OpenCMS and Metadot.  This server sits on our DMZ.  I plan to
> > host the database service on a separate server that sits on our internal
> > network.  It has been suggested that this is not a good idea.  What do
> > you think and why?  Can you offer some real world examples of where
> > database servers should be hosted?
> 
> In theory, all machines in the DMZ should be isolated from the
> machines on your internal network.  (Machines in both the internal and
> external networks should be able to call on "services" that reside in
> the DMZ though.)
> 
> Even opening a single port from the DMZ to an internal server poses at
> least some risk if an attacker gains access.  Then again, putting the
> database server in the DMZ poses its own risk as well.
> 
> In practice I don't think it's always very clear cut.  There's a bunch
> of factors involved in finding the solution - politics (particularly
> in business), how secure the data in the database server needs to be,
> known security issues with the database server packages, performance,
> etc.
> 
> Determine the factors critical to the application, weigh risks and
> implementation cost against your security needs, and settle on a
> decision.  Network security is never perfect, but it is a worthwhile
> goal.
> 
> I don't have any real-world examples to give.  Sorry 'bout that.  ;-)
> 
> --
> Scott Elcomb
> psema4.gotdns.com
> --
> The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
> TLUG requests: Linux topics, No HTML, wrap text below 80 columns
> How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml