We are laying out our new DMZ and wanted to know what is the recommended approach for setting up our web servers and database servers? Should the web servers (front-end) be placed in one DMZ and the database servers (backend) be placed in a separate DMZ? Are there any references to DMZ design fundamentals available online?
Thanks in advance for any help given.
I would always recommend having your database servers on a dedicated VLAN, because these servers contain a lot of data that is presumably important to your company, and the traffic allowed through to them needs to be strictly regulated.
If you place them on the same DMZ as your web servers and your web servers get compromised, then it is easier to then attack the database servers.
There is generally a tradeoff between the number of DMZs and the complexity of the rule base. At one extreme all devices are on one DMZ and the rule base is relatively simple. At the other extreme every server is on its own DMZ and the rule base becomes extremely complex. The trick is to find a balance, and each company can make different choices depending on the level of security they need, the sensitivity of the data, etc.
But database servers by their very nature should be segregated if at all possible. And if you have more than one database server and they do not need to communicate with each other, I would go one step further and look at private VLANs, which will allow you to isolate these servers from each other even within the same DMZ.
Attached is a link to a Cisco doc on securing server farms.
The above was part of Cisco's SRND reference guides, and some of the other ones may be of interest as well.
Finally, www.sans.org also has some good papers on best practices in setting up firewalls/DMZs.
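As an added illustration of the layout described in the answer above (this is example configuration written for this page, not from the original post or from Cisco's SRND documents), here is what "web servers in one DMZ, database servers in another, database servers isolated from each other" looks like on an ASA firewall and a Catalyst switch. Interface names, VLAN numbers, the 10.1.10.0/24 and 10.1.20.0/24 addresses, the server addresses and the assumption that the database listens on TCP 1433 are all made up for the example.

```cisco
! --- ASA: a separate interface (security zone) for each DMZ ---
! Assumed addressing: web DMZ 10.1.10.0/24, database DMZ 10.1.20.0/24
interface GigabitEthernet0/1
 nameif web-dmz
 security-level 50
 ip address 10.1.10.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif db-dmz
 security-level 60
 ip address 10.1.20.1 255.255.255.0
!
! Database servers grouped so the ACL below stays short when servers are added
object-group network DB_SERVERS
 network-object host 10.1.20.10
 network-object host 10.1.20.11
!
! Traffic entering the firewall from the web DMZ: only the application port
! (assumed here to be SQL Server, TCP 1433) to the database servers.
! Everything else a compromised web server might try is dropped and logged.
access-list WEB_DMZ_IN extended permit tcp 10.1.10.0 255.255.255.0 object-group DB_SERVERS eq 1433
access-list WEB_DMZ_IN extended deny ip any any log
access-group WEB_DMZ_IN in interface web-dmz
!
! Traffic entering from the database DMZ: the database servers initiate nothing
! towards the web DMZ or the Internet. Backup or patching flows to an internal
! management network would be added here as explicit permits before the deny.
! Return traffic for the web->db sessions is allowed by the ASA's state table,
! so no permit is needed here for that.
access-list DB_DMZ_IN extended deny ip any any log
access-group DB_DMZ_IN in interface db-dmz
!
! --- Catalyst switch behind the db-dmz interface: private VLAN so the database
! servers cannot reach each other at layer 2, only the promiscuous port that
! faces the firewall ---
vtp mode transparent
vlan 200
 private-vlan primary
 private-vlan association 201
vlan 201
 private-vlan isolated
!
interface GigabitEthernet1/0/1
 description db-server-1 (assumed 10.1.20.10)
 switchport mode private-vlan host
 switchport private-vlan host-association 200 201
!
interface GigabitEthernet1/0/2
 description db-server-2 (assumed 10.1.20.11)
 switchport mode private-vlan host
 switchport private-vlan host-association 200 201
!
interface GigabitEthernet1/0/24
 description uplink to ASA db-dmz interface
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 200 201
```

Two design points worth noting. The explicit `deny ip any any log` at the end of each ACL does the same thing as the ASA's implicit deny but produces a syslog line, which is how you notice a web server suddenly scanning the database DMZ. And the isolated private VLAN means that even if one database server is compromised, it has no layer-2 path to its neighbour; if the servers later need to replicate to each other, that requirement shows up as a deliberate configuration change (a community VLAN or a firewall permit) rather than being silently allowed.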