Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2920
Views
5
Helpful
2
Replies

Recommended best practices for DMZ layout

Go to solution
osmhquser
Level 1
Level 1

‎06-12-2008 02:34 AM - edited ‎03-11-2019 05:58 AM

We are laying out our new DMZ and wanted to know what is the recommended approach for setting up our web servers and database servers? Should the web servers (front-end) be placed in one DMZ and the database servers (backend) be placed in a seperate DMZ? Are there any reference to DMZ design fundatmentals available online?

Thanks in advance for any help given.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎06-12-2008 03:00 AM

Mark

I would always recommend having your database servers on a dedicated vlan because these servers contain a lot of data that is presumably important to your company. And the traffic allowed through to them needs to be strictly regulated.

If you place them on the same DMZ as your web servers and your web servers get compromised then it is easier to then attack the database servers.

There is generally a tradeoff between the number of DMZ's and the complexity of the rule base. At one extreme all devices are on one DMZ and the rule base is relatively simple. At the other extreme every server is on it's own DMZ and the rule base becomes extremely complex. The trick is to find a balance and each company can make different choices depending on the level of security they need, the sensitivity of the data etc.

But database servers by their very nature should be segregated if at all possible. And if you have more than one database server and they do not need to communicate with each other i would go one step further and look at private vlans which will allow you to isolate these servers from each other even within the same DMZ.

Attached is a link to a Cisco doc in securing server farms

http://www.cisco.com/en/US/solutions/ns340/ns517/ns224/ns376/net_design_guidance09186a008014edf3.pdf

the above was part of Cisco's SRND reference guides and some of the other ones may be of interest as well

www.cisco.com/go/srnd

Finally www.sans.org also have some good papers on best practices in setting up firewalls/DMZs.

Jon

View solution in original post

2 Replies 2

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎06-12-2008 03:00 AM

Mark

I would always recommend having your database servers on a dedicated vlan because these servers contain a lot of data that is presumably important to your company. And the traffic allowed through to them needs to be strictly regulated.

If you place them on the same DMZ as your web servers and your web servers get compromised then it is easier to then attack the database servers.

There is generally a tradeoff between the number of DMZ's and the complexity of the rule base. At one extreme all devices are on one DMZ and the rule base is relatively simple. At the other extreme every server is on it's own DMZ and the rule base becomes extremely complex. The trick is to find a balance and each company can make different choices depending on the level of security they need, the sensitivity of the data etc.

But database servers by their very nature should be segregated if at all possible. And if you have more than one database server and they do not need to communicate with each other i would go one step further and look at private vlans which will allow you to isolate these servers from each other even within the same DMZ.

Attached is a link to a Cisco doc in securing server farms

http://www.cisco.com/en/US/solutions/ns340/ns517/ns224/ns376/net_design_guidance09186a008014edf3.pdf

the above was part of Cisco's SRND reference guides and some of the other ones may be of interest as well

www.cisco.com/go/srnd

Finally www.sans.org also have some good papers on best practices in setting up firewalls/DMZs.

Jon

Go to solution
osmhquser
Level 1
Level 1
In response to Jon Marshall

‎06-12-2008 03:35 AM

Thanks for the info. This is very helpful.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card