Cisco Support Community
Community Member

Recommended best practices for DMZ layout

We are laying out our new DMZ and wanted to know what is the recommended approach for setting up our web servers and database servers? Should the web servers (front-end) be placed in one DMZ and the database servers (backend) be placed in a separate DMZ? Are there any references to DMZ design fundamentals available online?

Thanks in advance for any help given.

1 ACCEPTED SOLUTION
Hall of Fame Super Blue

Re: Recommended best practices for DMZ layout

Mark

I would always recommend having your database servers on a dedicated vlan because these servers contain a lot of data that is presumably important to your company. And the traffic allowed through to them needs to be strictly regulated.

If you place them on the same DMZ as your web servers and your web servers get compromised then it is easier to then attack the database servers.

There is generally a tradeoff between the number of DMZs and the complexity of the rule base. At one extreme all devices are on one DMZ and the rule base is relatively simple. At the other extreme every server is on its own DMZ and the rule base becomes extremely complex. The trick is to find a balance and each company can make different choices depending on the level of security they need, the sensitivity of the data etc.

But database servers by their very nature should be segregated if at all possible. And if you have more than one database server and they do not need to communicate with each other I would go one step further and look at private VLANs which will allow you to isolate these servers from each other even within the same DMZ.

Attached is a link to a Cisco doc on securing server farms:

http://www.cisco.com/en/US/solutions/ns340/ns517/ns224/ns376/net_design_guidance09186a008014edf3.pdf

The above was part of Cisco's SRND reference guides and some of the other ones may be of interest as well:

www.cisco.com/go/srnd

Finally, www.sans.org also has some good papers on best practices in setting up firewalls/DMZs.

Jon
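The answer above makes three design points: keep the database tier on its own segment behind a strict rule base, understand that a compromised web server in a flat DMZ can reach the database on any port, and use private VLANs to stop database servers from reaching each other inside one DMZ. The following is an added illustration written for this thread (not code from the post, from Cisco, or from any real firewall): a small first-match policy model that evaluates flows between constructed zones and hosts. The zone names, hosts, rule entries and ports (443 for the public web tier, 5432 for the database) are all assumptions made for the example; the `zone_pairs` helper just counts the ordered zone pairs a rule base must consider as the number of DMZs grows, which is the complexity side of the tradeoff Jon describes.

```python
"""Two-tier DMZ policy model (illustrative; all names and rules are constructed).

Zones: OUTSIDE (Internet), WEB_DMZ (front-end web servers), DB_DMZ
(database servers), INSIDE (corporate LAN). The firewall is an ordered
first-match rule list with an implicit final deny. Private-VLAN isolation
inside a zone is modelled as a per-zone flag: same-zone traffic never
crosses the firewall, so only layer-2 isolation can stop it.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: Optional[int]  # None = any port
    action: str              # "permit" or "deny"


# Constructed tiered rule base: only the flows the application needs.
RULES = [
    Rule("OUTSIDE", "WEB_DMZ", 443, "permit"),   # public HTTPS to web tier
    Rule("WEB_DMZ", "DB_DMZ", 5432, "permit"),   # web tier to database port only
    Rule("INSIDE", "DB_DMZ", 5432, "permit"),    # internal reporting/admin
    Rule("INSIDE", "WEB_DMZ", 22, "permit"),     # management access
]
ISOLATED_ZONES = {"DB_DMZ"}   # private VLAN: db servers cannot talk to each other

# Constructed host inventory for the tiered design.
HOSTS = {
    "attacker": "OUTSIDE",
    "web1": "WEB_DMZ", "web2": "WEB_DMZ",
    "db1": "DB_DMZ", "db2": "DB_DMZ",
    "admin": "INSIDE",
}

# Constructed flat design for comparison: web and db share one DMZ.
FLAT_RULES = [
    Rule("OUTSIDE", "DMZ", 443, "permit"),
    Rule("INSIDE", "DMZ", None, "permit"),
]
FLAT_HOSTS = {"attacker": "OUTSIDE", "web1": "DMZ", "db1": "DMZ", "admin": "INSIDE"}


def evaluate(src_host, dst_host, dst_port, rules=RULES, hosts=HOSTS,
             isolated=ISOLATED_ZONES):
    """Return 'permit' or 'deny' for one flow using first-match semantics."""
    src_zone, dst_zone = hosts[src_host], hosts[dst_host]
    if src_zone == dst_zone:
        # Same segment: the firewall never sees this traffic.
        return "deny" if src_zone in isolated else "permit"
    for r in rules:
        if (r.src_zone == src_zone and r.dst_zone == dst_zone
                and (r.dst_port is None or r.dst_port == dst_port)):
            return r.action
    return "deny"  # implicit cleanup rule


def reachable_from(src_host, ports=(22, 443, 5432), **kw):
    """(host, port) pairs reachable from src_host: the blast radius if it is compromised."""
    hosts = kw.get("hosts", HOSTS)
    return sorted((h, p) for h in hosts for p in ports
                  if h != src_host and evaluate(src_host, h, p, **kw) == "permit")


def zone_pairs(n_dmz):
    """Ordered zone pairs the rule base must cover for n_dmz DMZs plus OUTSIDE and INSIDE."""
    total = n_dmz + 2
    return total * (total - 1)


if __name__ == "__main__":
    print("tiered, web1 compromised:", reachable_from("web1"))
    print("flat,   web1 compromised:",
          reachable_from("web1", rules=FLAT_RULES, hosts=FLAT_HOSTS, isolated=set()))
    for n in (1, 2, 4):
        print(f"{n} DMZ(s) -> {zone_pairs(n)} zone pairs to consider")
```

Running the module shows the contrast the post draws: in the flat layout a compromised web1 reaches db1 on every port because the firewall is not in the path, while in the tiered layout it reaches the database servers on the single permitted port and nothing else, and db1 and db2 cannot reach each other at all because of the isolation flag. The `zone_pairs` output (6 for one DMZ, 12 for two, 30 for four) is the rule-base complexity that grows with every additional segment.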

2 REPLIES
Community Member

Re: Recommended best practices for DMZ layout

Thanks for the info. This is very helpful.
