DMZs, Databases and Disasters (or preventing them)

I am giving some big kudos to Stephen Moore, Shane Castle and Nathaniel Hall, who helped me sort through some issues I was having regarding web servers pulling dynamic data off of SQL servers. I decided I wanted to base a little article around this. Let's set the scenario: an outside system hits the DMZ-based web server, which in turn pulls information from an internal SQL box.

My initial thought was: how can I secure this better than a one-to-one ACL that only permits traffic across the SQL port? My goal was to find an alternative solution that provided better granularity.
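To make the baseline concrete, here is the one-to-one ACL the post is starting from, modelled as an ordered firewall policy that is evaluated first-match with an implicit default deny. This is an added example, not code from the post: the addresses (192.0.2.0/24 for the DMZ, 10.0.0.0/8 for the internal network, 192.0.2.10 for the web server, 10.0.5.20 for the SQL box) are made up, and 1433 is assumed to be the SQL Server default TCP port. The `to_iptables` helper renders a rule as the equivalent iptables FORWARD-chain command so the policy can be compared against a real ruleset.

```python
"""Model of a DMZ firewall policy with a one-to-one ACL to an internal SQL server.

Added illustration only; all addresses below are constructed for the example.
Flows are evaluated first-match, and anything not matched is denied.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Assumed addressing for the example (not from the original post).
INTERNET = ipaddress.ip_network("0.0.0.0/0")
DMZ = ipaddress.ip_network("192.0.2.0/24")
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
WEB = ipaddress.ip_network("192.0.2.10/32")   # the DMZ web server
SQL = ipaddress.ip_network("10.0.5.20/32")    # the internal SQL box
SQL_PORT = 1433                               # SQL Server default TCP port (assumed)


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]   # None means any destination port
    action: str            # "allow" or "deny"


# Order matters: the narrow allow for web -> SQL must precede the broad
# DMZ -> internal deny, otherwise the deny would shadow it.
POLICY: List[Rule] = [
    Rule(INTERNET, WEB, 443, "allow"),        # public HTTPS to the web server
    Rule(INTERNET, WEB, 80, "allow"),         # public HTTP to the web server
    Rule(WEB, SQL, SQL_PORT, "allow"),        # the one-to-one ACL on the SQL port
    Rule(DMZ, INTERNAL, None, "deny"),        # nothing else crosses DMZ -> internal
    Rule(INTERNET, INTERNAL, None, "deny"),   # nothing from outside reaches internal
    Rule(INTERNET, DMZ, None, "deny"),        # no other services in the DMZ exposed
]


def evaluate(policy: List[Rule], src: str, dst: str, dport: int) -> str:
    """Return the action for a new TCP connection src -> dst:dport.

    Only connection setup is modelled; a stateful firewall would admit the
    SQL server's replies on the established flow without a separate rule.
    """
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    for rule in policy:
        if s in rule.src and d in rule.dst and (rule.dport is None or rule.dport == dport):
            return rule.action
    return "deny"   # implicit default deny


def to_iptables(rule: Rule) -> str:
    """Render a Rule as an iptables FORWARD-chain command (TCP only)."""
    target = "ACCEPT" if rule.action == "allow" else "DROP"
    port = f" -p tcp --dport {rule.dport}" if rule.dport is not None else ""
    return f"iptables -A FORWARD -s {rule.src} -d {rule.dst}{port} -j {target}"


if __name__ == "__main__":
    # Constructed sample flows, one per line: (description, src, dst, dport).
    flows = [
        ("internet -> web:443", "203.0.113.5", "192.0.2.10", 443),
        ("web -> sql:1433 (the ACL)", "192.0.2.10", "10.0.5.20", SQL_PORT),
        ("web -> sql:445 (wrong port)", "192.0.2.10", "10.0.5.20", 445),
        ("web -> other internal host:1433", "192.0.2.10", "10.0.5.21", SQL_PORT),
        ("other DMZ host -> sql:1433", "192.0.2.11", "10.0.5.20", SQL_PORT),
        ("internet -> sql:1433 directly", "203.0.113.5", "10.0.5.20", SQL_PORT),
    ]
    for desc, src, dst, dport in flows:
        print(f"{desc:36} {evaluate(POLICY, src, dst, dport)}")
    print()
    for rule in POLICY:
        print(to_iptables(rule))
```

Note what the model makes visible: the ACL pins down source host, destination host and port, but nothing below that. Any process on the web server that can open a socket, or anyone who gets code execution on it, can talk to the SQL listener on 1433 just as the application does, which is exactly the granularity gap the post is asking about.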


The Tai Chi of Active Directory in the DMZ

When dealing with security I often think of Lao Tzu, who wrote in the Tao Te Ching, “The soft and the pliable will defeat the hard and strong.”

In an effort to provide a manageable form of authentication in the DMZ for a Microsoft-centric organization, I was required to look at incorporating AD into a DMZ environment. A DMZ (demilitarized zone) is a separate network segment that hangs off its own interface on your firewall. It isolates the internal network from the Internet and controls what kind of traffic, if any, is allowed to pass through to the internal network.

By creating a DMZ, you limit the amount of damage an intruder can do to your network by containing them within the DMZ. Web servers and e-mail servers are the type of system that typically goes into the DMZ; a general rule is that if a server needs to be exposed to the Internet, it should be placed in the DMZ. With these servers hosted on a separate network segment, some form of authentication still needs to be present, and in Microsoft environments the choice is usually Active Directory. The catch is that joining DMZ hosts to the internal domain means opening the AD port set from the DMZ back to internal domain controllers, which gives a compromised DMZ host a path to the directory.

So how do you take a more secure approach to this?
