[WEB SECURITY] Website / Database Security Architecture - Best Practices ...

Ryan Barnett rcbarnett at gmail.com
Wed Sep 27 21:08:04 EDT 2006


Your existing web server (with CF and .NET) is your Web Application layer.
Both it and your DB should be moved to the internal network.  You should
then deploy a reverse proxy inside the DMZ to handle internet requests.
This is the presentation tier.  This server will be restricted by your DMZ
firewall rules to only allow inbound 80/443 traffic to your web application
server IP.  The web application host is the only IP that can talk with your
DB.

Since it appears you are a Microsoft shop - take a look at the article -
http://www.microsoft.com/technet/archive/ittasks/deploy/depovg/windna.mspx?mfr=true

Here is a graphic showing the multi-tier architecture -
http://www.microsoft.com/library/media/1033/technet/images/archive/ittasks/deploy/depovg/windna01_big.gif

Hope this helps.

-- 
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache


On 9/27/06, Idvweb at aol.com <Idvweb at aol.com> wrote:
>
>  But the web server and database are on a DMZ at the moment, then there is
> a firewall before you get to the corp network.
>
> You can't really split up the web and app tiers because for example
> Coldfusion and .NET are installed all on the same server.
>
> Does anybody have any examples / diagrams of what other companies use or
> best practices?
>
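The three-tier layout Ryan describes above (reverse proxy alone in the DMZ, the CF/.NET application host and the database on internal segments, each tier reachable only from the tier in front of it) is easy to get subtly wrong when it is translated into firewall rules. The following is an added example, not code from the original post or from either correspondent: it models the three chokepoints as explicit allow-lists, evaluates a flow against every firewall it would cross, and renders each list as default-deny iptables commands. The addresses, the segment layout and the SQL Server port (1433) are assumptions chosen for illustration.

```python
"""Model of the DMZ reverse-proxy design: proxy in the DMZ, web application and
database on separate internal segments, each reachable only from the tier in
front of it.

Added example; not code from the original post. Addresses, segment layout and
the SQL Server port 1433 are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed topology (assumed addresses: RFC 5737 documentation range for the
# DMZ, RFC 1918 space for the internal segments).
DMZ_NET  = ip_network("192.0.2.0/24")   # presentation tier
APP_NET  = ip_network("10.0.1.0/24")    # web application tier
DATA_NET = ip_network("10.0.2.0/24")    # database tier
ANY      = ip_network("0.0.0.0/0")

PROXY = ip_network("192.0.2.10/32")     # reverse proxy (assumed address)
APP   = ip_network("10.0.1.20/32")      # existing CF/.NET server (assumed)
DB    = ip_network("10.0.2.30/32")      # database server (assumed)

HTTP, HTTPS, MSSQL = 80, 443, 1433      # 1433 assumed (SQL Server default)


@dataclass(frozen=True)
class Rule:
    src: object      # ip_network; a single host is written as a /32
    dst: object
    dport: int       # TCP destination port


# Allow-lists for the three chokepoints. Anything not listed is dropped.
EXTERNAL_FW = [Rule(ANY, PROXY, HTTP), Rule(ANY, PROXY, HTTPS)]   # internet -> DMZ
INTERNAL_FW = [Rule(PROXY, APP, HTTP), Rule(PROXY, APP, HTTPS)]   # DMZ -> app tier
DATA_FW     = [Rule(APP, DB, MSSQL)]                              # app tier -> DB

ZONES = ["internet", "dmz", "app", "data"]          # ordered front to back
FW_BETWEEN = {("internet", "dmz"): EXTERNAL_FW,
              ("dmz", "app"): INTERNAL_FW,
              ("app", "data"): DATA_FW}


def zone(addr):
    """Map an address to its segment; anything unknown is treated as internet."""
    addr = ip_address(addr)
    for name, net in (("dmz", DMZ_NET), ("app", APP_NET), ("data", DATA_NET)):
        if addr in net:
            return name
    return "internet"


def firewalls_on_path(src_zone, dst_zone):
    """Every chokepoint a packet crosses between the two zones, either direction."""
    i, j = sorted((ZONES.index(src_zone), ZONES.index(dst_zone)))
    return [FW_BETWEEN[(ZONES[k], ZONES[k + 1])] for k in range(i, j)]


def is_allowed(src, dst, dport):
    """True only if every firewall on the path has an explicit allow for the flow."""
    s, d = ip_address(src), ip_address(dst)
    for fw in firewalls_on_path(zone(s), zone(d)):
        if not any(s in r.src and d in r.dst and dport == r.dport for r in fw):
            return False
    return True


def iptables_rules(rules, chain="FORWARD"):
    """Render one allow-list as iptables commands with a default-deny policy
    (Linux syntax assumed; the same policy maps onto any stateful firewall)."""
    out = [f"iptables -P {chain} DROP",
           f"iptables -A {chain} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for r in rules:
        out.append(f"iptables -A {chain} -p tcp -s {r.src} -d {r.dst} "
                   f"--dport {r.dport} -m conntrack --ctstate NEW -j ACCEPT")
    return out


if __name__ == "__main__":
    for name, fw in (("external", EXTERNAL_FW), ("internal", INTERNAL_FW), ("data", DATA_FW)):
        print(f"# {name} firewall")
        print("\n".join(iptables_rules(fw)))
```

Two properties of the design fall out of the model: an attacker who fully compromises the DMZ proxy still cannot open a connection to the database (the data firewall only accepts the application host as a source), and the database cannot initiate connections outward at all, since no allow-list names it as a source. Traffic that stays inside one segment is not filtered here; that is where host firewalls on the application and database servers take over.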