0

I need to secure an internal web server and SQL DB that is going to be made public (www). At this stage I'm only looking to provide a reasonable amount of security ($$) until it gets bigger, at which point further work will be done.

As the servers are located internally within the business LAN, the web server will be moved into a DMZ, with the correct ports open/closed.

So the question: should the SQL server stay within the LAN or move to the DMZ? I think it makes sense to keep the DB in the LAN, separating the concerns. What does everyone else think?

*Remember, I'm looking at a reasonable amount of security at this stage; additional internal firewalls are not on the cards at this stage.

D-W
  • http://security.stackexchange.com/questions/8861/what-is-the-best-practice-for-placing-database-servers-in-secure-network-topolog – Deer Hunter Oct 24 '14 at 09:07

1 Answer

1

In my experience, the worst option would be to store the DB in the DMZ, as this has the greatest surface area, so definitely keep it on the internal LAN. As I'm sure is explained in the article in the comment, a better model would be to have the DB server(s) on their own network segment, as this will subsequently allow better traffic analysis, but as you mention that additional firewalls aren't on the cards yet, might you be able to VLAN them into a new segment with your existing infrastructure?

Goes without saying, but would HIGHLY recommend the CIS hardening standards are applied to your web and DB server. I know you only asked about segmentation, but if you are looking at security, these are a good, free way to get started on the configs:

http://benchmarks.cisecurity.org/downloads/

greko
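One way to sanity-check the segmentation discussed in the answer, as an added example that is not part of the original posts: a first-match rule audit that lists every flow the internet or the DMZ can open beyond the intended ones. The zone names, probe ports, rule sets and port 1433 for the SQL server are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed zone names, probe ports and rule sets (assumptions, not from the thread).
ZONES = ("internet", "dmz", "lan", "db")
PROBE_PORTS = (22, 80, 443, 1433, 3389)
DB_PORT = 1433  # assumed SQL Server default port

@dataclass(frozen=True)
class Rule:
    src: str              # zone name or "any"
    dst: str              # zone name or "any"
    port: Optional[int]   # None matches any port
    action: str           # "allow" or "deny"

def decide(rules, src, dst, port):
    """First matching rule wins; anything unmatched is denied."""
    for r in rules:
        if r.src in (src, "any") and r.dst in (dst, "any") and r.port in (port, None):
            return r.action
    return "deny"

# The only flows that untrusted zones should be able to open.
INTENDED = {("internet", "dmz", 80), ("internet", "dmz", 443), ("dmz", "db", DB_PORT)}

def audit(rules):
    """Return allowed flows from internet/DMZ that are not in INTENDED."""
    findings = []
    for src in ("internet", "dmz"):
        for dst in ZONES:
            for port in PROBE_PORTS:
                flow = (src, dst, port)
                if dst != src and flow not in INTENDED and decide(rules, *flow) == "allow":
                    findings.append(flow)
    return findings

# Flat layout: DB sits on the LAN and the web server may reach the whole LAN.
FLAT = [Rule("internet", "dmz", 80, "allow"), Rule("internet", "dmz", 443, "allow"),
        Rule("dmz", "lan", None, "allow")]

# Segmented layout: DB on its own VLAN, web server limited to the DB port.
SEGMENTED = [Rule("internet", "dmz", 80, "allow"), Rule("internet", "dmz", 443, "allow"),
             Rule("dmz", "db", DB_PORT, "allow"), Rule("dmz", "any", None, "deny")]

if __name__ == "__main__":
    print("flat:", audit(FLAT))
    print("segmented:", audit(SEGMENTED))
```

With the flat rule set, every probed port on the LAN is reachable from the web server; with the DB on its own VLAN, the only path left from the DMZ is the database port.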