I need to have my web server IIS 6 access our database SQL2005. Our web
server holds other web sites so I would like to leave it in the DMZ and the
SQL in the LAN. From what I have heard this is not the best method. Has
anyone done this? Is there a better way?
Thanks

Hello royst,
> I need to have my web server IIS 6 access our database SQL2005. Our
> web server holds other web sites so I would like to leave it in the
> DMZ and the SQL in the LAN. From what I have heard this is not the
> best method. Has anyone done this? Is there a better way?
Sometimes this design is about the only secure method making it work. The problem
with it is that it's lower perf than having the SQL Server in DMZ because
of need to connect back through a firewall. You may also have to use standard
logins, but as long as you're taking reasonable steps to secure your DMZ
to LAN connection, that's probably an acceptable risk.
Thanks!
Kent Tegels
DevelopMentor
http://staff.develop.com/ktegels/

Thanks Kent
The performance is not an issue. Security on the other hand is. I have
reservations on opening up SQL ports on my firewall. Just trying to find a
more secure way to do this with IIS in the DMZ and SQL in the local LAN.
"Kent Tegels" wrote:
> Hello royst,
>
> Sometimes this design is about the only secure method making it work. The problem
> with it is that it's lower perf than having the SQL Server in DMZ because
> of need to connect back through a firewall. You may also have to use standard
> logins, but as long as you're taking reasonable steps to secure your DMZ
> to LAN connection, that's probably an acceptable risk.
> Thanks!
> Kent Tegels
> DevelopMentor
> http://staff.develop.com/ktegels/
>
>

Hello royst,
If you have a decent firewall, you should be able to restrict by address
who can initiate a connection on port 1433. You could also require TLS or
SSL encryption on the connection for good measure with performance implications.
The alternative would be to do some form of replication, but that leaves you
with a port (or set of them) open at some point.
Good luck,
kt
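
An added example, not part of the thread: a small first-match rule evaluator that checks whether any DMZ host other than the web server can initiate a connection to the SQL Server on port 1433, which is the address restriction suggested in the last reply. The addresses, rule names and rule layout are constructed assumptions and do not correspond to any particular firewall product.

```python
import ipaddress

# Constructed sample values: addresses, rule names and rule layout are assumptions.
DMZ_NET = "192.0.2.0/29"
WEB = ipaddress.ip_address("192.0.2.2")   # IIS host in the DMZ
SQL = ipaddress.ip_address("10.0.0.20")   # SQL Server on the LAN

STRICT = [  # evaluated top-down, first match wins
    {"name": "web-to-sql", "action": "allow", "src": "192.0.2.2/32",
     "dst": "10.0.0.20/32", "ports": (1433, 1433)},
    {"name": "deny-all", "action": "deny", "src": "0.0.0.0/0",
     "dst": "0.0.0.0/0", "ports": (0, 65535)},
]
# Same policy with a broad leftover rule inserted ahead of the final deny.
LOOSE = STRICT[:1] + [
    {"name": "legacy-dmz", "action": "allow", "src": "192.0.2.0/29",
     "dst": "10.0.0.0/24", "ports": (1024, 65535)},
] + STRICT[1:]


def first_match(rules, src, dst, port):
    """Return the first rule matching the flow, or an implicit deny."""
    for rule in rules:
        lo, hi = rule["ports"]
        if (src in ipaddress.ip_network(rule["src"])
                and dst in ipaddress.ip_network(rule["dst"])
                and lo <= port <= hi):
            return rule
    return {"name": "implicit-deny", "action": "deny"}


def unexpected_sql_access(rules, port=1433):
    """List (host, rule) for DMZ hosts other than WEB that may open the SQL port."""
    hits = []
    for host in ipaddress.ip_network(DMZ_NET).hosts():
        rule = first_match(rules, host, SQL, port)
        if host != WEB and rule["action"] == "allow":
            hits.append((str(host), rule["name"]))
    return hits


if __name__ == "__main__":
    for label, rules in (("strict", STRICT), ("loose", LOOSE)):
        print(label, "web server:", first_match(rules, WEB, SQL, 1433)["action"],
              "| others allowed:", unexpected_sql_access(rules))
```

The loose rule set still lets the web server through, so the application keeps working while every other DMZ host can also reach SQL Server; only a check from the other hosts' point of view shows the difference.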