Re: where to put SQL Server ? by Karl
Karl
Fri May 21 06:14:59 CDT 2004
"Robert Moir" <RobertMoir@discussions.microsoft.com> wrote in message
news:82F7FE43-59D9-42B6-A59A-5D658DD3A5FE@microsoft.com...
> Hi Hernán,
> In general, I always think it's best not to expose any more of your network
> to the outside than you have to, which suggests putting your SQL server on
> your LAN rather than exposing it to the web directly.
>
> But with the specific case you mention here of it having to talk to a web
> app, I would have to say that separate "subnets" don't mean very much
> without a better idea of how traffic is routed and protected between these
> subnets. Can you explain a bit more please?

Agreed, I'm not sure what "web subnet" means exactly.

If outside users are accessing your app from the Internet, a typical
security posture would be to put those servers on a DMZ. If you have both
Internet and Intranet users accessing the same application, I would think it
would be safer to not put the SQL database on the internal LAN, on the
premise that if the web server and/or the SQL server were hacked from the
Internet, they would have a hole into your internal network. If you do
that, and you have the resources, it might be sensible to use some sort of
IP filtering [firewall, IPSec filtering rules] to further separate the web
server from the SQL server, instead of just putting them on the same DMZ
subnet.

In some cases, depending on how your app is set up, it might be sensible to
have two different SQL servers on the Intranet and DMZ, with the Intranet
SQL server initiating replication at intervals. How much security you feel
you need is up to you.

You could certainly use IPSec. That would provide encryption to defeat
sniffing and man-in-the-middle session hijacking, and possibly
authentication as well.
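
The segmentation described in this reply, modelled as an added example that is not part of the original post: a default-deny, stateful filter between a web DMZ subnet, a separate SQL DMZ subnet and the LAN, with a check of what each zone could initiate if a host in it were compromised. The subnets, zone names and ports (443 for the web app, 1433 as the SQL Server default) are assumptions made for the illustration.

```python
import ipaddress

# Constructed addressing plan (assumption): two DMZ subnets plus the internal LAN.
# Any address outside these networks is treated as "internet".
ZONES = {
    "dmz_web": ipaddress.ip_network("192.0.2.0/28"),
    "dmz_sql": ipaddress.ip_network("192.0.2.16/28"),
    "lan": ipaddress.ip_network("10.0.0.0/8"),
}

# Stateful allow rules: (initiating zone, destination zone, TCP port).
# Replies on an established connection are implied; everything else is dropped.
ALLOW = {
    ("internet", "dmz_web", 443),   # outside users reach only the web server
    ("lan", "dmz_web", 443),        # intranet users use the same application
    ("dmz_web", "dmz_sql", 1433),   # web server talks to SQL, nothing else
    ("lan", "dmz_sql", 1433),       # intranet SQL server initiates replication
}

def zone_of(ip: str) -> str:
    """Map an address to its zone; unknown addresses count as internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"

def allowed(src_ip: str, dst_ip: str, port: int) -> bool:
    """True if src may open a new connection to dst:port across zones."""
    return (zone_of(src_ip), zone_of(dst_ip), port) in ALLOW

def reachable_from(zone: str) -> set:
    """(zone, port) pairs a host in `zone` may initiate connections to."""
    return {(dst, port) for src, dst, port in ALLOW if src == zone}

def lan_exposure() -> set:
    """Zones permitted to open connections into the LAN (should be empty)."""
    return {src for src, dst, _ in ALLOW if dst == "lan"}

if __name__ == "__main__":
    for z in ("internet", "dmz_web", "dmz_sql"):
        print(z, "->", sorted(reachable_from(z)))
    print("zones that can initiate into LAN:", sorted(lan_exposure()))
```

Because the LAN side always initiates, no rule has the LAN as a destination, so neither DMZ host has a path inward even if it is taken over.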