Q

Securing IIS and SQL Server as part of an online platform

Learn how to protect the platform between your database and the web beginning with keeping your DMZ machines as distant from your internal domain as possible.

How would you secure Internet Information Server (IIS) and SQL Server as part of a new online banking platform? Members will connect to the Web server to conduct their online banking transactions. The SQL Server databases will contain member data as well as other sensitive data. The Web server will be in its own demilitarized zone (DMZ) and it will be a standalone server. However, the SQL Server servers (and one middleware server) will be in our DMZ. I wasn't sure what the common practice is for domain membership for servers in DMZs. Just a high-level response would be okay. Should SQL be behind two firewalls and should Internet Protocol Security (IPsec) be used between IIS and SQL Server?

A

I personally would keep the DMZ machines as distant from your internal domain as possible. That means NOT putting them into the domain. Secure your IIS 5 server using the IIS Lockdown script from Microsoft. If you're using IIS 6, you're a lot more protected "out of the box". If you can upgrade the Web servers to IIS 6, go ahead and do so. The folks over at eEye have a nice little product called SecureIIS that adds some protection and rudimentary IPS abilities to IIS. I've used it on IIS 5 but have no experience with that product on IIS 6.

If you have some dollars to spend, I would look at Entercept (now owned by McAfee). Their host-based IPS is really top notch, and will prevent known and anomalous (unknown) attacks. Check out SQLSecurity.com for help locking down your database. The site's maintainer, Chip Andrews, is the person who coined the phrase "SQL injection" and has been an authority on securing databases for almost a decade.


IPsec between the Web and the database is a fantastic idea but realize this only protects against someone sniffing traffic between the two. If someone compromises the Web server, the IPsec tunnel between it and the database will still be intact. In fact, it will aid in cloaking the activities of the attacker from any network signature-based IDS that you may have in the DMZ (such as Snort).
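As an added illustration of the IPsec-plus-firewall arrangement the answer recommends (example configuration written for this page, not code from the original answer or from Microsoft), the following PowerShell restricts SQL Server's TCP 1433 on the database host so that only the Web and middleware hosts can reach it, and only over authenticated IPsec. It assumes the NetSecurity module on Windows Server 2012 or later rather than the IIS 5/6-era tooling the answer mentions, and it assumes machine certificates issued by a CA you control, because the DMZ hosts are deliberately not domain members and therefore cannot use Kerberos. All addresses and the CA subject are placeholders.

```powershell
# Added example, not part of the original answer. Run on the SQL Server host in the DMZ.
# Placeholder values: replace with the real DMZ addresses and your CA's subject.
$WebServer    = '10.0.1.10'          # placeholder: IIS host
$Middleware   = '10.0.1.20'          # placeholder: middleware host
$AllowedPeers = @($WebServer, $Middleware)
$CaSubject    = 'CN=Example DMZ CA'  # placeholder: CA that issued machine certs to the DMZ hosts

# Machine-certificate authentication works between standalone (non-domain) hosts,
# which is why it pairs with the advice to keep DMZ machines out of the domain.
$authProposal = New-NetIPsecAuthProposal -Machine -Cert -Authority $CaSubject -AuthorityType Root
$phase1       = New-NetIPsecPhase1AuthSet -DisplayName 'DMZ machine certificates' -Proposal $authProposal

# Connection security rule: traffic on TCP 1433 with the allowed peers must be
# protected by IPsec in both directions (transport mode, host to host).
New-NetIPsecRule -DisplayName 'SQL 1433 requires IPsec' `
    -Protocol TCP -LocalPort 1433 `
    -RemoteAddress $AllowedPeers `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $phase1.Name -Mode Transport

# Firewall rule: admit 1433 only from those peers and only on an authenticated
# (IPsec-protected) connection. Windows Firewall blocks other inbound traffic by default,
# so no separate block rule is needed for the rest of the DMZ.
New-NetFirewallRule -DisplayName 'SQL 1433 from web tier only' `
    -Direction Inbound -Protocol TCP -LocalPort 1433 `
    -RemoteAddress $AllowedPeers `
    -Authentication Required -Action Allow

# Verification: confirm both rules are present and enabled.
Get-NetIPsecRule    -DisplayName 'SQL 1433 requires IPsec'    | Format-List DisplayName, Enabled, InboundSecurity, OutboundSecurity, Mode
Get-NetFirewallRule -DisplayName 'SQL 1433 from web tier only' | Format-List DisplayName, Enabled, Direction, Action
```

This bounds who can open a database connection and authenticates the peer, which addresses the sniffing case the answer describes. It does nothing about the other case the answer raises: a compromised Web server still holds a valid certificate and a valid tunnel, and the traffic inside that tunnel is opaque to a network IDS such as Snort. That is why the database itself still has to be locked down (the answer's SQLSecurity.com pointer) rather than relying on the link encryption alone.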

This was first published in May 2006
