Securing IIS and SQL Server as part of an online platform
How would you secure Internet Information Server (IIS) and SQL Server as part of a new online banking platform? Members will connect to the Web server to conduct their online banking transactions. The SQL Server databases will contain member data as well as other sensitive data. The Web server will be in its own demilitarized zone (DMZ) and it will be a standalone server.
However, the SQL Server servers (and one middleware server) will be in our DMZ. I wasn't sure what the common practice is for domain membership for servers in DMZs. Just a high-level response would be okay. Should SQL be behind two firewalls and should Internet Protocol Security (IPsec) be used between IIS and SQL Server?
I personally would keep the DMZ machines as distant from your internal domain as possible. That means NOT putting them into the domain. Secure your IIS 5 server using the IIS Lockdown script from Microsoft. If you're using IIS 6, you're a lot more protected "out of the box". If you can upgrade the Web servers to IIS 6, go ahead and do so. The folks over at eEye have a nice little product called SecureIIS that adds some protection and rudimentary IPS abilities to IIS. I've used it on IIS 5 but have no experience with that product on IIS 6.
If you have some dollars to spend, I would look at Entercept (now owned by McAfee). Their host-based IPS is really top notch, and will prevent known and anomalous (unknown) attacks. Check out SQLSecurity.com for help locking down your database. The site's maintainer, Chip Andrews, is the person who coined the phrase "SQL injection" and has been an authority on securing databases for almost a decade.
IPsec between the Web and the database is a fantastic idea, but realize this only protects against someone sniffing traffic between the two. If someone compromises the Web server, the IPsec tunnel between it and the database will still be intact. In fact, it will aid in cloaking the activities of the attacker from any network signature-based IDS that you may have in the DMZ (such as Snort).
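One concrete way to apply the "IPsec between IIS and SQL, no domain membership" advice on the database host, as an added example that is not part of the original answer. It uses the Windows Firewall with Advanced Security cmdlets of current Windows Server rather than the IIS 5/6-era netsh tooling, and the web server address, port and CA name are placeholders.

```powershell
# Added example, not from the original answer: restrict TCP 1433 on the SQL Server
# host to the single DMZ web server and require certificate-authenticated,
# encrypted IPsec. Assumed placeholders: web server 10.0.1.10, an internal root CA
# "CN=Bank DMZ Root CA" whose computer certificates are installed on both hosts,
# and a Windows Server with the NetSecurity module.

# Certificate-based machine authentication, so neither DMZ host has to be a
# domain member (the default Kerberos method would require domain membership).
$proposal = New-NetIPsecAuthProposal -Machine -Cert -Authority "CN=Bank DMZ Root CA" -AuthorityType Root
$phase1   = New-NetIPsecPhase1AuthSet -DisplayName "DMZ machine cert auth" -Proposal $proposal

# Connection security rule: SQL traffic with the web server must be protected by
# IPsec in both directions.
New-NetIPsecRule -DisplayName "Require IPsec web-to-SQL" `
    -InboundSecurity Require -OutboundSecurity Require `
    -Protocol TCP -LocalPort 1433 -RemoteAddress 10.0.1.10 `
    -Phase1AuthSet $phase1.InstanceID

# Firewall rule: only the web server may reach 1433, and only over an
# authenticated, encrypted security association. Everyone else falls to the
# default inbound policy (Block).
New-NetFirewallRule -DisplayName "SQL 1433 from DMZ web server only" `
    -Direction Inbound -Protocol TCP -LocalPort 1433 `
    -RemoteAddress 10.0.1.10 -Action Allow `
    -Authentication Required -Encryption Required

# Check that the rule is scoped to the web server address as intended.
Get-NetFirewallRule -DisplayName "SQL 1433 from DMZ web server only" |
    Get-NetFirewallAddressFilter | Select-Object RemoteAddress
```

Because the tunnel hides the SQL traffic from a network IDS in the DMZ, keep SQL Server's own auditing and a host-based IPS on the database host, as the answer recommends.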
This was first published in May 2006