Ask the Expert

Securing IIS and SQL Server as part of an online platform

How would you secure Internet Information Server (IIS) and SQL Server as part of a new online banking platform? Members will connect to the Web server to conduct their online banking transactions. The SQL Server databases will contain member data as well as other sensitive data. The Web server will be in its own demilitarized zone (DMZ) and it will be a standalone server. However, the SQL Server servers (and one middleware server) will be in our DMZ. I wasn't sure what the common practice is for domain membership for servers in DMZs. Just a high-level response would be okay. Should SQL be behind two firewalls, and should Internet Protocol Security (IPsec) be used between IIS and SQL Server?

I personally would keep the DMZ machines as distant from your internal domain as possible. That means NOT putting them into the domain. Secure your IIS 5 server using the IIS Lockdown script from Microsoft. If you're using IIS 6, you're a lot more protected "out of the box". If you can upgrade the Web servers to IIS 6, go ahead and do so. The folks over at eEye have a nice little product called SecureIIS that adds some protection and rudimentary IPS abilities to IIS. I've used it on IIS 5 but have no experience with that product on IIS 6.

If you have some dollars to spend, I would look at Entercept (now owned by McAfee). Their host-based IPS is really top notch, and will prevent known and anomalous (unknown) attacks. Check out SQLSecurity.com for help locking down your database. The site's maintainer, Chip Andrews, is the person who coined the phrase "SQL injection" and has been an authority on securing databases for almost a decade.

IPsec between the Web and the database is a fantastic idea, but realize this only protects against someone sniffing traffic between the two. If someone compromises the Web server, the IPsec tunnel between it and the database will still be intact. In fact, it will aid in cloaking the activities of the attacker from any network signature-based IDS that you may have in the DMZ (such as Snort).
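The following is an added worked example, not code from the original answer or from the expert. It shows what the advice above looks like on a current Windows Server SQL host using the built-in NetSecurity cmdlets (the IIS 5 / IIS Lockdown tooling in the answer predates them): restrict the SQL listener to the web server's address, require IPsec on that port with machine-certificate authentication (Kerberos would need the DMZ hosts to be domain members, which the answer argues against), and then, because a compromised web server still holds a valid tunnel, cut what the application login can do inside the database. The addresses, port, CA name, database, schema and login name are assumptions for illustration.

```powershell
# Added example (not from the original Q&A). Run on the SQL Server host in the DMZ,
# Windows Server 2012 or later, from an elevated PowerShell session.
# All names and addresses below are assumptions for illustration.

$WebServerIP = '10.10.1.10'           # assumed DMZ address of the standalone IIS host
$SqlPort     = 1433                   # assumed: instance bound to a static port, not dynamic ports
$CaSubject   = 'CN=Bank DMZ Root CA'  # assumed: private CA that issued both hosts' machine certs

# 1. Firewall: only the web server may reach the SQL listener. With the default inbound
#    policy set to Block, every other source is dropped before TDS is ever spoken.
New-NetFirewallRule -DisplayName 'SQL 1433 from web server only' `
    -Direction Inbound -Protocol TCP -LocalPort $SqlPort `
    -RemoteAddress $WebServerIP -Action Allow -Profile Any

# 2. IPsec peer authentication by machine certificate chained to the private CA.
#    This avoids Kerberos (and therefore domain membership for the DMZ hosts) and is
#    stronger than a pre-shared key, which is the other non-domain option.
$certAuth = New-NetIPsecAuthProposal -Machine -Cert -Authority $CaSubject -AuthorityType Root
$authSet  = New-NetIPsecPhase1AuthSet -DisplayName 'DMZ machine cert auth' -Proposal $certAuth

# 3. Require (not merely request) IPsec for SQL traffic from the web server, so an
#    unauthenticated or plaintext TDS session is refused rather than just left unencrypted.
New-NetIPsecRule -DisplayName 'Require IPsec for SQL from web server' `
    -InboundSecurity Require -OutboundSecurity Require `
    -Protocol TCP -LocalPort $SqlPort -RemoteAddress $WebServerIP `
    -Phase1AuthSet $authSet.Name

# 4. What IPsec cannot do: an attacker on the web server inherits a working tunnel.
#    Limit the blast radius at the database instead. The application login gets EXECUTE
#    on a schema of stored procedures and nothing else: no direct table access, no server
#    roles. Login, database and schema names are assumed; replace the password placeholder.
$limitLogin = @'
CREATE LOGIN [bankweb] WITH PASSWORD = N'<strong password>', CHECK_POLICY = ON;
USE OnlineBanking;
CREATE USER [bankweb] FOR LOGIN [bankweb];
GRANT EXECUTE ON SCHEMA::api TO [bankweb];                      -- only the procedures the site calls
DENY SELECT, INSERT, UPDATE, DELETE ON SCHEMA::dbo TO [bankweb]; -- no ad hoc queries against the tables
'@
sqlcmd -S localhost -E -Q $limitLogin
```

Verify the result from the web server with a plain TCP connect to port 1433 before and after step 3: before, the TDS handshake completes in the clear; after, the connection only succeeds once the IPsec main-mode and quick-mode SAs appear in `Get-NetIPsecMainModeSA` and `Get-NetIPsecQuickModeSA` on the SQL host. The same caveat the answer gives applies to the added rules: an IDS sensor in the DMZ now sees only ESP between the two hosts, so detection for the web-to-database path has to move to the endpoints (SQL Server audit, the web server's own logs) rather than the wire.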

This was first published in May 2006