EXPERT RESPONSE
I personally would keep the DMZ machines as distant from your internal domain as possible. That means NOT putting them into the domain. Secure your IIS 5 server using the IIS Lockdown script from Microsoft. If you're using IIS 6, you're a lot more protected "out of the box". If you can upgrade the Web servers to IIS 6, go ahead and do so. The folks over at eEye have a nice little product called SecureIIS that adds some protection and rudimentary IPS abilities to IIS. I've used it on IIS 5 but have no experience with that product on IIS 6.
If you have some dollars to spend, I would look at Entercept (now owned by McAfee). Their host-based IPS is really top notch, and will prevent known and anomalous (unknown) attacks. Check out SQLSecurity.com for help locking down your database. The site's maintainer, Chip Andrews, is the person who coined the phrase "SQL injection" and has been an authority on securing databases for almost a decade.
IPsec between the Web and the database is a fantastic idea, but realize this only protects against someone sniffing traffic between the two. If someone compromises the Web server, the IPsec tunnel between it and the database will still be intact. In fact, it will aid in cloaking the activities of the attacker from any network signature-based IDS that you may have in the DMZ (such as Snort).
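To illustrate the last point from a defender's side: once Web-to-database traffic is inside an IPsec tunnel, a Snort sensor in the DMZ sees only encrypted packets, so the query inspection it would have done has to move onto the database host, which still sees every statement in the clear. The script below is an added example, not part of the expert's response or of any vendor product; it assumes a hypothetical, simplified query log of the form `timestamp|client_ip|login|statement` (constructed sample lines, not real data), an assumed allow-list of the one address and login the Web tier should use, and a small set of signature rules.

```python
import re
from dataclasses import dataclass

# Constructed sample of a simplified database query log (not real data).
# Assumed format: timestamp|client_ip|login|statement
SAMPLE_LOG = """\
2004-03-01T10:00:01|10.0.1.5|webapp|SELECT name, price FROM products WHERE id = 42
2004-03-01T10:00:02|10.0.1.5|webapp|SELECT name, price FROM products WHERE id = 42 UNION SELECT name, password FROM sysusers
2004-03-01T10:00:03|10.0.1.5|webapp|EXEC master..xp_cmdshell 'dir c:\\'
2004-03-01T10:00:04|10.0.1.5|webapp|SELECT name FROM products WHERE id = 7 -- trailing comment
2004-03-01T10:00:05|10.0.1.5|webapp|SELECT * FROM orders WHERE customer = 'smith'
2004-03-01T10:00:06|10.0.2.9|sa|SELECT name FROM sysobjects WHERE xtype = 'U'
"""

# Hypothetical allow-list: the only (address, login) pair the Web tier
# should ever present to the database.
EXPECTED_CLIENTS = {("10.0.1.5", "webapp")}

# Signature rules applied to the statement text only (assumed, not a
# vendor rule set). Each is a classic indicator of injection or abuse.
RULES = [
    ("union-select", re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I)),
    ("xp_cmdshell", re.compile(r"\bxp_cmdshell\b", re.I)),
    ("sql-comment", re.compile(r"(--|/\*)")),
    ("schema-probe", re.compile(r"\bsys(objects|users|columns)\b", re.I)),
]


@dataclass
class Finding:
    timestamp: str
    client_ip: str
    login: str
    rule: str
    statement: str


def parse_line(line):
    """Split one log line into its four fields; return None if malformed."""
    parts = line.rstrip("\n").split("|", 3)
    if len(parts) != 4:
        return None
    ts, ip, login, stmt = parts
    return {"timestamp": ts, "client_ip": ip, "login": login, "statement": stmt}


def scan_record(rec):
    """Return one Finding per rule that fires on a single parsed record."""
    findings = []
    # A connection from anywhere but the Web tier's own identity is a
    # finding on its own, regardless of what the statement says.
    if (rec["client_ip"], rec["login"]) not in EXPECTED_CLIENTS:
        findings.append(Finding(rec["timestamp"], rec["client_ip"],
                                rec["login"], "unexpected-client",
                                rec["statement"]))
    for name, pattern in RULES:
        if pattern.search(rec["statement"]):
            findings.append(Finding(rec["timestamp"], rec["client_ip"],
                                    rec["login"], name, rec["statement"]))
    return findings


def scan_log(text):
    """Scan a whole log; blank and malformed lines are skipped."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            continue
        findings.extend(scan_record(rec))
    return findings


def summarize(findings):
    """Count findings per (client_ip, login) so a burst from one source stands out."""
    counts = {}
    for f in findings:
        key = (f.client_ip, f.login)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        print(f"{f.timestamp} {f.client_ip} {f.login} [{f.rule}] {f.statement[:60]}")
    print(summarize(hits))
```

Run against the constructed sample, the scan flags the UNION and system-table probe on the second line, the xp_cmdshell call, the trailing comment, and both the unexpected `sa` login and its sysobjects query, while the two ordinary product and order lookups pass. The allow-list check is the cheap, high-value half: a compromised Web server still connects as the expected client, which is exactly why the statement-level rules are needed alongside it, and why this logging has to live on the database host rather than on a sensor that now sees only ESP.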