Need help with multi-homed server

Hi,

I'm setting up a new web application server that hosts an ASP.NET
application we built that uses SQL Server as its backend.

We have two NICs in this machine that will be hosting this app. We have
three zones in the network, i.e. internal network, DMZ and Internet. I'd like
to set this server up as a multi-homed server and put one NIC in the internal
network and one in the DMZ. I'd like to use the internal NIC for SQL Server
access and use the NIC in the DMZ for accessing the application through IIS.

My question: is there anything special I need to do for this setup? I'll
assign a DMZ IP to the NIC in the DMZ and set up the web site that will be
hosting the ASP.NET app with that IP.

I'll then assign an internal IP to the NIC that's on the internal network.
Our SQL Server is on the internal network so the app server should
automatically connect to SQL Server through the NIC w/ internal IP.

However, because I've never set up a multi-homed server before, I want to
make sure I'm doing the right things here. Is there anything special I need
to do to make sure that the connection to SQL Server will be through the NIC
with the internal IP?
 
Sam said:
Hi,

I'm setting up a new web application server that hosts an ASP.NET
application we built that uses SQL Server as its backend.

We have two NICs in this machine that will be hosting this app. We have
three zones in the network, i.e. internal network, DMZ and Internet. I'd like
to set this server up as a multi-homed server and put one NIC in the internal
network and one in the DMZ. I'd like to use the internal NIC for SQL Server
access and use the NIC in the DMZ for accessing the application through IIS.

My question: is there anything special I need to do for this setup?

No, nothing special, as long as there is only one default gateway and it is
the correct one, pointing to the Internet. You also want to make sure
"routing" is off and that only the LAN NIC has Client for Microsoft Networks and
File & Print Sharing. The other NICs should have *only* TCP/IP.
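As an added example (not part of the thread), the checklist in that reply can be verified from an elevated PowerShell prompt on a current Windows Server (it uses the NetTCPIP and NetAdapter cmdlets, so Windows Server 2012 or later). The adapter names "DMZ" and "Internal" and the SQL Server address 10.0.0.25 are assumed placeholders; change them to match the box.

```powershell
# Added example, not from the thread: audit a dual-homed Windows host against
# the checklist above (one default gateway on the DMZ side, routing off, only
# TCP/IP bound on the DMZ NIC) and report which NIC traffic to SQL Server uses.
# Adapter names and the SQL Server address are assumed placeholders.
$DmzAdapter      = 'DMZ'
$InternalAdapter = 'Internal'
$SqlServer       = '10.0.0.25'   # assumed internal address of the SQL Server

$problems = @()

# 1. Exactly one IPv4 default route, and it must leave via the DMZ NIC.
$defaults = @(Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0')
if ($defaults.Count -ne 1) {
    $problems += "Expected exactly one IPv4 default route, found $($defaults.Count)"
} elseif ($defaults[0].InterfaceAlias -ne $DmzAdapter) {
    $problems += "Default route leaves via '$($defaults[0].InterfaceAlias)', expected '$DmzAdapter'"
}

# 2. IP forwarding ("routing") must be off on both interfaces, otherwise the
#    box itself becomes a router between the DMZ and the internal LAN.
foreach ($name in @($DmzAdapter, $InternalAdapter)) {
    $if = Get-NetIPInterface -InterfaceAlias $name -AddressFamily IPv4
    if ("$($if.Forwarding)" -eq 'Enabled') {
        $problems += "IP forwarding is enabled on '$name'"
    }
}

# 3. Client for Microsoft Networks (ms_msclient) and File and Printer Sharing
#    (ms_server) belong on the internal NIC only; the DMZ NIC carries TCP/IP only.
foreach ($component in @('ms_msclient', 'ms_server')) {
    $binding = Get-NetAdapterBinding -Name $DmzAdapter -ComponentID $component
    if ($binding.Enabled) {
        $problems += "'$($binding.DisplayName)' is bound on the DMZ adapter '$DmzAdapter'"
    }
}

# 4. Ask the stack which route it would actually pick for the SQL Server.
#    Find-NetRoute returns the chosen source address and the matching route;
#    keep the route object (the one that has a DestinationPrefix).
$sqlRoute = Find-NetRoute -RemoteIPAddress $SqlServer | Where-Object { $_.DestinationPrefix }
if ($sqlRoute.InterfaceAlias -ne $InternalAdapter) {
    $problems += "Traffic to $SqlServer would leave via '$($sqlRoute.InterfaceAlias)', expected '$InternalAdapter'"
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output "Multi-homed configuration matches the checklist."
```

Check 4 is the one that answers the original question. Traffic to SQL Server only "automatically" takes the internal NIC when the SQL Server sits on the subnet directly attached to that NIC; with the single default gateway on the DMZ side, any other internal subnet needs a persistent static route on the internal interface (New-NetRoute -DestinationPrefix ... -InterfaceAlias Internal -NextHop ...), or the connection goes out the DMZ gateway instead.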
 
Personally, I wouldn't use the type of setup you described at all; instead I
would set up the web server with a single NIC on the DMZ. I would then set up
port forwarding on the router to forward SQL requests (port 1433, assuming
it's an MS SQL Server) from the web server, and only the web server, to the SQL
server.

The setup you are describing defeats the purpose of setting up a DMZ. Should
someone gain root access to the web server or compromise it in some way, then
you have just opened the door wide open to your internal private network.
Imagine someone gains control of the web server and installs a packet sniffer
on that machine; under certain circumstances, they will be able to map out
your network and read any unencrypted traffic.

I believe your setup would fail a security audit if you have confidential
data for which you have a fiduciary responsibility to protect.

If the router you are using for your setup does not provide that level of
functionality, then I would look at investing in a commercial-grade router /
hardware firewall such as those offered by SonicWALL (www.sonicwall.com), or
at setting up a quality software firewall such as the Check Point
(www.checkpoint.com) offerings.

James
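As an added example (not part of the thread), the "only the web server may reach SQL Server on 1433" policy James puts on the router can also be enforced on the SQL Server host itself with Windows Firewall, as a second layer rather than a replacement for the network rule. The addresses below are assumed placeholders, and 1433 is the default-instance port; a named instance listens on a dynamic port unless you pin it in SQL Server Configuration Manager.

```powershell
# Added example, not from the thread: host-level enforcement on the SQL Server
# of "only the web server may connect to TCP/1433", complementing the
# router/firewall rule described above. Addresses are assumed placeholders.
$WebServerIp = '192.0.2.10'   # assumed DMZ address of the IIS box
$SqlPort     = '1433'         # default instance; fix the port for named instances
$RuleName    = 'SQL Server - web server only'

# Default-deny inbound on every profile; the allow rule below is the exception.
Set-NetFirewallProfile -All -DefaultInboundAction Block

# Allow TCP/1433 from the web server's address and nothing else.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort $SqlPort -RemoteAddress $WebServerIp -Profile Any | Out-Null
}

# Audit: any other enabled inbound Allow rule that opens 1433 (or all ports)
# to a wider source re-opens the hole. Windows Firewall has no first-match
# ordering, so a stray "allow from Any" rule silently widens access.
$offenders = Get-NetFirewallPortFilter |
    Where-Object { ($_.Protocol -in @('TCP', 'Any')) -and
                   (($_.LocalPort -contains $SqlPort) -or ($_.LocalPort -contains 'Any')) } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and
                   "$($_.Enabled)" -eq 'True' -and $_.DisplayName -ne $RuleName }

foreach ($rule in $offenders) {
    $remote = ($rule | Get-NetFirewallAddressFilter).RemoteAddress -join ','
    if ($remote -ne $WebServerIp) {
        Write-Warning "Rule '$($rule.DisplayName)' also allows inbound TCP $SqlPort from: $remote"
    }
}
```

After applying it, confirm the two sides of the policy from the network: Test-NetConnection -ComputerName <sql-server> -Port 1433 should report TcpTestSucceeded True from the web server and False from any other DMZ host. If the second test succeeds, some other path (a broader router rule or one of the offending host rules above) is still open.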
 