Production database needs to be accessed by a DMZ webserver

Hi, Guys.

We have a project in the office where the webserver hosted in the DMZ network needs to access a database server in the production(trusted network). Can you share your input how to secure this kind of setup? Will reverse proxy help or do you guys have a better solution? Both servers are running Windows server 2019.

Does a rule that this DMZ device can access this internal device at this port not suffice?

If we can additional security just to keep the database safe then it will be ideal.

There is not really a good way to secure it. You can add steps such as having a read-only database account if no writes are required. Either that or you can have a replicated database that the web server can access. One way or the other, if database access is required, then there is not really a good way to go around that.

Just to clarify, the webserver is on the DMZ and completely open to the public, but the database server is only on the local network and protected by the firewall. You’re wanting to secure the database server so that if anything compromises the webserver it can’t affect the database server or the rest of the internal protected LAN. Since both servers are connected to the internal network, firewall rules will have no effect as the traffic does not pass it.

I assume the webserver and database servers are multi-homed (more than one physical NIC) and have at least one port available. If not, it is easy enough to add. Put them on a network that only connects the two of them. As pretty much all NICs nowadays have Auto-MDIX, you can just run one patch cable between them and assign an IP and subnet mask only. Turn on the firewall (for that interface) on the database server, and only open the ports required for the database access. Only give the database account permissions on that specific database. Back the database up frequently so that if something happens, your data loss is minimal.

Does anyone else have suggestions on how to lock it down more?

Hi, RobR.

Thanks for the input, the machines are vm so adding NIC is easy but we don’t really want to have DMZ web server having a direct connection into production so that idea is out of the picture.

You can make a new vlan/network and put that database server there. Then lock down that network so that any traffic originating from that database server can only reach certain endpoints (such as update servers). Other traffic from the production network should still be able to make connections to it.

I would look into a 3 tier web app design for this setup. Most public websites consist of a web server, application server, and database server layer. Make sure only the web server can talk to the application server and the application server can talk to the database server. This will protect your database server from ever being reached from a compromised web server. Also, limit all new outbound sessions for the application and database server to only management type of flows such as backup, updates, and monitoring.