Q

Preventing Web database access with a triple-homed firewall

Mike Chapple discusses database security best practices and how to protect against unauthorized Web access by using a triple-homed firewall.

From a network topology perspective, what's the most effective way to ensure our database isn't accessed from the Web, either via search engines or otherwise?

The best way to prevent access to your database from the Web is to completely block all access to your database from the Web, and verify you've done so successfully.

Using firewalls to prevent all direct access from the Internet to a database server is foremost among generally accepted database security best practices on the infosec landscape. The most common way of achieving these best practices is with a triple-homed firewall, as illustrated below:

Triple-Homed Firewall

Your database server, accessible only to systems within your organization, should be located in the intranet zone. The firewall should be configured in a manner that prohibits any direct access from the Internet to the intranet. 

You may, of course, wish to have database-driven Web applications that are publicly accessible. In that scenario, you should place the Web server in the DMZ, where it is accessible to users on the Internet and can access the database server on the intranet. The Web server then serves as a buffer between end users and the database server, prohibiting direct Web database access.

Finally, be sure to document and verify your configurations and ensure the network and database are hardened against attacks. Even the most securely designed network-database architecture can be defeated if firewall rules are misconfigured or important updates aren't applied. If your organization has database-driven Web applications, you should take care to ensure they have been hardened against SQL injection and similar attacks that might allow an attacker to leverage the Web server to gain access to the underlying database.
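The three-zone policy the answer describes, written out as a small rule model together with the "verify you've done so" step. This is an added example, not the author's or TechTarget's code; the zone address ranges, the Web-server, database and client addresses, and the database port 5432 are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed address plan (assumption): one prefix per firewall interface;
# anything matching neither prefix is treated as arriving from the Internet.
ZONES = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "intranet": ipaddress.ip_network("10.0.0.0/8"),
}
DB_PORT = 5432  # assumption: PostgreSQL; use the real listener port

def zone_of(ip: str) -> str:
    """Map an address to the firewall zone it sits behind."""
    addr = ipaddress.ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), "internet")

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: int  # 0 means any destination port
    action: str    # "allow" or "deny"

# Policy from the answer: the Internet reaches only the Web server in the DMZ,
# the DMZ reaches the database, and no rule spans Internet -> intranet.
RULES = [
    Rule("internet", "dmz", 443, "allow"),
    Rule("dmz", "intranet", DB_PORT, "allow"),
    Rule("intranet", "dmz", 0, "allow"),
    Rule("intranet", "internet", 0, "allow"),
]

def evaluate(src_ip: str, dst_ip: str, dst_port: int) -> str:
    """First matching rule wins; a flow matching no rule is denied (default deny)."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for r in RULES:
        if (r.src_zone, r.dst_zone) == (src, dst) and r.dst_port in (0, dst_port):
            return r.action
    return "deny"

def verify_policy(web="192.0.2.10", db="10.1.2.3", client="198.51.100.7") -> dict:
    """Check that the intended paths exist and that nothing reaches the database directly."""
    return {
        "internet_to_web_https": evaluate(client, web, 443) == "allow",
        "web_to_db": evaluate(web, db, DB_PORT) == "allow",
        "internet_to_db_blocked": evaluate(client, db, DB_PORT) == "deny",
        # Changing the port does not help: every Internet -> intranet flow is denied.
        "internet_to_intranet_any_port": all(
            evaluate(client, db, p) == "deny" for p in (22, 80, 443, 1433, 3306, DB_PORT)),
    }
```

Running `verify_policy()` against the constructed addresses returns `True` for every check; a misconfigured rule that allowed Internet to intranet traffic would surface as a `False` entry.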

This was first published in July 2012
