To continue reading for free, register below or login
To read more you must become a member of SearchSecurity.com
There are two interesting security issues within your question: the best network location for the application and the appropriate level of access to grant remote users. You didn't mention anything about the sensitivity of the data included in your database, so I'm going to make the assumption that it's not unusually sensitive.
The placement of the application depends a bit upon the topology of the network. If your organization uses a virtual private network (VPN) and volunteers will be required to connect to the VPN before using the application, place the application's Web front-end in the same location where the VPN terminates. If this is your internal network, it's fine to place the Web front-end there.
If you don't plan to require a VPN connection, however, the DMZ is definitely the right choice, since it ensures that those accessing the application from the public Internet -- including those who attempt to access it without authorization -- won't be able to gain access to other applications or network resources.
The level of access granted to remote users should fall back upon the principle of least privilege; grant them only the access they need to get their jobs done. If there is no business requirement for users to modify data while off-site, there's no need to grant them those permissions. On the other hand, if they do need read access, there are many examples of organizations that expose database-driven applications to external users. Just be sure that you've thought about Web application security as well, since there are a whole other set of concerns involved with properly securing a hosted application.
More information:
A SearchSecurity.com member asks Mike Chapple, "Will there be DMZ routing issues if several firewalls serve as the default gateway?"
Get the latest DMZ news, tips and expert advice.
|
