When should a database application be placed in a DMZ?

Mike Chapple explains the best network location for an important database application. Chapple also reveals the appropriate level of access to grant remote users.

Mike Chapple, University of Notre Dame

I'm working as a volunteer at a government museum. We've developed a database application that is available to our volunteers and staff when working within the Smithsonian Institution network. Now we'd like to also allow our registered users to access it from home so they can do their research there. Is a DMZ the proper place to put the application? If so, should the application only be a read-only copy of the internal interactive application?

There are two interesting security issues within your question: the best network location for the application and the appropriate level of access to grant remote users. You didn't mention anything about the sensitivity of the data included in your database, so I'm going to make the assumption that it's not unusually sensitive.

The placement of the application depends a bit upon the topology of the network. If your organization uses a virtual...

Step 2 of 2:

You forgot to provide an Email Address.

This email address doesn’t appear to be valid.

This email address is already registered. Please login.

You have exceeded the maximum character limit.

Please provide a Corporate E-mail Address.
- I agree to TechTarget’s Terms of Use, Privacy Policy, and the transfer of my information to the United States for processing to provide me with relevant information as described in our Privacy Policy.
Please check the box if you want to proceed.
- I agree to my information being processed by TechTarget and its Partners to contact me via phone, email, or other means regarding information relevant to my professional interests. I may unsubscribe at any time.
Please check the box if you want to proceed.

private network (VPN) and volunteers will be required to connect to the VPN before using the application, place the application's Web front-end in the same location where the VPN terminates. If this is your internal network, it's fine to place the Web front-end there.

If you don't plan to require a VPN connection, however, the DMZ is definitely the right choice, since it ensures that those accessing the application from the public Internet -- including those who attempt to access it without authorization -- won't be able to gain access to other applications or network resources.

The level of access granted to remote users should fall back upon the principle of least privilege; grant them only the access they need to get their jobs done. If there is no business requirement for users to modify data while off-site, there's no need to grant them those permissions. On the other hand, if they do need read access, there are many examples of organizations that expose database-driven applications to external users. Just be sure that you've thought about Web application security as well, since there are a whole other set of concerns involved with properly securing a hosted application.

More information:

A SearchSecurity.com member asks Mike Chapple, "Will there be DMZ routing issues if several firewalls serve as the default gateway?"

Get the latest DMZ news, tips and expert advice.

This was last published in January 2009

Dig Deeper on Enterprise network security

All
News
Get Started
Evaluate
Manage
Problem Solve

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

Meet all of our Information Security experts

View all Information Security questions and answers

Cybersecurity threats on the rise, prey on human nature

Trustwave security platform provides visibility, control

Hackers earn nearly $2M in HackerOne's hacking event

Black Hat 2019 brings out new security, protection offerings

Cybersecurity threats on the rise, prey on human nature

Trustwave security platform provides visibility, control

Hackers earn nearly $2M in HackerOne's hacking event

Black Hat 2019 brings out new security, protection offerings

security information and event management (SIEM)

Can a read-only domain controller maximize DMZ security?

Do DMZ networks still provide security benefits for enterprises?

Can a read-only domain controller maximize DMZ security?

How does the resurgent VPNFilter botnet target victims?

CISOs face the IoT security risks of stranger things

Stranger things: IoT security concerns extend CISOs' reach

security information and event management (SIEM)

How do network management systems simplify security?

The fundamentals of designing a secure network

How to set up SFTP automation for FTP/DMZ transfer

Secure DMZ Web server setup advice

Please create a username to comment.

Defining and evaluating SOC as a service

How to beef up S3 bucket security to prevent a breach

How security teams benefit from traffic mirroring in the cloud

3 potential multi-cloud challenges that could go unnoticed

After ransomware virus, Merck's medicine was network automation

Prep for SD-WAN challenges, and you'll reap its rewards

Adobe, Uber on the challenges of digital transformation

Cloud migration failures and how to prevent them

Achieving business value from cognitive collaboration

Troubleshoot Bluetooth connection problems in Windows 10

HP Inc. laying off up to 9,000 workers in latest reorg plan

AI sharpens unified endpoint management tools and apps

6 long-term plans to add to cloud cost optimization strategies

IaaS vs. PaaS options on AWS, Azure and Google Cloud Platform

5 best practices for choosing cloud developer tools

Commvault adds Metallic SaaS backup and Hedvig features

Huawei defies US ban with rising revenues in third quarter

5G awareness and interest high but consumers struggle to see benefits

Related Resources

Dig Deeper on Enterprise network security

Related Q&A from Mike Chapple

Have a question for an expert?

Start the conversation

0 comments

Register

Login

Forgot your password?

Your password has been sent to:

Please create a username to comment.