Web Server in DMZ accessing Database in Internal Network

At the moment I have an Intranet web server with Apache2 (WS). The web server provides the web pages for an erp system. The data of the erp system is on a DRBD Cluster File Server (CFS), with a NFS4 export of the directory of the database. The WS has the NFS4 mounted as a directory, in which the data files for the database were placed during database installation.

Setup:
Internal-CFS (NFS4 export /Data) → Internal-WS (NFS4 mount /Data)

I now want to present the WS to Internet access via DMZ, but keep the Data Base (CFS) safe in the Internal Network.

What is the standard way to set up a system where the WS is in the DMZ and the Data in the Internal Network on a File Server not accessible from Internet or DMZ, but only by the WS to get the Data?

Setup:
Internet → FW1 → DMZ-WS → FW2 → Internal-CFS (NFS4 /Data)

If you cannot use a firewall pinhole, then you have to write some kind of proxy service using SOAP, JSON, or what have you.

If the sysadmin has protected the database from DMZ access in the manner you describe, there’s probably a good reason for it, probably it’s regarded as too dangerous to expose the database port, so you would have to go through some intermediary.

Or if the database information is not that sensitive, then put a database server in the DMZ.

The Data is on the main File Server, too sensitive for DMZ.

I have read of a 3 NIC SuSEfirewall2 setup, where the one card is declared EXT, another DMZ, and the third INT. The DMZ NIC is on a switch to the WS, and the Internal NIC on a switch to the Internal Network where the CFS with the data lives.

I believe to have read that in such a case linking between the DMZ and Internal Network is easily opened for DMZ machines that need access, e.g. the NFS4 Share. Is the NFS4 Share then not open to the DMZ in general? How do I protect the NFS4 Share from EXT? Could it be configured to be only open to the WS on DMZ-NIC and no one else in the DMZ or EXT at all, or am I on a wrong track?

How is this set up in YaST of SuSEfirewall2?

NFS is rather tricky to allow through a firewall, because several services are involved, and some of them are on floating ports, though a couple can be pinned down to fixed ports.

I think tunneling the NFS across the firewall is dangerous, because there is no differentiation between the various databases contained in it. Why not just tunnel the database server port?

In fact, what do you mean by a database anyway? Do you mean just a bunch of files or as people usually understand the term, a relational database? If just a bunch of files, perhaps you need some kind of intermediary proxy to allow only certain operations on the files.

I am assuming that you are using a database that can be connected to via standard database access mechanisms such as ODBC/JDBC/native drivers etc. The web application you use under apache may provide one of the methods mentioned here to connect to the database. In almost all databases, network based access involves, listening on a TCP port and the clients can connect through that port. You should open up that TCP port in the firewall only for the interface that is connected to the internal network where the database machine is located.

In a properly secured environment, the database machine can have 2 independent NICs that can serve internal and external (connections from DMZ) client connections. Typically, you may use encryption on these connections to make them more secure.

Yea, you both have a point.

I know the setups with SAP; AppServer & DBServer separate (syampillai’s method, and ken_yap server port).

At the moment it is just a webserver with a cache-SQL (Intersystems) configured on the same server. I wanted to include the Data on the main Backup off the CFS, then used the NFS Share from the CFS as a mount during the local installation of the cache database on the WS. I’m not sure yet if another setup on 2 separate servers is possible - I’ll have to check.

It’s ken_yap’s point that made me hesitate with the NFS-Share over the Firewall. Fortunately, only one Data Base is on the NFS-Share; I can risk it in the short run, till I find the proper way by tunneling the database server port.

If the NFS4 is tricky (though dangerous - will redo it later with a server port), what should I look for to get it through the firewall?

Besides the NFS port, you also need to allow portmap (rpcbind), and mountd. That last needs to be pinned to a fixed port, see /etc/sysconfig/nfs.

Thank you both for the info.

I just spoke to the Database builders (Intersystems). I will re-install the present single server solution of web server and database server on one box onto two separate boxes. The Webserver in the (DMZ) then becomes a (csp-)gateway to the database application server (INT) over the firewall, where only this ip-address (or MAC) and port should be opened. I like the idea of 2 NICs on the Database Server.

What is the safest way to do this in SuSEfirewall2?

Uh, what I meant is what is the safest way to configure the IP (incl MAC and Port) in SuSEfirewall2 (with or without YaST)?

Read through /etc/sysconfig/SuSEfirewall2, you will see that it allows you to specify the allowed addresses, port, and protocol in each rule. I believe you can also edit the rules from YaST. I don’t use SuSEfirewall2 though, my SUSE machines are behind a firewall and I don’t export NFS through firewalls. I did something similar at work, but that was a RHEL server and I entered bare iptables rules at the CLI.
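A concrete /etc/sysconfig/SuSEfirewall2 fragment for the FW2 host in the three-zone layout asked about above, added here as an example and not taken from any poster; the interface names, addresses and the database port are assumptions:

```shell
# Added example (not from any poster): /etc/sysconfig/SuSEfirewall2 settings for
# the FW2 host with three NICs. Interface names, addresses and the database
# port (1972) are assumptions; the addresses are from documentation ranges.
FW_DEV_EXT="eth0"
FW_DEV_DMZ="eth1"
FW_DEV_INT="eth2"
FW_ROUTE="yes"               # required for any forwarding between the zones
FW_MASQUERADE="no"           # plain routing, no NAT between DMZ and INT
FW_PROTECT_FROM_INT="yes"    # filter the INT interface too, not only EXT/DMZ
# Forwarding pinholes, one "source,destination,protocol,port" entry each:
# only the web server's address may reach the database server, and only on
# the database port. The commented variant adds NFSv4 (2049/tcp) for the
# interim NFS mount; NFSv4 itself needs no rpcbind or mountd pinhole.
FW_FORWARD="192.0.2.10,10.0.0.20,tcp,1972"
#FW_FORWARD="192.0.2.10,10.0.0.20,tcp,1972 192.0.2.10,10.0.0.20,tcp,2049"
# FW2 itself offers no service to the EXT or DMZ zones.
FW_SERVICES_ACCEPT_EXT=""
FW_SERVICES_ACCEPT_DMZ=""
FW_LOG_DROP_CRIT="yes"       # keep dropped DMZ->INT attempts visible in the log
```

Apply with `rcSuSEfirewall2 restart` and confirm the result with `iptables -L FORWARD -n -v`, checking that no ACCEPT rule for the INT interface exists beyond the listed entries.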

I too don’t use SuSEfirewall mainly because it generates complex (not that human readable) rules. However, if you know iptables and what you really want to achieve, you can define them yourself. Security is a very tricky business and if you don’t know what you are doing, you have to get it reviewed by someone who knows about it.

However, SuSEfirewall interface in the Yast is pretty easy to use.
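The bare iptables equivalent that ken_yap and syampillai refer to, written as an added example (not any poster's rules) for the three-NIC FW2 host: it prints the rules for review instead of applying them, and the interface names, addresses, database port and pinned mountd port are assumptions.

```shell
#!/bin/sh
# Added example, not from any poster: raw iptables rules for the three-NIC FW2
# host (EXT/DMZ/INT) that let only the DMZ web server reach the internal server,
# and only on the database port (plus NFS while the interim mount is in use).
# Interface names, addresses and the database port are assumptions.
EXT_IF=eth0; DMZ_IF=eth1; INT_IF=eth2
WS_IP=192.0.2.10      # DMZ web server (assumed, documentation range)
CFS_IP=10.0.0.20      # internal file/database server (assumed)
DB_PORT=1972          # database listener port (assumed value)
NFS_PORT=2049         # NFSv4 needs only this port
NFS_V3=no             # NFSv3 would additionally need rpcbind (111) and a pinned mountd
MOUNTD_PORT=4002      # value set via MOUNTD_PORT in /etc/sysconfig/nfs (assumed)
# Print the rules instead of applying them, so they can be reviewed (and tested)
# before running them as root with: gen_rules | sh
gen_rules() {
    cat <<EOF
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $DMZ_IF -o $INT_IF -s $WS_IP -d $CFS_IP -p tcp --dport $DB_PORT -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $DMZ_IF -o $INT_IF -s $WS_IP -d $CFS_IP -p tcp --dport $NFS_PORT -m state --state NEW -j ACCEPT
EOF
    if [ "$NFS_V3" = yes ]; then
        cat <<EOF
iptables -A FORWARD -i $DMZ_IF -o $INT_IF -s $WS_IP -d $CFS_IP -p tcp --dport 111 -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $DMZ_IF -o $INT_IF -s $WS_IP -d $CFS_IP -p tcp --dport $MOUNTD_PORT -m state --state NEW -j ACCEPT
EOF
    fi
    # Nothing from the Internet side is forwarded inward; other DMZ->INT attempts
    # are logged (a compromised DMZ host probing the internal network shows up here).
    cat <<EOF
iptables -A FORWARD -i $EXT_IF -o $INT_IF -j DROP
iptables -A FORWARD -i $DMZ_IF -o $INT_IF -j LOG --log-prefix "DMZ->INT denied: "
iptables -A FORWARD -i $DMZ_IF -o $INT_IF -j DROP
EOF
}
# A MAC match (-m mac --mac-source) could be added to the pinholes, but it only
# works on the directly attached DMZ segment and is easily spoofed, so the
# source IP plus the database's own authentication is what really limits access.

# Number of rules that open DMZ->INT traffic; anything beyond the listed pinholes is a mistake.
count_pinholes() {
    gen_rules | grep -c -- "-i $DMZ_IF -o $INT_IF .* -j ACCEPT"
}

# Whether any rule would forward traffic from the EXT interface into INT (must be "no").
ext_to_int_allowed() {
    if gen_rules | grep -q -- "-i $EXT_IF -o $INT_IF .*-j ACCEPT"; then echo yes; else echo no; fi
}
```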