Should a webserver in the DMZ be allowed to access MSSQL in the LAN?

Posted by Allen on Server Fault See other posts from Server Fault or by Allen
Published on 2010-03-24T16:53:29Z Indexed on 2010/03/24 17:03 UTC
Read the original article Hit count: 601

Filed under:

dmz

|

networking

|

lan

This should be a very basic question and I tried to research it and couldn't find a solid answer.

Say you have a web server in the DMZ and a MSSQL server in the LAN. IMO, and what I've always assumed to be correct, is that the web server in the DMZ should be able to access the MSSQL server in the LAN (maybe you'd have to open a port in the firewall, that'd be ok IMO).

Our networking guys are now telling us that we can't have any access to the MSSQL server in the LAN from the DMZ. They say that anything in the DMZ should only be accessible FROM the LAN (and web), and that the DMZ should not have access TO the LAN, just as the web does not have access to the LAN.

So my question is, who is right? Should the DMZ have access to/from the LAN? Or, should access to the LAN from the DMZ be strictly forbidden. All this assumes a typical DMZ configuration.

© Server Fault or respective owner

Related posts about dmz

Cisco Multi-DMZ firewall

as seen on Server Fault - Search for 'Server Fault'
I need to find a firewall that will give me 1 LAN port, and 5-7 DMZ ports. I have a requirement to replace some FreeBSD systems that are used to run some testing equipment. It is essential that the DMZ ports cannot communicate with each other, but the LAN port can communicate with everyone. That… >>> More
Proper Network Infastructure Setup DMZ, VPN, Routing Hardware Question

as seen on Server Fault - Search for 'Server Fault'
Greetings Server Fault Universe, So here's a quick background. Two weeks ago I started a new position as the systems administrator for an expanding health services company of just over 100 persons. The individual I was replacing left the company with little to no notice. Basically, I have inherited… >>> More
Should a webserver in the DMZ be allowed to access MSSQL in the LAN?

as seen on Server Fault - Search for 'Server Fault'
This should be a very basic question and I tried to research it and couldn't find a solid answer. Say you have a web server in the DMZ and a MSSQL server in the LAN. IMO, and what I've always assumed to be correct, is that the web server in the DMZ should be able to access the MSSQL server in the… >>> More
What is DMZ in networking?

as seen on Stack Overflow - Search for 'Stack Overflow'
I have to configure a Java application which is hosted in side a corporate network. So what is DMZ and how to get through to expose the services? >>> More
Cisco PIX 8.0.4, static address mapping not working?

as seen on Server Fault - Search for 'Server Fault'
upgrading a working Pix running 5.3.1 to 8.0.4. The memory/IOS upgrade went fine, but the 8.0.4 configuration is not quite working 100%. The 5.3.1 config on which it was based is working fine. Basically, I have three networks (inside, outside, dmz) with some addresses on the dmz statically mapped… >>> More

Related posts about networking

Networking stopped working on Ubuntu

as seen on Super User - Search for 'Super User'
I installed Ubuntu 10.04 through the Wubi installer (Funny, I installed it today and thought I would have gotten 10.10). I had a network connection and everything was working fine. I rebooted my coumputer a couple of times and then suddenly, I could not connect to the network and when I click the… >>> More
Troubles with start up defenition of networking service in Ubuntu

as seen on Super User - Search for 'Super User'
I use Ubuntu 12.04.1. I put attention that networking script starting in runlevel 0: user@comp:/etc/rc0.d$ chkconfig -l networking networking 0:on 1:off 2:off 3:off 4:off 5:off 6:off When I try to move it working to appropriate run levels I get error: user@comp:/etc/rc0… >>> More
Installing the Elgg Social Networking CMS

as seen on Internet.com - Search for 'Internet.com'
One Open Source CMS that stands out above the rest for small businesses and personal networks is the Elgg open source "social engine," which can be used to create social applications. Scott Clark shows you how to install and get started with this social networking CMS. >>> More
OAuth: Token-Based Authorization for the Social Networking Age

as seen on Internet.com - Search for 'Internet.com'
The OAuth token-based authorization system allows users to grant third-party access to their resources without sharing their usernames and passwords. It's perfect for the age of data scattered across many social networking sites. >>> More
OAuth: Token-Based Authorization for the Social Networking Age

as seen on Internet.com - Search for 'Internet.com'
The OAuth token-based authorization system allows users to grant third-party access to their resources without sharing their usernames and passwords. It's perfect for the age of data scattered across many social networking sites. >>> More