SQL Server in separate DMZ with software firewall...

  • swjohnson

    Hall of Fame

    Points: 3254

    Just curious to see how many out there have their DB's in a separate DMZ with it's own firewall.  A DMZ within a DMZ so to speak. 

    My network admin now wants us to have all the DB servers in a separate DMZ within our current web DMZ.  He is also wanting to use a software firewall (ZoneLabs or Norton) on the SQL server (which I just know will kill performance). 

    Your thoughts and experiences would be helpful. 




  • K. Brian Kelley

    SSC Guru

    Points: 114486

    I understand the rationale... if a web server is compromised he is trying to protect the SQL Servers, too. One of the things some folks do is make heavy use of IPSEC policies to limit a servers surface area. You can do that with your SQL Server, but I think the estimate is about a 20% hit in performance. If you've got Windows Server 2003 servers, there is a firewall capability already built-in. I'd look at leveraging both IPSEC and built-in firewalls before going to a software firewall. But either way you go, you're going to take a performance hit. I don't know the statistics on the software firewalls, but it can be more than you want to bear.

    To be perfectly honest, if your network admin wants to go this route, I'd look at a hardware firewall. The low-end PIX firewalls are < $500. The new ASA firewalls from Cisco are supposed to be able operate at layer 2, meaning no changes would be needed on the IP address side. A bit more expensive, yes, but a more optimal solution, especially if you have multiple SQL Servers you want to protect.

    K. Brian Kelley

Viewing 2 posts - 1 through 2 (of 2 total)

You must be logged in to reply to this topic. Login to reply