Should a webserver in the DMZ be allowed to access MSSQL in the LAN?
Posted by Allen on Server Fault
Published on 2010-03-24T16:53:29Z
This should be a very basic question and I tried to research it and couldn't find a solid answer.
Say you have a web server in the DMZ and a MSSQL server in the LAN. IMO, and what I've always assumed to be correct, is that the web server in the DMZ should be able to access the MSSQL server in the LAN (maybe you'd have to open a port in the firewall, that'd be ok IMO).
Our networking guys are now telling us that we can't have any access to the MSSQL server in the LAN from the DMZ. They say that anything in the DMZ should only be accessible FROM the LAN (and web), and that the DMZ should not have access TO the LAN, just as the web does not have access to the LAN.
So my question is, who is right? Should the DMZ have access to/from the LAN? Or, should access to the LAN from the DMZ be strictly forbidden? All this assumes a typical DMZ configuration.
© Server Fault or respective owner