Should a webserver in the DMZ be allowed to access MSSQL in the LAN?

Posted by Allen on Server Fault
Published on 2010-03-24T16:53:29Z Indexed on 2010/03/24 17:03 UTC

This should be a very basic question and I tried to research it and couldn't find a solid answer.

Say you have a web server in the DMZ and a MSSQL server in the LAN. IMO, and what I've always assumed to be correct, is that the web server in the DMZ should be able to access the MSSQL server in the LAN (maybe you'd have to open a port in the firewall, that'd be ok IMO).

Our networking guys are now telling us that we can't have any access to the MSSQL server in the LAN from the DMZ. They say that anything in the DMZ should only be accessible FROM the LAN (and web), and that the DMZ should not have access TO the LAN, just as the web does not have access to the LAN.

So my question is, who is right? Should the DMZ have access to/from the LAN? Or should access to the LAN from the DMZ be strictly forbidden? All this assumes a typical DMZ configuration.

© Server Fault or respective owner
