How an API application in DMZ should access a database with sensitive data in a LAN?
rono
Hello!
I'm creating an API that should be accessible from outside and will reside on a server in the DMZ. But this application should access our internal database (which contains sensitive data) located in the LAN.
For security reasons the DMZ shouldn't have any access into the LAN. What should I do in this case?
LAN:
secure and controlled environment
database with sensitive data
not accessible from outside
DMZ:
insecure environment
webserver exposing an API
accessible from outside
Thanks
Comments
docrice
You could have a second DMZ (as a dedicated database network) which the API host in the DMZ would be allowed to connect to. This net would be separate from the internal LAN that has other general purpose servers or even client hosts.
rono
Thank you docrice!
The rule set in my firewall should be then:
Allow API-DMZ -> only DB-DMZ (drop all other traffic from API-DMZ to the internal network range) and allow the internal network range to access DB-DMZ?
docrice
That's typically how it works. This is, of course, a generalization and not an absolute answer as there are likely other considerations when talking network design requirements.
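The rule set rono proposed and docrice confirmed can be written down as a zone policy and regression-tested before it goes onto a firewall. The following is an added example, not code from the thread or from any vendor: it models the four zones (Internet, API-DMZ, DB-DMZ, LAN) with constructed address ranges, evaluates a first-match rule list with an implicit final drop, and checks every flow the design requires (including the ones that must be blocked, such as API-DMZ to LAN and Internet to DB-DMZ). The prefixes, host addresses and the database port 5432 are assumptions for illustration.

```python
"""Zone policy check for the two-DMZ design discussed above.

Added example, not from the thread. Address ranges, zone names and the
database port 5432 are constructed assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed address plan (assumption): one prefix per zone. INTERNET is the
# catch-all; zone_of() picks the most specific prefix, so INTERNET only wins
# when no internal prefix matches.
ZONES = {
    "INTERNET": ip_network("0.0.0.0/0"),
    "API-DMZ": ip_network("192.0.2.0/24"),
    "DB-DMZ": ip_network("198.51.100.0/24"),
    "LAN": ip_network("10.0.0.0/8"),
}

DB_PORT = 5432  # assumption: the database listener port in DB-DMZ


@dataclass(frozen=True)
class Rule:
    src: str              # source zone
    dst: str              # destination zone
    dport: Optional[int]  # None matches any destination port
    action: str           # "allow" or "drop"


# Rule set from the thread: first match wins, anything unmatched is dropped.
RULES = [
    Rule("INTERNET", "API-DMZ", 443, "allow"),    # the public API
    Rule("API-DMZ", "DB-DMZ", DB_PORT, "allow"),  # only the DB port, nothing else
    Rule("API-DMZ", "LAN", None, "drop"),         # explicit: DMZ never reaches LAN
    Rule("LAN", "DB-DMZ", DB_PORT, "allow"),      # internal hosts reach the DB
]


def zone_of(ip: str) -> str:
    """Map an address to the zone with the longest matching prefix."""
    addr = ip_address(ip)
    matches = [(net.prefixlen, name) for name, net in ZONES.items() if addr in net]
    return max(matches)[1]


def evaluate(src_ip: str, dst_ip: str, dport: int) -> str:
    """First-match evaluation with a default-deny at the end of the list."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for rule in RULES:
        if rule.src == src and rule.dst == dst and rule.dport in (None, dport):
            return rule.action
    return "drop"


# Flows the design requires (constructed sample hosts), used to test RULES.
EXPECTED = [
    ("203.0.113.7", "192.0.2.10", 443, "allow"),       # client -> API
    ("192.0.2.10", "198.51.100.5", DB_PORT, "allow"),  # API -> DB
    ("192.0.2.10", "198.51.100.5", 22, "drop"),        # API -> DB, wrong port
    ("192.0.2.10", "10.1.2.3", DB_PORT, "drop"),       # API -> LAN
    ("10.1.2.3", "198.51.100.5", DB_PORT, "allow"),    # LAN -> DB
    ("203.0.113.7", "198.51.100.5", DB_PORT, "drop"),  # Internet -> DB
    ("198.51.100.5", "10.1.2.3", 445, "drop"),         # DB-DMZ -> LAN
]


def verify_policy() -> list:
    """Return expected flows whose verdict differs from RULES (empty = policy holds)."""
    return [(s, d, p, want, evaluate(s, d, p))
            for s, d, p, want in EXPECTED if evaluate(s, d, p) != want]


if __name__ == "__main__":
    for s, d, p, want in EXPECTED:
        print(f"{zone_of(s):>9} -> {zone_of(d):<8} :{p:<5} {evaluate(s, d, p)}")
    print("policy holds" if not verify_policy() else verify_policy())
```

The point of keeping EXPECTED next to RULES is that the "must be dropped" flows are checked, not just the ones that have to work; a later rule such as a broad "LAN -> any" allow placed above the API-DMZ entries would show up as a verify_policy() failure rather than as a silent hole.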
OctalDump
The other thing I'd add is that the access granted to the API to the database should be restricted. Most DBMS allow you to restrict access to even field level. Generally you can restrict to some point with no performance hit, and then varying performance hit beyond that. You could also quarantine the data in a read only replica of the database, depending of course on what is needed. Deep design considerations, though.
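OctalDump's point that the API's database account should see only the fields it needs, and ideally only read them, can be demonstrated without a full DBMS. The following is an added example, not code from the thread: it uses Python's standard-library SQLite and its statement authorizer as a stand-in for the column-level GRANT and read-only role a production DBMS would give the API account. The table, the column names, the "ssn" sensitive column and the sample rows are all constructed for illustration.

```python
"""Field-level and read-only restriction for an API's database role.

Added example, not from the thread. SQLite's authorizer callback stands in
for the column-level GRANTs / read-only role of a real DBMS. Schema and
rows are constructed.
"""
import sqlite3

SENSITIVE_TABLE = "customers"
SENSITIVE_COLUMNS = {"ssn"}  # assumption: the field the API must never read

SCHEMA = """
CREATE TABLE customers (
    id    INTEGER PRIMARY KEY,
    email TEXT NOT NULL,
    ssn   TEXT NOT NULL,
    plan  TEXT NOT NULL
);
"""

# Constructed sample rows (fake values).
SAMPLE_ROWS = [
    ("a@example.com", "000-00-0001", "basic"),
    ("b@example.com", "000-00-0002", "pro"),
]


def build_sample_db() -> sqlite3.Connection:
    """Create the database as the owner, before any restriction is applied."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany(
        "INSERT INTO customers(email, ssn, plan) VALUES (?, ?, ?)", SAMPLE_ROWS
    )
    con.commit()
    return con


def api_authorizer(action, arg1, arg2, dbname, trigger):
    """Deny reads of sensitive columns and every write; allow everything else.

    SQLite calls this while compiling each statement, so a denied column
    makes the whole statement fail rather than returning a blank field.
    """
    if action == sqlite3.SQLITE_READ and arg1 == SENSITIVE_TABLE \
            and arg2 in SENSITIVE_COLUMNS:
        return sqlite3.SQLITE_DENY
    if action in (sqlite3.SQLITE_INSERT, sqlite3.SQLITE_UPDATE,
                  sqlite3.SQLITE_DELETE, sqlite3.SQLITE_DROP_TABLE):
        return sqlite3.SQLITE_DENY
    return sqlite3.SQLITE_OK


def as_api_role(con: sqlite3.Connection) -> sqlite3.Connection:
    """Attach the restricted profile to a connection handed to the API."""
    con.set_authorizer(api_authorizer)
    return con


def try_query(con: sqlite3.Connection, sql: str, params=()):
    """Run a statement as the API role; return ("ok", rows) or ("denied", message)."""
    try:
        return ("ok", con.execute(sql, params).fetchall())
    except sqlite3.DatabaseError as exc:
        return ("denied", str(exc))


if __name__ == "__main__":
    api = as_api_role(build_sample_db())
    for stmt in (
        "SELECT id, email, plan FROM customers WHERE id = 1",
        "SELECT ssn FROM customers",
        "SELECT * FROM customers",
        "UPDATE customers SET plan = 'pro' WHERE id = 1",
    ):
        print(f"{stmt!r:55} -> {try_query(api, stmt)[0]}")
```

Note that `SELECT *` is refused as well, which is the behaviour you want: an API query that accidentally widens its column list should fail loudly in testing instead of quietly shipping the sensitive field. In a real deployment the same effect comes from granting the API account SELECT on the permitted columns only (or pointing it at a read-only replica that omits them), rather than from application-side filtering.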