How an API application in DMZ should access a database with sensitive data in a LAN?

ronorono (GSEC, GCIH, GMON - Blue team), Posts: 119, Member
Hello!

I'm creating an API that should be accessible from outside and will reside on a server in the DMZ. But this application should access our internal database (which contains sensitive data) that is located in the LAN.

For security reasons the DMZ shouldn't have any access into the LAN. What should I do in this case?

LAN:
  • secure and controlled environment
  • database with sensitive data
  • not accessible from outside

DMZ:
  • insecure environment
  • webserver exposing an API
  • accessible from outside

Thanks
Mess with the best,Die like the rest!

Comments

  • docrice, Posts: 1,706, Member
    You could have a second DMZ (as a dedicated database network) which the API host in the DMZ would be allowed to connect to. This net would be separate from the internal LAN that has other general purpose servers or even client hosts.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • ronorono (GSEC, GCIH, GMON - Blue team), Posts: 119, Member
    Thank you docrice!

    The rule set in my firewall should then be:
    Allow API-DMZ -> only DB-DMZ (drop all other traffic from API-DMZ to the internal network range) and allow the internal network range to access DB-DMZ?
    Mess with the best,Die like the rest!
  • docrice, Posts: 1,706, Member
    That's typically how it works. This is, of course, a generalization and not an absolute answer as there are likely other considerations when talking network design requirements.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
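    The three-zone rule set agreed in the two posts above (API-DMZ may reach only DB-DMZ, the internal range may reach DB-DMZ, everything else dropped), written out as a first-match policy with a default deny and rendered as an nftables forward chain. This is an added example, not code from either poster; the subnet addresses, the zone names and the database port (5432, assuming PostgreSQL) are constructed assumptions. It goes slightly beyond the thread in two places a defender would want: the allow rules are limited to the database port rather than any port, and DB-DMZ is explicitly prevented from initiating connections into the LAN.

```python
"""Zone-based firewall policy for an API-DMZ / DB-DMZ / LAN design.

Added example (not from the forum thread).  Subnets, zone names and the
database port are assumptions; the only thing taken from the thread is the
shape of the policy: API-DMZ -> DB-DMZ allowed, API-DMZ -> LAN dropped,
LAN -> DB-DMZ allowed, default deny for the rest.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed example addressing; the thread gives none.
ZONES = {
    "API-DMZ": ip_network("10.1.0.0/24"),
    "DB-DMZ": ip_network("10.2.0.0/24"),
    "LAN": ip_network("10.10.0.0/16"),
}
DB_PORT = 5432  # assumption: PostgreSQL; use your DBMS's listener port


@dataclass(frozen=True)
class Rule:
    src: str               # zone name or "*" for any
    dst: str               # zone name or "*" for any
    dport: Optional[int]   # None = any destination port
    action: str            # "accept" or "drop"


# First match wins; the last rule is the default deny.
POLICY: List[Rule] = [
    Rule("API-DMZ", "DB-DMZ", DB_PORT, "accept"),  # API host reaches the DB, DB port only
    Rule("LAN", "DB-DMZ", DB_PORT, "accept"),      # internal range (admins, batch jobs) reaches the DB
    Rule("API-DMZ", "LAN", None, "drop"),          # explicit: nothing from the API host into the LAN
    Rule("DB-DMZ", "LAN", None, "drop"),           # the DB host must not initiate into the LAN either
    Rule("*", "*", None, "drop"),                  # default deny
]


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the known subnets is UNKNOWN."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "UNKNOWN"


def evaluate(src_ip: str, dst_ip: str, dport: int) -> str:
    """Return the action the policy takes for a new connection attempt."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for rule in POLICY:
        if rule.src not in ("*", src):
            continue
        if rule.dst not in ("*", dst):
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        return rule.action
    return "drop"  # unreachable because of the wildcard rule, kept for safety


def to_nftables() -> str:
    """Render the policy as an nftables forward chain with 'policy drop'."""
    lines = [
        "table inet fw {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for rule in POLICY:
        if "*" in (rule.src, rule.dst):
            continue  # covered by the chain's default policy
        match = f"ip saddr {ZONES[rule.src]} ip daddr {ZONES[rule.dst]}"
        if rule.dport is not None:
            match += f" tcp dport {rule.dport}"
        lines.append(f"    {match} {rule.action}")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_nftables())
    for flow in [("10.1.0.5", "10.2.0.10", 5432), ("10.1.0.5", "10.10.3.4", 5432)]:
        print(flow, "->", evaluate(*flow))
```

    The rendered chain only contains the explicit accept rules and the explicit zone-to-zone drops; the chain's `policy drop` provides the "drop everything else" that the reply describes, so there is no way for a forgotten rule to default to permit.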
  • OctalDump, Posts: 1,722, Member
    The other thing I'd add is that the access granted to the API to the database should be restricted. Most DBMS allow you to restrict access to even field level. Generally you can restrict to some point with no performance hit, and then varying performance hit beyond that. You could also quarantine the data in a read only replica of the database, depending of course on what is needed. Deep design considerations, though.
    2017 Goals - Something Cisco, Something Linux, Agile PM
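    The two ideas in the post above, field-level restriction of what the API account can read and serving it from a read-only replica, shown end to end in an added example that is not the poster's code. It uses sqlite3 as a stand-in for the DBMS (an assumption so the example runs offline): the "replica" is a copy the API opens with `mode=ro`, and the field-level restriction is a view exposing only the columns the API needs. On a real server the same effect is achieved with a replica role and column-level GRANTs; the table, its columns and the sample rows are constructed.

```python
"""Least-privilege data exposure for an API's database account.

Added example (not from the forum thread).  sqlite3 stands in for the DBMS;
the table layout, the API-visible column set and the rows are constructed.
Two controls are shown:
  1. a view that exposes only the fields the API needs (field-level restriction)
  2. a read-only handle to a replica, so the API cannot write even if it tries
"""
import os
import sqlite3
import tempfile

# Assumption: the API only ever needs these three fields.
API_VISIBLE_COLUMNS = ("id", "display_name", "plan")


def build_replica(path: str) -> None:
    """Populate the replica file; stands in for replication from the LAN primary."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE customers (
            id INTEGER PRIMARY KEY,
            display_name TEXT NOT NULL,
            plan TEXT NOT NULL,
            national_id TEXT NOT NULL,   -- sensitive: never exposed to the API
            card_last4 TEXT              -- sensitive: never exposed to the API
        );
        -- Constructed sample rows
        INSERT INTO customers VALUES (1, 'Ada',   'pro',  'SE-1234', '4242');
        INSERT INTO customers VALUES (2, 'Linus', 'free', 'FI-9876', NULL);
        -- The only object the API account is meant to query
        CREATE VIEW api_customers AS
            SELECT id, display_name, plan FROM customers;
    """)
    con.commit()
    con.close()


def open_replica_readonly(path: str) -> sqlite3.Connection:
    """The API gets a handle that refuses every write at the driver level."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def api_lookup(con: sqlite3.Connection, customer_id: int):
    """What the API is allowed to see: columns of the view, nothing more."""
    cur = con.execute("SELECT * FROM api_customers WHERE id = ?", (customer_id,))
    row = cur.fetchone()
    cols = tuple(d[0] for d in cur.description)
    return cols, row


def api_write_attempt(con: sqlite3.Connection) -> str:
    """Demonstrate that a write through the API's handle is refused."""
    try:
        con.execute("UPDATE customers SET plan = 'pro' WHERE id = 2")
        return "write succeeded"
    except sqlite3.OperationalError as exc:
        return f"write refused: {exc}"


def demo():
    """Build the replica, open it read-only as the API would, and exercise both controls."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "replica.db")
        build_replica(path)
        con = open_replica_readonly(path)
        try:
            cols, row = api_lookup(con, 1)
            outcome = api_write_attempt(con)
        finally:
            con.close()
        return cols, row, outcome


if __name__ == "__main__":
    print(demo())
```

    The view is the cheap control the post mentions (no performance cost: it is just a column projection), and the read-only replica is the stronger one, since it bounds the damage of any SQL injection or credential theft on the DMZ host to reading the projected columns rather than altering or exfiltrating the full table.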