Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3445
Views
5
Helpful
1
Replies

How to design DMZ network and Internal network?

wcpon_cisco
Level 1
Level 1

‎09-02-2012 06:58 PM - edited ‎03-03-2019 06:44 AM

Hi Guys,

I'm facing some problem to design my network, hope to get some advice over here..

Please find my current design below...

Current design,

             Fortigate Firewall

                        | |

                 Cisco 3750

             ||                    ||

      Cisco 2960     Cisco 2960

      (VLAN 10)       (VLAN 20)

My web server or application server located at VLAN 10, and my database server located at VLAN 20...

My web server or application server need to communicate with my database server all the time.. (example, user login, authetication, transaction record and etc)

Normal design for the network, web server should place to DMZ network.. because it is face to public network... (untrusted network)....

Database server should be under Internal network. (trusted network)

After the research from the web, DMZ should not be communicate with the internal network (Database server) due with the security concern...

In order the web server (DMZ) communicate to database server, what is the best practise to setup this network?

Should I place the database server to DMZ network as well??

Looking forward to get some expert advice.

Appreciate it...

Thanks.

Labels:
0 Helpful
1 Reply 1

Marwan ALshawi
VIP Alumni
VIP Alumni

‎09-03-2012 03:32 AM

Well this is depends on the security policy you have

However the option you mention is one possible best practice solution where you place the web server in the DMZ and the DB server in the internal network and only permit the required ports for server to server from DMZ to the DB server

Another option you create two DMZs zones one for the web less secure and another for the DB more secure and allow only the required ports between these two zones and this is more secure because in the case of one of the servers got compromised won't effect your inside network and keep it isolated

Hope this help

Sent from Cisco Technical Support iPad App

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents