Compliance Question regarding SQL and Firewalls

    Question

  • Hello,

    I just had a quick question that hopefully someone who has had experience with this can help me with.

    We have front end load balanced web servers in a DMZ that accept customer transactions involving money.  In front of that we have an ASA.  Behind the web servers, on the inside, is another firewall, and then the SQL server sits on the other side of the internal firewall.  The SQL server does contain customer personal information that is deleted after a certain amount of time.  All information like credit cards is encrypted.

    My question revolves around the internal firewall.  Is that needed per compliance?  The reason I ask is I want to set up a back end connection from my web servers directly to the SQL server to remove any and all interference between the web and database layers to (hopefully) improve performance.  The back plane will be on a completely different network from that of the front end.  Is this safe or even allowed with us storing sensitive information?

    Thank you.


    • Edited by Matt11380 Wednesday, February 15, 2012 4:08 PM
    Wednesday, February 15, 2012 4:07 PM

All replies

  • Matt;

    First, SCM and the security guidance that we produce are really focused on individual products; what you're asking about is network architecture, so this may not be the best place to ask your question.

    Second, compliance with what? With the FDCC? DISA STIGs? HIPAA? I have no idea what policies your organization needs to comply with or whether network architecture is part of what you need to address.

    Kurt


    Kurt Dillard http://www.kurtdillard.com

    Wednesday, February 15, 2012 6:44 PM
    Owner
  • Thank you for the reply.  I will look around for more information.

    Also, it is PCI compliance.

    Wednesday, February 15, 2012 7:40 PM