Compliance Question regarding SQL and Firewalls


  • Hello,

    I just had a quick question that hopefully someone can help me with that has had experience with this.

    We have front end load balanced web servers in a DMZ that accept customer transactions invloving money.  In front of that we have an ASA.  Behind the web servers, on the inside, is another firewall, and then the SQL server sits on the other side of the internal firewall.  The SQL server does contain customer personal information that is deleted after a certain amount of time.  All information like credit cards are encrypted.

    My question revolves around the internal firewall.  Is that needed per compliance?  The reason I ask is I want to set up a back end connection from my web servers directly to the SQL server to remove any and all interference between the web and database layers to (hopefully) improve performance.  The back plane will be on a completely different network from that of the front end.  Is this safe or even allowed with us storing sensitive information?

    Thank you.

    • Düzenleyen Matt11380 15 Şubat 2012 Çarşamba 16:08
    15 Şubat 2012 Çarşamba 16:07

Tüm Yanıtlar

  • Matt;

    First, SCM and the security guidance that we produce are really focused on invidual products what you're asking about is network architecture, so this may not be the best place to ask your question.

    Second, compliance with what? With the FDCC? DISA STIGs? HIPAA? I have no idea what policies your organization needs to comply with or whether network architecture is part of what you need to address.


    Kurt Dillard

    15 Şubat 2012 Çarşamba 18:44
  • Thank you for the reply.  I will look around for more information.

    Also, it is PCI compliance.

    15 Şubat 2012 Çarşamba 19:40