I just had a quick question that hopefully someone who has had experience with this can help me with.
We have front-end load-balanced web servers in a DMZ that accept customer transactions involving money. In front of that we have an ASA. Behind the web servers, on the inside, is another firewall, and then the SQL server sits on the other side of the internal firewall. The SQL server does contain customer personal information that is deleted after a certain amount of time. All information like credit cards is encrypted.
My question revolves around the internal firewall. Is that needed per compliance? The reason I ask is I want to set up a back-end connection from my web servers directly to the SQL server to remove any and all interference between the web and database layers to (hopefully) improve performance. The back plane will be on a completely different network from that of the front end. Is this safe or even allowed with us storing sensitive information?