On Sunday 19 April 2009 18:08:10 LLLActive@GMX.Net wrote:
Yes, I thought of that. Maybe using separate NICs between the two machines in a separate private network all by themselves will do. If the webserver is compromised, then all is also compromised.
Just how does one get such a setup secure, without putting your data in the DMZ?
Internet -- firewall 1 -- DMZ with Webserver -- firewall 2 -- Database server
Normally you do put the data in the DMZ. Enough for your web needs, at least. Your main database can then be on the internal network, and your DMZ then has a data pump to feed it, in some fashion. Ideally this would be a "push only" connection, with no inbound connections allowed at all, so that the internal server synced with the external machine regularly through some data transfer protocol.

For optimal security, there would be no connection to the internal network allowed at all, in either direction. The data would then be synced manually, perhaps by copying it on a USB device.

It all depends on how much effort you want to go to, how much your security is worth. Very high security requires effort.

Anders
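Added example, not part of the original message: one way to express the "push only" arrangement described above as an nftables forward policy on firewall 2, read as "only the internal server may open connections, and only to the DMZ web server". The interface names, addresses, table name and the choice of SSH/rsync on tcp/22 as the sync transport are all assumptions.

```nftables
#!/usr/sbin/nft -f
# Constructed example for "firewall 2" (between the DMZ and the internal
# network). Interface names, addresses and the sync port are assumed values.

define dmz_if  = "eth1"        # side facing the DMZ (assumed name)
define int_if  = "eth2"        # side facing the internal network (assumed name)
define web_dmz = 192.0.2.10    # DMZ web server (documentation address)
define db_int  = 10.0.0.20     # internal database server (assumed address)

table inet fw2 {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic for connections the internal side opened.
        ct state established,related accept
        ct state invalid drop

        # The single permitted new flow: the internal database server
        # connects out to the DMZ web server to sync data.
        iifname $int_if oifname $dmz_if ip saddr $db_int ip daddr $web_dmz tcp dport 22 ct state new accept

        # Any connection the DMZ tries to open towards the internal network
        # is logged before being dropped; on a healthy web server this
        # should never fire, so a log hit is worth investigating.
        iifname $dmz_if oifname $int_if ct state new log prefix "fw2 dmz->int blocked: " drop
    }
}
```

With the default drop policy, a compromised web server cannot initiate anything towards the database network; it can only answer sessions the internal server started.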