A company is redesigning its network to host a public-facing web application that accesses a confidential database. The security team needs to minimize the risk of a direct attack against the database server while still allowing the web server to retrieve and update data. Which network architecture best achieves this objective?
Trap 1: Place both the web server and the database server in the same DMZ…
Placing the database server in the same DMZ as the web server exposes it to any attacker who compromises the web server, and host-based firewalls can be misconfigured or bypassed. The database should be in a more secure internal zone.
Trap 2: Connect both servers to a single internal VLAN and use a reverse…
Putting both servers on the same internal VLAN removes network segmentation. If the web server is compromised, the attacker gains direct access to the database. A reverse proxy helps protect the web server but does not isolate the database.
Trap 3: Use a site-to-site VPN to connect the web server and database…
A site-to-site VPN is typically used to connect separate networks securely, not to segment internal resources. Placing both behind NAT still exposes the database if the web server is breached, because there is no firewall rule limiting database access to only the web server.
- A
Place both the web server and the database server in the same DMZ segment and rely on host-based firewalls for protection.
Why wrong: Placing the database server in the same DMZ as the web server exposes it to any attacker who compromises the web server, and host-based firewalls can be misconfigured or bypassed. The database should be in a more secure internal zone.
- B
Place the web server in the DMZ and the database server on the internal network. Configure the firewall to allow inbound traffic from the web server to the database server on the required port only.
This architecture follows the principle of defense in depth. The DMZ provides an additional security layer for the web server, while the database is isolated on the internal network with a restrictive firewall rule that limits access to only the web server, reducing the attack surface.
- C
Connect both servers to a single internal VLAN and use a reverse proxy to forward external traffic to the web server.
Why wrong: Putting both servers on the same internal VLAN removes network segmentation. If the web server is compromised, the attacker gains direct access to the database. A reverse proxy helps protect the web server but does not isolate the database.
- D
Use a site-to-site VPN to connect the web server and database server, and place both behind a single NAT gateway.
Why wrong: A site-to-site VPN is typically used to connect separate networks securely, not to segment internal resources. Placing both behind NAT still exposes the database if the web server is breached, because there is no firewall rule limiting database access to only the web server.