Security and your network architecture

Discussion in 'Pre-sales questions' started by SDW1967, Aug 9, 2009.

Thread Status:
Threads that have been inactive for 5 years or longer are closed to further replies. Please start a new thread.
  1. Can you provide some information regarding how your network architecture enforces security for a 3-tier (GUI, MT, DB) application?

    I would prefer the following:

    1) "Secured" DMZ where the Web server will reside. Outside (internet) access will be allowed on ports 80 and 443.
    2) Secured network where the Database server will reside. Access from the DMZ will need to be restricted to traffic originating from the web server in the DMZ on port 1433.

    What other security practices are in place that will help to prevent intrusion, specifically on the database server?

    I will be storing encrypted customer, credit card, and transaction information.
     
  2. mjp


    If you open a port on the server, it's open. You can't say, "Okay, port 1433 is open, but only on the local network." Unless, of course, you block that port at the firewall, which would effectively make remote database management impossible.

    Some ISPs block 1433, so we have an alternate port available on database servers. Likewise, the web servers have many open ports, by necessity. What you're looking for is not going to be available at any shared host that I know of.

    If you are aiming for PCI compliance, it is possible without those restrictions. PCI compliance is a thorny issue where shared servers are concerned, however. You can certainly achieve it; many of our users have. Technically though, if you apply PCI rules strictly as they are written, no shared host qualifies. But in actual practice, you can usually claim compliance.
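
The segmentation requested in the first post (80/443 from the internet to the web server, 1433 to the database only from that web server), modelled as a default-deny, first-match rule set and audited against sample flows. This is an added example, not part of the thread or the host's configuration; every address, name and the `WEAK_POLICY` variant are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

WEB = "192.0.2.10"   # constructed: web server in the DMZ
DB = "10.20.0.5"     # constructed: SQL Server on the secured network
ANY = "0.0.0.0/0"

@dataclass(frozen=True)
class Rule:
    src: str            # source CIDR
    dst: str            # destination CIDR
    ports: tuple        # TCP ports; empty tuple means any port
    action: str         # "allow" or "deny"

# First match wins; anything unmatched is dropped (default deny).
POLICY = [
    Rule(WEB + "/32", DB + "/32", (1433,), "allow"),  # web tier -> DB only
    Rule(ANY, DB + "/32", (), "deny"),                # nothing else reaches the DB
    Rule(ANY, WEB + "/32", (80, 443), "allow"),       # public HTTP/HTTPS
]

# Weak variant: 1433 is open to every source, not just the web server.
WEAK_POLICY = [Rule(ANY, DB + "/32", (1433,), "allow")] + POLICY[1:]

def decide(src, dst, port, policy=POLICY):
    """Return the action of the first matching rule, or "deny"."""
    s, d = ip_address(src), ip_address(dst)
    for r in policy:
        if (s in ip_network(r.src) and d in ip_network(r.dst)
                and (not r.ports or port in r.ports)):
            return r.action
    return "deny"

def audit(policy=POLICY):
    """Return the sample flows whose verdict differs from the intended one."""
    expected = [
        ("203.0.113.7", WEB, 443, "allow"),   # internet -> web, HTTPS
        ("203.0.113.7", WEB, 80, "allow"),    # internet -> web, HTTP
        ("203.0.113.7", WEB, 1433, "deny"),   # no other port on the web server
        ("203.0.113.7", DB, 1433, "deny"),    # internet must not reach the DB
        ("192.0.2.11", DB, 1433, "deny"),     # another DMZ host must not either
        (WEB, DB, 1433, "allow"),             # the one permitted DB flow
        (WEB, DB, 445, "deny"),               # web server gets 1433 and nothing else
    ]
    return [f for f in expected if decide(*f[:3], policy) != f[3]]

if __name__ == "__main__":
    print("intended policy violations:", audit(POLICY))
    print("weak policy violations:   ", audit(WEAK_POLICY))
```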
     