FTP with one wM IS only in DMZ

I know this topic has been discussed to death already on here and the preferred approach is reverse invoke. However, we have a setup where we have an IS server only in the DMZ for interface processing. Files are dropped on the WM IS server and are then processed. WM will read the files and update the database, which is residing behind the internal firewall. All the login ids and passwords can be encrypted in a config file on the WM IS server. This is similar to a web server that faces the internet and updates the application db behind the firewall. It does not appear that this is commonly done, so I am interested in hearing what the problem would be with this approach.

An alternative approach we are also looking at is having WM IS behind the internal firewall and having an FTP server in the DMZ. Files will be dropped on this FTP server and WM will pick them up and process as usual.

Any thoughts…?

There is nothing inherently wrong with the approach.

The issue with doing any sort of processing in the DMZ is that if the ‘bad guy’ is able to break in to the DMZ, there is more for them to access. If you allow access to your database from the DMZ, then the bad guy may be able to access it as well. If you only have a proxy or relay server in the DMZ, then only transient data is available. Many companies have multiple DMZ/firewall configurations.

I would consider your alternate approach a bit more secure since no direct connections are made to the database from the DMZ. You could also do something like this with a reverse invoke server.

There are no definites in this area, the solution depends on the threat environment and how much you are willing to spend on hardware/resources.

From a security standpoint, whatever solution you come up with should be a solution that only requires outbound holes in the firewall. Theoretically, if you allow an inbound hole in your firewall, then a good hacker could get anywhere inside your internal network via that hole, not just to the database. Reverse invoke requires outbound holes only, so the rest of the internal network is not in as much jeopardy there. Your solution where the FTP server is on the outside is better than having the WM on the outside pointing in, since this sounds like only outbound holes in the firewall are required.
The FTP server on the outside does require that the files will be temporarily stored outside the internal network on the way in, which some companies see as a security exposure. Again, this all depends on the security requirements of your org.
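To make the "outbound holes only" argument from the reply above concrete, here is an added example (not code from the thread, webMethods, or any product) that models the three topologies discussed as sets of TCP flows and reports which ones need a firewall rule that accepts connections from the DMZ into the internal network. The zone names, flow descriptions and port numbers (21 for FTP, 443 for the partner-facing listener, 1521 for the database, 5555 for the internal IS's outbound registration to the reverse invoke server) are assumptions chosen for illustration, not values from the original post.

```python
"""Model which firewall holes each DMZ design needs.

Added example; the designs, zone names and ports below are assumed for
illustration and are not taken from the original thread.
"""
from dataclasses import dataclass
from typing import Iterable

INTERNET, DMZ, INTERNAL = "internet", "dmz", "internal"
# Higher number = more trusted. A connection opened from a lower-trust zone
# toward a higher-trust zone is an "inbound hole" in the firewall between them.
TRUST = {INTERNET: 0, DMZ: 1, INTERNAL: 2}


@dataclass(frozen=True)
class Flow:
    name: str
    initiator: str  # zone whose host opens the TCP connection
    target: str     # zone whose host is listening
    port: int       # listening port (assumed values)


def inbound_holes(flows: Iterable[Flow]) -> list[Flow]:
    """Flows opened from a less-trusted zone toward a more-trusted one.

    Each one needs a firewall rule that accepts new connections *into* the
    more trusted zone. Internet->DMZ holes are expected (that is what a DMZ
    is for); DMZ->internal holes are the ones the reply above warns about.
    """
    return [f for f in flows if TRUST[f.initiator] < TRUST[f.target]]


def holes_into_internal(flows: Iterable[Flow]) -> list[Flow]:
    """Inbound holes whose target is the internal network.

    These are exactly the paths an attacker who has compromised a DMZ host
    can use to pivot inward, so a design that needs none of them keeps the
    internal network out of the DMZ's blast radius.
    """
    return [f for f in inbound_holes(flows) if f.target == INTERNAL]


# Assumed models of the three designs discussed in the thread.
DESIGNS: dict[str, list[Flow]] = {
    # Original proposal: IS sits in the DMZ and writes to the internal DB.
    "IS in DMZ, writes to internal DB": [
        Flow("partner drops file on IS via FTP", INTERNET, DMZ, 21),
        Flow("IS updates application database", DMZ, INTERNAL, 1521),
    ],
    # Alternative: FTP server in the DMZ, internal IS polls it.
    "FTP server in DMZ, internal IS pulls": [
        Flow("partner drops file on FTP server", INTERNET, DMZ, 21),
        Flow("internal IS polls DMZ FTP server", INTERNAL, DMZ, 21),
        Flow("IS updates application database", INTERNAL, INTERNAL, 1521),
    ],
    # Reverse invoke: internal IS opens an outbound connection to the
    # DMZ relay, which forwards partner requests back over that connection.
    "reverse invoke server in DMZ": [
        Flow("partner connects to reverse invoke server", INTERNET, DMZ, 443),
        Flow("internal IS registers with reverse invoke server", INTERNAL, DMZ, 5555),
        Flow("IS updates application database", INTERNAL, INTERNAL, 1521),
    ],
}


def summarize(flows: Iterable[Flow]) -> dict[str, int]:
    """Counts a reviewer would put in a table: total inbound holes, and how
    many of them terminate on the internal network."""
    flows = list(flows)
    return {
        "inbound_holes": len(inbound_holes(flows)),
        "holes_into_internal": len(holes_into_internal(flows)),
    }


if __name__ == "__main__":
    for name, flows in DESIGNS.items():
        s = summarize(flows)
        print(f"{name}: {s['inbound_holes']} inbound hole(s), "
              f"{s['holes_into_internal']} of them into the internal network")
        for f in holes_into_internal(flows):
            print(f"  DMZ->internal: {f.name} (port {f.port})")
```

Run as a script it lists, per design, the rules the internal firewall would have to accept. Only the first design produces a DMZ-to-internal hole (the database port), which is the point made in the replies: the FTP-in-DMZ and reverse invoke designs still take partner connections into the DMZ, but every connection crossing the internal firewall is opened from the inside.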