December 14th, 2002, 05:19 AM
Reverse squid proxy to protect IIS?
Hi all,
I need your opinions on this situation I'm facing:
I have to set up a public IIS server for a new "webapp" we're buying.
Currently, I'm running an Apache server on an OpenBSD machine in a DMZ.
The Apache/OpenBSD box is staying; IIS will be on another box.
Now given IIS's security history (heh, just in this past week!), I'm a bit wary. Setting up an IIS webserver in the DMZ in itself doesn't concern me that much, but the catch is it will need access through SMB (either NBT (TCP 137-139) or SMB over TCP (445)) to database files stored on the main server, which is in the private network... URGH!!!, yeah, it sucks.
Still, I have to deal with it.
So I was thinking, I have 2 alternatives:
1- IIS server in DMZ, allow TCP 445 from that host back into private net (only to DB server), possibly set up an SSH tunnel or IPSec between the 2 hosts.
2- Have a Squid proxy in the DMZ filter and forward HTTP requests back into the private net to the IIS server, so the IIS server would be inside the private net, but in a restricted subnet that would only have SMB access to the DB server.
So, which one do you figure exposes less, or would be harder to compromise and less likely to be able to use the IIS server as a stepping stone to further compromise the internal network?
TIA
Ammo
Credit travels up, blame travels down -- The Boss
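
The two layouts described in the post above, modelled as allow rules so their exposure can be compared side by side. This is an added example, not part of the original post; the host names and the inbound port-80 rules are assumptions, and only the TCP 445 path to the DB server and the Squid-to-IIS HTTP path come from the post.

```python
from collections import deque

# Constructed models of the two designs. Each rule is (source, destination, port).
# Assumed: host names, and that the internet may reach port 80 on the front host.
OPTION_1 = {  # IIS in the DMZ
    ("internet", "iis", 80),
    ("iis", "db", 445),
}
OPTION_2 = {  # Squid in the DMZ, IIS in a restricted internal subnet
    ("internet", "squid", 80),
    ("squid", "iis", 80),
    ("iis", "db", 445),
}

def directly_exposed(rules, source="internet"):
    """Services the source can open a connection to without any pivot."""
    return {(dst, port) for src, dst, port in rules if src == source}

def onward_reach(rules, compromised):
    """What a single compromised host is allowed to connect to."""
    return directly_exposed(rules, source=compromised)

def pivot_paths(rules, start):
    """Worst case: every host reached is taken over and used as a pivot.
    Returns {host: [hops from start]} for every host reachable that way."""
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        here = queue.popleft()
        for src, dst, port in sorted(rules):
            if src == here and dst not in paths:
                paths[dst] = paths[here] + [f"{dst}:{port}"]
                queue.append(dst)
    del paths[start]
    return paths

if __name__ == "__main__":
    for name, rules in (("option 1", OPTION_1), ("option 2", OPTION_2)):
        print(name, "exposed to internet:", sorted(directly_exposed(rules)))
        print(name, "IIS onward reach:", sorted(onward_reach(rules, "iis")))
        for host, path in pivot_paths(rules, "internet").items():
            print("   ", host, "via", " -> ".join(path))
```

The model covers packet-filter rules only; it says nothing about which HTTP requests Squid passes on to IIS.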