Educause Security Discussion mailing list archives
Re: firewall requirements for applications
From: Jason Testart <jatestart () UWATERLOO CA>
Date: Wed, 1 Sep 2010 15:51:42 -0400
Another issue is user accountability. Assuming the password is embedded in the exe, what logging/controls do you have on *who* is accessing the data? The share at least (hopefully) provides some measure of user-level access control where the exe file itself likely does not (and if it does, could be more easily defeated). You need to really understand what controls are in place on the database itself, because it is indeed all about the risk.

On 9/1/2010 2:55 PM, Joel Rosenblatt wrote:
Does the application contain somewhere in the code the password to access the database? Lots of the fat client applications do this, in which case if the bad guys get access to the module, some reverse engineering will give them access to your database server. Limiting access to the DB will help, but a hop attack (break into a local machine, access from there) may defeat this. If your application requires some type of strong authentication outside of having access to the module, then you could make the case that you have mitigated the risk. Remember to do your security in layers.

Your access to the ERP is most likely protected by strong (or not so strong) authentication. A hack attempt will have to be done against the server and cannot be done offline. This makes a lot more noise that (hopefully) someone will notice.

It's all about the risk :-)

Good luck.

Joel Rosenblatt

Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel

--On Wednesday, September 01, 2010 1:13 PM -0500 "Shalla, Kevin" <kshalla () UIC EDU> wrote:

We have an application that currently is protected by a firewall. The application (Windows executable) resides on a file share, and data on a database server. Managing the firewall for this application causes quite a bit of grief. I recently asked why we needed to keep it behind the firewall, considering that we've got much more confidential data (our main ERP), which is available through any web browser and java to any computer on the Internet. Is there some valid increased security risk to allowing access to a Windows executable versus a java application?
-- Jason A. Testart, BMath | Voice: +1-519-888-4567 x38393 Manager, IT Security | Fax: +1-519-884-4398 Information Systems and Technology | http://ist.uwaterloo.ca/security University of Waterloo, Waterloo, Ontario N2L 3G1 CANADA
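Joel's point that a password embedded in a fat client is only a little reverse engineering away, and Jason's point that the exe itself offers no per-user control, can be illustrated with the kind of scan an attacker (or an auditor) would run first. The following is an added example, not code from any participant in this thread: it pulls printable strings out of a binary in both ASCII and UTF-16LE (Windows programs often store literals as wide strings, so `strings` alone misses them), parses anything shaped like an ODBC/OLE DB connection string, and reports which ones carry a recoverable password versus integrated authentication. The sample bytes, server name, user names and passwords are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed stand-in for a fat-client .exe (not a real binary). It carries:
#  (a) an ASCII ODBC connection string with an embedded password,
#  (b) a UTF-16LE OLE DB connection string with an embedded password,
#  (c) an ASCII connection string using integrated auth (no secret to recover).
SAMPLE_BINARY = (
    b"\x4d\x5a\x90\x00" + b"\x00" * 32
    + b"Driver={SQL Server};Server=dbsrv01;Database=Finance;Uid=appuser;Pwd=S3cr3t!;"
    + b"\x00" * 16
    + "Provider=SQLOLEDB;Data Source=dbsrv01;Initial Catalog=Finance;"
      "User ID=reports;Password=Winter2010;".encode("utf-16-le")
    + b"\x00" * 16
    + b"Server=dbsrv01;Database=Finance;Trusted_Connection=yes;"
    + b"\xff" * 8
)

# Connection-string keys that introduce a secret, and keys that select
# integrated (OS) authentication instead of a stored password.
SECRET_KEYS = ("pwd", "password")
INTEGRATED_KEYS = ("trusted_connection", "integrated security")


def extract_strings(data: bytes, min_len: int = 8) -> List[Tuple[int, str]]:
    """Printable runs as (offset, text), ASCII and UTF-16LE, in file order.

    Equivalent to running `strings` and `strings -e l` and merging the output.
    """
    found: List[Tuple[int, str]] = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        found.append((m.start(), m.group().decode("ascii")))
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        found.append((m.start(), m.group().decode("utf-16-le")))
    return sorted(found)


def parse_connection_string(text: str) -> Dict[str, str]:
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys.

    Returns {} when the string has fewer than two key=value pairs, so ordinary
    text that happens to contain one '=' is not mistaken for a connection string.
    """
    pairs = [p.split("=", 1) for p in text.split(";") if "=" in p]
    if len(pairs) < 2:
        return {}
    return {k.strip().lower(): v.strip() for k, v in pairs}


def find_embedded_credentials(data: bytes) -> List[Dict[str, object]]:
    """Report every connection string in `data` and whether it embeds a secret."""
    report: List[Dict[str, object]] = []
    for offset, text in extract_strings(data):
        kv = parse_connection_string(text)
        if not kv:
            continue
        embeds_secret = any(k in kv for k in SECRET_KEYS)
        integrated = any(kv.get(k, "").lower() in ("yes", "true", "sspi")
                         for k in INTEGRATED_KEYS)
        report.append({
            "offset": offset,
            "server": kv.get("server") or kv.get("data source", "?"),
            "user": kv.get("uid") or kv.get("user id", ""),
            "password": kv.get("pwd") or kv.get("password", ""),
            "embedded_secret": embeds_secret,
            "integrated_auth": integrated,
        })
    return report


if __name__ == "__main__":
    for entry in find_embedded_credentials(SAMPLE_BINARY):
        verdict = "EMBEDDED PASSWORD" if entry["embedded_secret"] else (
            "integrated auth" if entry["integrated_auth"] else "no password found")
        print(f"@0x{entry['offset']:x} {entry['server']} user={entry['user']!r}: {verdict}")
```

The first two hits are exactly what Joel warns about: anyone who can read the exe off the share gets a working database login, and the database only ever sees `appuser` or `reports`, never the person behind the keyboard. The third form, relying on integrated authentication, leaves nothing to recover from the file and makes the database's own logs answer Jason's *who* question, which is the property worth checking before arguing about the firewall.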
Current thread:
- firewall requirements for applications Shalla, Kevin (Sep 01)
- Re: firewall requirements for applications Joel Rosenblatt (Sep 01)
- Re: firewall requirements for applications Jason Testart (Sep 01)
- Re: firewall requirements for applications Kevin Wilcox (Sep 01)
- Re: firewall requirements for applications Charles Buchholtz (Sep 01)
- Re: firewall requirements for applications Joel Rosenblatt (Sep 01)