Firewall Wizards mailing list archives
Re: Database lookups across firewall
From: "Ryan Russell" <ryanr () sybase com>
Date: Tue, 16 Jun 1998 09:38:28 -0700
1) I don't see the extra protection in the second machine, assuming they're both on the DMZ. If you're saying that the second machine is inside, then that's worse, as you now have a web server on the DMZ able to execute CGI on an inside machine.

2) Really, really bad. Don't do this. When the web server gets compromised, it has full access to the inside because it's inside.

3) This is the choice I usually pick, if it's workable in your situation. Let me be a bit more specific, though. My favorite setup is to have an inside machine replicate/push the needed data out to the DMZ machine. Once it's there, the web server just does local lookups. This way, the inside machine gets to control when the connection is up, and acts as a client, reducing risk somewhat. One reason this arrangement wouldn't be workable is if the data gets updated too often to replicate.

And I'll add one:

4) Allow the DMZ web server to do your favorite flavor of SQL lookup to an inside database server. This has the advantage that the data is always up to date, and changes are reflected immediately.

Number 4 is my second choice.

In any of the situations, what you're trying to protect is the database contents. If you have a DMZ server that has access to the data, and that server gets compromised, then the attacker has the data. There is no way around that. In situation number 3, they have only the data that's on the server, and hopefully you've kept the minimum amount possible out there. In situation number 4, they have access to possibly all the data on the whole database server, assuming there is more than just the stuff the web app uses. Depending on your firewall structure, they may also have part of a hole to the inside to play with.
Ryan

"Rick Horne" <rick_horne () hotmail com> on 06/15/98 09:21:36 AM
To: firewall-wizards () nfr net

Hello,

I'm looking for information on the best way to allow our web server to access an internal database. We are beginning an Internet commerce site. I've heard of several techniques:

1) The web server has wrapper/stub cgi programs that call cgi routines on a second external box that has permission to cross the firewall (a.k.a. a cgi reflector)

2) Move the web server inside and proxy it out to the Internet.

3) Export database to external server and allow web server to hit that db.

I know that many thousands of companies are doing commerce but I've been unable to find a best practices document or other such info.

Thanks in advance for any comments, info, or pointers to where I can find some info.

Rick
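As an added illustration of the push arrangement Ryan prefers (option 3), and not code from either poster: an inside job selects only the columns the web application needs, pushes the rows changed since the last run out to the DMZ copy, and the web server answers lookups from that local copy without ever opening a connection inward. The inside and DMZ databases are stand-ins built with sqlite3 in memory, and the product table, its internal-only supplier/cost columns and the updated_at change counter are constructed for the example.

```python
import sqlite3

# The only columns the web application needs. Everything else (supplier, cost)
# stays inside, so a compromised DMZ host yields no more than this subset.
PUBLIC_COLUMNS = ("sku", "name", "price")


def build_inside_db():
    """Constructed stand-in for the inside database (sample schema and rows)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (
            sku        TEXT PRIMARY KEY,
            name       TEXT    NOT NULL,
            price      REAL    NOT NULL,
            supplier   TEXT    NOT NULL,   -- internal only, never exported
            cost       REAL    NOT NULL,   -- internal only, never exported
            updated_at INTEGER NOT NULL    -- monotonically increasing change counter
        );
        INSERT INTO products VALUES ('A1', 'Widget',  9.99, 'Acme Ltd', 4.10, 100);
        INSERT INTO products VALUES ('B2', 'Gadget', 24.50, 'Globex',  11.00, 101);
        INSERT INTO products VALUES ('C3', 'Gizmo',   3.25, 'Initech',  0.90, 102);
    """)
    return conn


def build_dmz_db():
    """Constructed stand-in for the DMZ copy: it has no room for the private columns."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (sku TEXT PRIMARY KEY, name TEXT NOT NULL, price REAL NOT NULL)"
    )
    return conn


def push_to_dmz(inside, dmz, high_water=0):
    """Inside-initiated push: the inside host acts as the client and sends only
    public columns of rows changed since `high_water`.
    Returns (new_high_water, rows_pushed) so the caller can persist the mark."""
    cols = ", ".join(PUBLIC_COLUMNS)
    rows = inside.execute(
        f"SELECT {cols}, updated_at FROM products WHERE updated_at > ? ORDER BY updated_at",
        (high_water,),
    ).fetchall()
    with dmz:  # commits on success, rolls back on error
        dmz.executemany(
            "INSERT OR REPLACE INTO products (sku, name, price) VALUES (?, ?, ?)",
            [row[:3] for row in rows],
        )
    new_high_water = rows[-1][3] if rows else high_water
    return new_high_water, len(rows)


def dmz_lookup(dmz, sku):
    """What the web server does on every request: a local lookup, no inward connection."""
    return dmz.execute(
        "SELECT sku, name, price FROM products WHERE sku = ?", (sku,)
    ).fetchone()


def dmz_columns(dmz):
    """Columns actually present on the DMZ copy; lets an operator verify the minimisation."""
    return {row[1] for row in dmz.execute("PRAGMA table_info(products)")}


if __name__ == "__main__":
    inside, dmz = build_inside_db(), build_dmz_db()
    mark, n = push_to_dmz(inside, dmz)
    print(f"initial push: {n} rows, high-water mark {mark}")
    print("DMZ columns:", sorted(dmz_columns(dmz)))
    print("lookup A1:", dmz_lookup(dmz, "A1"))
```

The high-water mark is what keeps the pushes cheap: after the first full copy, each run moves only the rows whose updated_at has advanced, which is the knob that decides whether the data "gets updated too often to replicate". In a real deployment the mark is persisted on the inside host, and the DMZ database file is owned by the replication account and opened read-only by the web server's account.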
Current thread:
- Re: Database lookups across firewall Ryan Russell (Jun 16)
- <Possible follow-ups>
- Re: Database lookups across firewall Ryan Russell (Jun 17)