Firewall Wizards mailing list archives

Re: Web server access of internal database


From: Andrew Yeomans <andrew_yeomans () uk ibm com>
Date: Tue, 16 Jun 1998 09:23:16 +0000

Rick Horne writes:
I'm looking for information on the best way to allow our web server to
access an internal database.  We are beginning an Internet commerce
site.  I've heard of several techniques:
1) The web server has wrapper/stub cgi programs that call cgi routines
on a second external box that has permission to cross the firewall
(a.k.a. a cgi reflector)
2) Move the web server inside and proxy it out to the Internet.
3) Export database to external server and allow web server to hit that db.

The simple answer is that there are no simple answers! It really depends
on what your function and security needs are, which requires some detailed
analysis. E.g. what happens if a component (server, etc) is compromised?
How does that affect overall system security?

Some questions: do you need read-only or read-write access to the
database? How frequently does the database need updating?
It might be OK to simply replicate a read-only copy of the database from
a protected master server, as you mention in 3). The recent IBM Olympics
mega-servers were using DFS to replicate the databases to web servers
around the world.

Performance is also a potential issue; having to go through multiple
servers, cgi-bin, etc may kill your performance. I saw some benchmarks
on transaction processing using a Microsoft server, which were limited to
only 10 process threads, which meant that it simply couldn't be used for
mainstream commerce. Not that everyone needs that, some sites are lucky
to get that number of hits an hour. So check that any solution will scale
to your needs.

I've seen solutions using different network protocols (e.g. SNA and a
private fast serial link) to connect the web server and the database,
so even if the web server gets compromised, there is no way that it has
access to the internal TCP/IP networks.

One other issue is software development time. IBM has made significant
investment in connector products, allowing much faster development
of SQL database and CICS interfaces, which means your development is
much simpler. There are also Java programs which allow you to run your
own database applications on the client, for added functionality there.

If you want to see some examples and pictures, see "Java Network Security"
published in January by Prentice-Hall (I wrote the chapters on firewalls
and architectures, much of which generally applies, not just for Java.)

Andrew_Yeomans () uk ibm com,                      Installation Support Centre,
EMEA  Network  Computing  Software  and  e-business  Centre  of  Competence,
MP 3GS, IBM UK Ltd, 1 New Square, Bedfont Lakes, Feltham, Middlesex,TW14 8HB
Tel: +44-181-818-4288 Int: 36-4288 Fax: +44-181-818-5475 Pager: 01523-494985

"A program that has not been specified cannot be incorrect, it can only be
surprising."
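The two design points in the reply above, a narrow "reflector" interface so a compromised web server cannot issue arbitrary queries (option 1), and a read-only replica exported from a protected master (option 3), can be sketched in working code. The example below is added here and is not code from the original post, from Rick Horne, or from IBM; it assumes an in-memory SQLite database standing in for the exported replica, constructed sample rows, and hypothetical operation names such as `product_by_id`.

```python
"""Narrow 'CGI reflector' in front of a read-only database replica.

Added illustration; not from the original post. The web-facing stub may only
name one of a fixed set of operations with typed arguments, never raw SQL, and
the connection it reaches refuses writes. An SQLite in-memory database stands
in for the replica exported from the protected master (assumption).
"""
import sqlite3

# Constructed sample catalogue loaded into the replica.
SAMPLE_ROWS = [(1, "widget", 1250), (2, "gadget", 3400)]


def build_replica():
    """Build the external replica the web server is permitted to hit.

    In option 3) this would be a copy exported from the internal master;
    here it is an in-memory SQLite database seeded with sample rows.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE product (id INTEGER PRIMARY KEY, name TEXT, price_pence INTEGER)"
    )
    conn.executemany("INSERT INTO product VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    # From here on this connection is read-only: INSERT/UPDATE/DELETE fail,
    # so a compromised web server cannot alter data through this path.
    conn.execute("PRAGMA query_only = ON")
    return conn


# The reflector exposes named operations only. Each entry is a fixed
# parameterised statement plus the argument names it accepts (hypothetical
# operation names, constructed for this example).
OPERATIONS = {
    "product_by_id": (
        "SELECT id, name, price_pence FROM product WHERE id = ?",
        ("id",),
    ),
    "products_under": (
        "SELECT id, name, price_pence FROM product WHERE price_pence < ? ORDER BY id",
        ("max_price_pence",),
    ),
}


class ReflectorError(Exception):
    """Request refused before anything reaches the database."""


def reflect(conn, request):
    """Handle one request from the DMZ web server's stub CGI.

    request = {"op": <operation name>, "args": {<name>: <value>, ...}}
    Unknown operations, missing or extra arguments, and non-integer values
    are all refused; only the fixed statement for the named op ever runs.
    """
    op = request.get("op")
    if op not in OPERATIONS:
        raise ReflectorError("unknown operation: %r" % (op,))
    sql, param_names = OPERATIONS[op]
    args = request.get("args", {})
    if set(args) != set(param_names):
        raise ReflectorError("%s expects arguments %r" % (op, param_names))
    values = []
    for name in param_names:
        value = args[name]
        # bool is a subclass of int in Python, so exclude it explicitly.
        if not isinstance(value, int) or isinstance(value, bool):
            raise ReflectorError("%s must be an integer" % name)
        values.append(value)
    return conn.execute(sql, values).fetchall()


def attempt_write(conn):
    """Show what happens if the web-side connection tries to modify data."""
    try:
        conn.execute("DELETE FROM product")
        return "write succeeded"
    except sqlite3.OperationalError as exc:
        return "write refused: %s" % exc


if __name__ == "__main__":
    replica = build_replica()
    print(reflect(replica, {"op": "product_by_id", "args": {"id": 2}}))
    print(reflect(replica, {"op": "products_under", "args": {"max_price_pence": 2000}}))
    print(attempt_write(replica))
    try:
        reflect(replica, {"op": "product_by_id", "args": {"id": "1 OR 1=1"}})
    except ReflectorError as exc:
        print("refused:", exc)
```

The point of the shape is the one the reply makes about compromise analysis: if the web server falls, the attacker holds a client that can ask only `product_by_id` and `products_under` of a copy that cannot be written to, which is a far smaller loss than a general SQL connection into the internal network. In a real deployment the reflector would sit on the second box across the firewall and the replica would be refreshed from the master on whatever schedule the data's update frequency demands.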