Firewall Wizards mailing list archives
Re: Database lookups across firewall
From: "Ryan Russell" <ryanr () sybase com>
Date: Wed, 17 Jun 1998 08:57:45 -0700
I'll assume you didn't CC the list because you may have thought I'd
take this as criticism. I don't. I'm CCing the list on the reply because
I think it's good information.
You make an excellent point, and your design of having the DB server
in another DMZ of sorts is superior.
When I listed my options, I unthinkingly left out the more secure option
that you've listed, because many people, unfortunatly, aren't
willing or able to take the extra security measures. I've gotten
used to people claiming that the DB server can't be restricted from
the inside in any way.
Thanks for correcting me.
Ryan
Chad Schieken <cschieke () advsys com> on 06/17/98 08:18:15 AM
To: Ryan Russell/SYBASE
cc:
Subject: Re: Database lookups across firewall
In my pefect world we'd have a three legged beast-
1. the webserver is on a DMZ where all access (in and out) if
controlled via some type of firewall.
2. The webserver excutes code (CGI, ISAPI, NSAPI take your pick) to do
the database queries
1. the code is reviewed for holes
3. The database is on an a segment that is seperate from the webserver
and seperate from the internal networks
1. the only connections allowed are to the database for updates and
from the webserver for queries.
2. The database is updated incrementally whenever changes occur, or
or some interval if that makes more sense. But careful study is done
to determine the type of change activity and the intelligent way to
do this.
for host based security is implemented for defense in depth.
I do not reccomend that one allows direct queries from any external
host to any internal host, even if access is restricted to one port
between two IPaddresses and only one end can initiate connections.
The only way this works is if you really trust the security of the
setup of the database. I haven't found many DBA'a who understand
Intenet security. Normally they are too busy running damm good
databases.
1) I don't see the extra protection in the second machine, assuming they're both on the DMZ. If you're saying that the second machine is inside, then that's worse, as you now have a web server on the DMZ able to execute CGI on an inside machine. 2) Really, really bad. Don't do this. When the web server gets compromised, it has full access to the inside because it's inside. 3) This is the choice I usually pick, if it's workable in your situation. Let me be a bit more specific, though. My favorite setup is to have an inside machine replicate/push the needed data out to the DMZ machine. Once it's there, the web server just does local lookups. This way, the inside machine gets to control when the connection is up, and acts as a client, reducing risk somewhat. One reason this arrangement wouldn't be workable is if the data gets updated too often to replicate. and I'll add one: 4) Allow the DMZ web server to do your favorite flavor of SQL lookup to an inside databse server. This has the advantage that the data is always up to date, and changes are reflected immediatly. Number 4 is my second choice. In any of the situations, what you're trying to protect is the database contents. If you have a DMZ server that has access to the data, and that server gets compromised, then the attacker has the data. There is no way around that. In situation number 3, they have only the data that's on
the
server, and hopefully you've kept the minimum amount possible out there.
In situation number 4, they have access to possibly all the data on the
whole database server, assuming there is more than just the stuff the
web app uses. Depending on your firewall structure, they may also
have part of a hole to the inside to play with.
Ryan
"Rick Horne" <rick_horne () hotmail com> on 06/15/98 09:21:36 AM
Please respond to "Rick Horne" <rick_horne () hotmail com>
To: firewall-wizards () nfr net
cc: (bcc: Ryan Russell/SYBASE)
Subject:
Hello,
I'm looking for information on the best way to allow our web server
to
access an internal database. We are beginning an Internet commerce site. I've heard of several techniques: 1) The web server has wrapper/stub cgi programs that call cgi routines on a second external box that has permission to cross the firewall (a.k.a. a cgi reflector) 2) Move the web server inside and proxy it out to the Internet. 3) Export database to external server and allow web server to hit that db. I know that many thousands of companies are doing commerce but I've been unable to find a best practices document or other such info. Thanks in advance for any comments, info, or pointers to where I can find some info. Rick ______________________________________________________ Get Your Private, Free Email at http://www.hotmail.com Received: from tunnel.sybase.com ([130.214.231.88]) by ibwest.sybase.com (Lotus SMTP MTA v4.6.1 (569.2 2-6-1998)) with SMTP id 88256625.0023B254; Mon, 15 Jun 1998 23:29:54 -0700 Received: from smtp1.sybase.com (smtp1 [130.214.220.35]) by tunnel.sybase.com (8.8.4/8.8.4) with SMTP id XAA18742; Mon, 15 Jun 1998 23:27:38 -0700 (PDT) Received: from inergen.sybase.com by smtp1.sybase.com (4.1/SMI-4.1/SybH3.5-030896) id AA02566; Mon, 15 Jun 98 23:27:38 PDT Received: from nfr.net (tower.nfr.net [208.196.145.10]) by inergen.sybase.com (8.8.4/8.8.4) with ESMTP id XAA17370; Mon, 15 Jun 1998 23:29:01 -0700 (PDT) Received: (from lists@localhost) by nfr.net (8.8.8/8.8.8) id VAA00073 for firewall-wizards-outgoing; Mon, 15 Jun 1998 21:08:25 -0500 (CDT) Received: (from fwiz@localhost) by nfr.net (8.8.8/8.8.8) id VAA00063 for firewall-wizards () nfr net; Mon, 15 Jun 1998 21:08:18 -0500 (CDT) Received: from hotmail.com (f33.hotmail.com [207.82.250.44]) by nfr.net (8.8.8/8.8.8) with SMTP id LAA26887 for <firewall-wizards () nfr net>; Mon, 15 Jun 1998 11:17:55 -0500
(CDT)
Received: (qmail 4009 invoked by uid 0); 15 Jun 1998 16:21:37 -0000
Message-Id: <19980615162137.4008.qmail () hotmail com>
Received: from 161.156.101.7 by www.hotmail.com with HTTP;
Mon, 15 Jun 1998 09:21:36 PDT
X-Originating-Ip: [161.156.101.7]
From: "Rick Horne" <rick_horne () hotmail com>
To: firewall-wizards () nfr net
Content-Type: text/plain
Date: Mon, 15 Jun 1998 09:21:36 PDT
Sender: owner-firewall-wizards () nfr net
Precedence: bulk
Reply-To: "Rick Horne" <rick_horne () hotmail com>
Received: from tunnel.sybase.com ([130.214.231.88]) by ibwest.sybase.com
(Lotus SMTP MTA v4.6.1 (569.2 2-6-1998)) with SMTP id 88256626.00544A5E;
Wed, 17 Jun 1998 08:20:40 -0700
Received: from smtp1.sybase.com (smtp1 [130.214.220.35])
by tunnel.sybase.com (8.8.4/8.8.4) with SMTP
id IAA05083 for <Ryan_Russell@tunnel-w>; Wed, 17 Jun 1998 08:18:23
-0700 (PDT)
Received: from halon.sybase.com by smtp1.sybase.com
(4.1/SMI-4.1/SybH3.5-030896)
id AA10271; Wed, 17 Jun 98 08:18:22 PDT
Received: from gabriel.advsys.com (gabriel.advsys.com [198.49.218.20])
by halon.sybase.com (8.8.4/8.8.4) with ESMTP
id IAA27213 for <ryanr () sybase com>; Wed, 17 Jun 1998 08:18:11 -0700
(PDT)
Received: from mailhost.advsys.com ([129.203.1.25])
by gabriel.advsys.com (8.8.7/8.8.7) with ESMTP id LAA27329
for <ryanr () sybase com>; Wed, 17 Jun 1998 11:18:19 -0400 (EDT)
Received: from morissette.advsys.com (morissette [129.203.1.52])
by mailhost.advsys.com (8.8.6/8.8.6) with ESMTP id LAA02291
for <ryanr () sybase com>; Wed, 17 Jun 1998 11:18:18 -0400 (EDT)
From: Chad Schieken <cschieke () advsys com>
Received: (from cschieke@localhost) by morissette.advsys.com (8.7.5/8.7.3)
id LAA21024 for ryanr () sybase com; Wed, 17 Jun 1998 11:18:16 -0400 (EDT)
Message-Id: <199806171518.LAA21024 () morissette advsys com>
Subject: Re: Database lookups across firewall
To: ryanr () sybase com
Date: Wed, 17 Jun 1998 11:18:15 -0400 (EDT)
In-Reply-To: <88256625.005A8376.00 () gwwest sybase com> from "Ryan Russell"
at Jun 16, 98 09:38:28 am
X-Mailer: ELM [version 2.5 PL0a6]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Current thread:
- Re: Database lookups across firewall Ryan Russell (Jun 16)
- <Possible follow-ups>
- Re: Database lookups across firewall Ryan Russell (Jun 17)