Firewall Wizards mailing list archives

Re: ODBC


From: Bennett Todd <bet () rahul net>
Date: Fri, 8 May 1998 05:06:34 -0700

1998-05-06-16:07:35 Ikoedem Moses:
 I want to pass ODBC traffic from a webserver in the DMZ to a database
server in the internal network. What is the right way to do it and what
ports does it use?

First answer would be easy: _don't_ do it. ODBC is an immature protocol;
security isn't implemented by any vendor I know of. They don't have
strong authentication, nor encryption. The protocol being passed is
open-ended. Don't let it through your firewall. Replicate such data as
the web presence needs out onto a server in the DMZ, perhaps reachable
only by the web server. Don't let that traffic in.

If for some reason that just can't be done, then your next best bet
would be to write yourself a custom application-level proxy: write an
ODBC client/server to run on the firewall, write it bulletproof (as if
you could find bulletproof ODBC development libraries...) and riddle it
with serious sanity checking of the traffic stream.

And if _that_ can't be done, and you absolutely have to let the traffic
through, get your objections acknowledged in writing --- you want it
documented in black and white that someone else is to blame when this
hole is torn open. Then hang a sniffer on the wire while doing a typical
dialogue, and see what packets are required. I tried to set up packet
filtering rules to allow something that claimed to be ODBC traffic
between java applets, downloaded to client web servers, and the web
server. Turns out I had to open a rendezvous port, plus a whole range of
high port numbers. A couple of months later I was sure glad I'd
completely removed portmapper from that box, when it was revealed that
portmapper was secretly listening to some high-numbered port.

-Bennett
