Firewall Wizards mailing list archives

Re: ODBC


From: Bennett Todd <bet () rahul net>
Date: Mon, 11 May 1998 05:48:13 -0700

1998-05-10-18:23:33 Thomas Ptacek:
> Huh? I am very weak on database stuff, but I was of the impression that
> ODBC *wasn't* an on-the-wire protocol, but rather a calling convention for
> database libraries so that arbitrary drivers could interoperate with
> arbitrary database-enabled programs.

Not as weak as I am, evidently.

You're right as can be.

I'd tangled with something very like the question that Ikoedem Moses
seemed to be requesting:

> I want to pass ODBC traffic from a webserver in the DMZ to a database
> server in the internal network. What is the right way to do it and what
> ports does it use?

The over-the-wire protocol our developers were proposing to use was
related to CORBA (I don't know for sure if CORBA actually specifies the
network protocol, or if it's just another API spec). The database backend
was ODBC<==>CORBA. I stated that (a) database implementations are huge,
complex, and never designed with security as a goal; (b) there were no
security provisions available in any implementation we could find of the
proposed protocol; and (c) we could find no proxy that gave fine-grained
control of the requests it would be willing to forward. Based on these
limitations we ended up replicating the data out onto a sacrificial
machine in the DMZ, sanitizing it as best we could, and protecting that
machine the best we could with the screening router.

-Bennett


