Firewall Wizards mailing list archives
Re: Access to backend systems
From: horio shoichi <horio () acm org>
Date: Mon, 23 Oct 2000 23:31:00 +0900
Ellis Luk wrote:
But nowadays, in the name of eComm, more and more businesses require their web applications to be able to connect to the back-end systems (usually databases), so that they can present real-time production data to their customers (or even worse, allow their customers to enter data into the backend systems for processing).
2) how would you use your resource (firewall and/or other servers) to protect it?
Let's assume FE and DB represent two types of hosts: the former is exposed to the world and the latter is directly connected to the former but not intended to be seen from outside. Further assume the latter is closely tied to the hosts confined within the internal lan.

o Make both FE and DB two legged. They must not forward ip packets. Install ipfilter (or the akin) on both.

o FE's one leg is connected by the external world. The other leg (L0) is connected only to/by DB, for only the ports necessary for DB functions. L0 is the only leg that may behave actively.

o DB's one leg (L1) provides DB function but nothing else. It is connected to/by only FE on only the ports necessary for the function. The other leg is directly anchored into the internal lan. It is used for DB function and maintenance. If DB function includes packet/protocol (forward/tunnel/proxy/etc)ing, they must be disabled (it's no use disabling them on FE). No functions that perform 'on behalf of' someone else, even from the internal lan, must remain.

o Build a network island that connects only L0 and L1.

Finally, fasten filtering rules so that no rewriting of them will occur.

So you have built a 'non-routable router' between the dmz and the internal lan that has DB capability. While DB may directly confront a hijacked FE, risks for the internal lan exist only when the internal hosts are seen as DB machines, and the "router" delegated the DB function to the internal lan.

horio shoichi

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
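The two-host design above written out as ipfilter rule sets, added here as an illustration and not taken from the original post. Interface names (ext0, isl0, int0), the island addresses 192.0.2.1 (FE L0) and 192.0.2.2 (DB L1), the DB host's internal address 10.0.0.5, the internal net 10.0.0.0/24 and the DB listener port 5432 are all assumed.

```conf
# Both hosts: turn IP forwarding off in the kernel before any rule is loaded
#   BSD:     sysctl net.inet.ip.forwarding=0
#   Solaris: ndd -set /dev/ip ip_forwarding 0
# then load once at boot with: ipf -Fa -f /etc/ipf.conf
# ipfilter evaluates rules top to bottom; the last match wins unless "quick".
# "keep state" admits the reply packets of a permitted connection by itself.

# ---------------- FE: /etc/ipf.conf, island leg isl0 (L0) ----------------
# Only the island leg is shown; the external leg ext0 serving the web
# application is a separate rule set. L0 is the one leg allowed to open
# connections, and it may open them only to DB on the DB port.
block in  quick on isl0 all with opt lsrr        # no source-routed packets
block in  quick on isl0 all with opt ssrr
block in  log   on isl0 all                      # nothing unsolicited arrives here
block out log   on isl0 all                      # nothing leaves by default
pass  out quick on isl0 proto tcp from 192.0.2.1 to 192.0.2.2 port = 5432 flags S keep state

# ---------------- DB: /etc/ipf.conf ----------------
# Island leg isl0 (L1): accepts the DB port from FE and initiates nothing,
# so a hijacked FE finds exactly one open service and no way out through DB.
block in  quick on isl0 all with opt lsrr
block in  quick on isl0 all with opt ssrr
block in  log   on isl0 all
block out log   on isl0 all                      # L1 never behaves actively
pass  in  quick on isl0 proto tcp from 192.0.2.1 to 192.0.2.2 port = 5432 flags S keep state

# Internal leg int0: DB function and maintenance for the internal lan only.
# Island addresses must never appear on this leg in either direction, so the
# DB host cannot become a path between the island and the internal lan.
block in  log quick on int0 from 192.0.2.0/30 to any
block out log quick on int0 from any to 192.0.2.0/30
block in  log on int0 all
pass  in  quick on int0 proto tcp from 10.0.0.0/24 to 10.0.0.5 port = 5432 flags S keep state
pass  in  quick on int0 proto tcp from 10.0.0.0/24 to 10.0.0.5 port = 22 flags S keep state
```

The logged block rules on both island legs are the detection point: any hit on them means either FE or DB is trying something the design never permits.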
Current thread:
- Access to backend systems Ellis Luk (Oct 19)
- Re: Access to backend systems Stephen P. Berry (Oct 20)
- Re: Access to backend systems George Capehart (Oct 20)
- Re: Access to backend systems horio shoichi (Oct 24)
- Re: Access to backend systems Jeffery . Gieser (Oct 20)