Firewall Wizards mailing list archives

Re: Access to backend systems


From: horio shoichi <horio () acm org>
Date: Mon, 23 Oct 2000 23:31:00 +0900

Ellis Luk wrote:

But nowadays, in the name of eComm, more and more businesses require
their web applications to be able to connect to the back-end systems
(usually databases), so that they can present real-time production data
to their customers (or even worse, allow their customers to enter data
into the backend systems for processing).



2) How would you use your resources (firewall and/or other servers) to
protect it?


Let's assume FE and DB represent two types of hosts, where the former is exposed to
the world and the latter is directly connected to the former but not intended to
be seen from outside. Further assume the latter is closely tied to the hosts
confined within the internal LAN.

o Make both FE and DB two-legged. They must not forward IP packets. Install ipfilter
  (or the like) on both.

o One of FE's legs is connected to the external world. The other leg (L0) is connected
  only to/by DB, and only on the ports necessary for DB functions. L0 is the only
  leg that may behave actively.

o One of DB's legs (L1) provides the DB function but nothing else. It is connected to/by
  FE only, and only on the ports necessary for that function.

  The other leg is directly anchored into the internal LAN. It is used for the DB function
  and maintenance.

  If the DB function includes packet/protocol forwarding, tunnelling, proxying, etc., they must
  be disabled (it's no use disabling them on FE). No function that acts 'on
  behalf of' someone else, even from the internal LAN, may remain.

o Build a network island that connects only L0 and L1. Finally, fasten the filtering rules
  so that they cannot be rewritten.

So you have built a 'non-routable router' between the DMZ and the internal LAN that has DB
capability.

While DB may directly confront a hijacked FE, risks for the internal LAN exist only when
the internal hosts are seen as DB machines and the "router" has delegated the DB function
to the internal LAN.


horio shoichi

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
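The two-legged FE/DB arrangement described in the post, written out as ipfilter rulesets; this is an added example, not part of the original post. The island addresses, interface names and DB listener port are constructed assumptions, and the sysctl/ipf commands assume a BSD-style host.

```shell
#!/bin/sh
# Constructed values: the island network, interface names and the DB port are
# assumptions for this example, not taken from the post.
FE_EXT_IF=fxp0;  FE_EXT_IP=192.0.2.10      # FE leg facing the world
FE_L0_IF=fxp1;   FE_L0_IP=10.10.10.1       # FE leg (L0) on the island
DB_L1_IF=fxp0;   DB_L1_IP=10.10.10.2       # DB leg (L1) on the island
DB_INT_IF=fxp1;  INT_NET=10.1.0.0/16       # DB leg into the internal LAN
DB_PORT=1521                               # assumed DB listener port

# ipf.conf for FE: default deny on every leg; L0 is the only leg that may
# originate sessions, and only to DB's listener.
fe_rules() {
  cat <<EOF
block in log all
block out log all
block in quick all with short
block in quick all with ipopts
# external leg: answer web clients only, never originate anything
pass in quick on $FE_EXT_IF proto tcp from any to $FE_EXT_IP port = 80 flags S keep state
# L0: actively open DB sessions; replies ride on the state entry
pass out quick on $FE_L0_IF proto tcp from $FE_L0_IP to $DB_L1_IP port = $DB_PORT flags S keep state
EOF
}

# ipf.conf for DB: L1 accepts the DB port from FE's L0 address and nothing
# else and never originates; the internal leg carries DB use and maintenance.
db_rules() {
  cat <<EOF
block in log all
block out log all
block in quick all with short
block in quick all with ipopts
# L1: passive only; no pass-out rule exists for this leg
pass in quick on $DB_L1_IF proto tcp from $FE_L0_IP to $DB_L1_IP port = $DB_PORT flags S keep state
# internal leg: DB function and maintenance (ssh) from the internal LAN
pass in quick on $DB_INT_IF proto tcp from $INT_NET to any port = $DB_PORT flags S keep state
pass in quick on $DB_INT_IF proto tcp from $INT_NET to any port = 22 flags S keep state
EOF
}

# Apply on a BSD-style host as root: refuse to forward, then load one ruleset,
# e.g. apply_rules fe_rules on FE and apply_rules db_rules on DB.
apply_rules() {
  sysctl -w net.inet.ip.forwarding=0
  "$1" > /etc/ipf.conf
  ipf -Fa -f /etc/ipf.conf
}
```

With no pass-out rule on DB's L1 and no pass-in rule on FE's L0, a session can only ever be opened from FE towards DB; a compromised FE still cannot reach anything but the listener, and DB cannot be used to reach back into the DMZ.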

