Firewall Wizards mailing list archives

RE: Sources for Extranet Designs?


From: "Marcus J. Ranum" <mjr () ranum com>
Date: Mon, 23 Feb 2004 16:56:59 -0500

Daniel Linder wrote:
Is there such thing as a SQL front end proxy?  I would think with more
security devices employing "layer 8" (yeech, marketing speak) filtering, a
SQL security proxy that could be programmed with limits such as
databases/tables/columns, number of rows returned, etc., might be a
good first line of defense...

Yeah, it's called "Oracle" ;)

The principle behind proxies* is that they:
        a) Are minimized (in terms of implementation)
        b) Rigorously check for and exclude errors in their input
        c) Implement a subset of an application protocol
        -or-
        Implement an application protocol with the ability to control
                operations to a subset of the protocol's ops
        d) Do so only after a security analyst has spent actual
                brain-cycles thinking about the implications of
                allowing that operation through the proxy
        e) Log transactions based on operations
        f) Ideally are designed to run in a restricted environment
                if the underlying operating system permits such a
                thing

For example, the very first firewall toolkit SMTP proxy understood
HELO
MSG
RCPT
DATA
QUIT

and *only* in that *exact* *order*. Downhill. With a tailwind. Other operations
were added later but only after considerable thought and discussion.

So, for a database, the thing you'd want to do (ahem) is to implement an
API that allowed just the operations that you wanted to allow, and no
others. This, of course, is extremely difficult if you're dealing with an
app that has been mis-designed along the premise that all SQL operations
would be available to the end user. Of course SQL operations are very
complex things in and of themselves, etc, etc.

The theory is that by reducing the set of operations to the minimum
that is necessary, you've reduced the likelihood that a bad guy can
introduce an abnormal sequence of operations or put the server into
an unusual state (for example the old guest FTP login disconnect
login as root attack) - when your application's potential number of
states gets too large it's, by definition, an interactive shell. ;)  The
same logic applies at a network level. Once you let too many
streams of data through, your firewall is, by definition, a hub.

mjr.
(* Lest we debate the definition of "application proxy" here, I'd like
to mention that I coined the term so I probably have no idea how
the marketing weenies use the term these days.)  
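
The ordered-subset proxy described above (the fixed verb list in one exact order, strict input checking, per-operation logging), as an added Python example that is not the firewall toolkit's code and is not from the post. It assumes the five verbs exactly as the post spells them, a hypothetical policy table that lists the verbs accepted after each accepted verb, an assumed 512-character line limit, and constructed sample sessions. It goes one step beyond the post's single strict table: a second, deliberately widened table (repeated RCPT) shows that widening the accepted operation set is an explicit policy decision rather than something the parser discovers on its own.

```python
import re
from typing import Dict, FrozenSet, List, Tuple

# Hypothetical policy tables (not from the post or the original toolkit).
# Each maps the last accepted verb to the set of verbs accepted next.
STRICT_ORDER: Dict[str, FrozenSet[str]] = {
    "START": frozenset({"HELO"}),
    "HELO": frozenset({"MSG"}),
    "MSG": frozenset({"RCPT"}),
    "RCPT": frozenset({"DATA"}),
    "DATA": frozenset({"QUIT"}),
    "QUIT": frozenset(),  # nothing is accepted after QUIT
}

# A deliberately widened table: the analyst has decided that several RCPT
# lines in a row are acceptable. Every other transition stays strict.
MULTI_RCPT: Dict[str, FrozenSet[str]] = dict(
    STRICT_ORDER, RCPT=frozenset({"RCPT", "DATA"})
)

MAX_LINE = 512  # assumed command-line limit (CRLF already stripped)

# A verb of 3-4 capital letters, optionally followed by one space and a
# printable-ASCII argument. fullmatch() is used below so that a trailing
# newline cannot slip past a "$" anchor.
COMMAND_RE = re.compile(r"([A-Z]{3,4})(?: ([\x21-\x7e][\x20-\x7e]*))?")


class StrictProxy:
    """Command filter: fixed operation subset, strict input checks, per-op log."""

    def __init__(self, policy: Dict[str, FrozenSet[str]] = STRICT_ORDER) -> None:
        self.policy = policy
        # The only verbs this proxy knows at all are those the policy names.
        self.known: FrozenSet[str] = frozenset().union(*policy.values())
        self.state = "START"
        self.log: List[str] = []

    def _reject(self, reason: str, raw: str) -> Tuple[bool, str]:
        # Log against the state we were in, then close: one bad line ends the
        # session; the proxy does not try to resynchronise and keep parsing.
        self.log.append(f"REJECT state={self.state} reason={reason} line={raw!r}")
        self.state = "CLOSED"
        return False, reason

    def handle(self, raw: str) -> Tuple[bool, str]:
        """Decide whether one client line is forwarded. Returns (forward, note)."""
        allowed = self.policy.get(self.state, frozenset())
        if not allowed:
            return self._reject("session-closed", raw)
        if len(raw) > MAX_LINE:
            return self._reject("line-too-long", raw[:32] + "...")
        if not raw.isascii() or any(ord(c) < 0x20 or ord(c) == 0x7F for c in raw):
            return self._reject("bad-characters", raw)
        m = COMMAND_RE.fullmatch(raw)
        if m is None:
            return self._reject("malformed", raw)
        verb, arg = m.group(1), m.group(2)
        if verb not in self.known:
            return self._reject("unknown-operation", raw)
        if verb not in allowed:
            return self._reject(f"out-of-order expected={sorted(allowed)}", raw)
        self.log.append(f"ACCEPT {verb} arg={arg!r}")
        self.state = verb
        return True, verb


def run_session(
    lines: List[str], policy: Dict[str, FrozenSet[str]] = STRICT_ORDER
) -> Tuple[List[bool], List[str]]:
    """Run one client session through a fresh proxy; return decisions and log."""
    proxy = StrictProxy(policy)
    decisions = [proxy.handle(line)[0] for line in lines]
    return decisions, proxy.log


# Constructed sample sessions (not captured traffic).
GOOD_SESSION = ["HELO relay.example.test", "MSG <alice@example.test>",
                "RCPT <bob@example.test>", "DATA", "QUIT"]
OUT_OF_ORDER = ["HELO relay.example.test", "RCPT <bob@example.test>",
                "MSG <alice@example.test>", "DATA", "QUIT"]
TWO_RCPT = ["HELO relay.example.test", "MSG <alice@example.test>",
            "RCPT <bob@example.test>", "RCPT <carol@example.test>",
            "DATA", "QUIT"]
UNKNOWN_VERB = ["HELO relay.example.test", "HELP", "QUIT"]

if __name__ == "__main__":
    for name, session, policy in [
        ("good/strict", GOOD_SESSION, STRICT_ORDER),
        ("out-of-order/strict", OUT_OF_ORDER, STRICT_ORDER),
        ("two-rcpt/strict", TWO_RCPT, STRICT_ORDER),
        ("two-rcpt/multi", TWO_RCPT, MULTI_RCPT),
        ("unknown-verb/strict", UNKNOWN_VERB, STRICT_ORDER),
    ]:
        decisions, log = run_session(session, policy)
        print(name, decisions)
        for entry in log:
            print("   ", entry)
```

The point of the two tables is principle d) above: the strict table is the starting position, and the second table exists only because someone decided, in writing, that a repeated RCPT is an operation worth letting through. Everything else (unknown verbs, control characters, overlong lines, any verb outside the expected set for the current state) closes the session and leaves a log line naming the operation and the reason.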

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

