[thelist] Firewalls vs. Web Databases

Glenn Hunt ghunt at hds.ca
Thu Sep 20 14:48:32 CDT 2001


What you have said is true, but we agree to a point - all servers should
be behind firewalls. Your setup works great, and I agree that having a
"mirror" prevents corruption of internal data, but it does prevent you from
using a web application to update anything. You are restricted to
read-only.

Also, the goal of a firewall is not just to provide an IP-level barrier
between machines, but to also control and monitor the data passing
through it. Many firewalls have the capability to "filter" out packets
that are corrupted, etc. (which forms the basis for many port 80
attacks). Also, using the same DB server for both web content and
sensitive internal data isn't the wisest thing to do either.

If your application *is* only read-only, then you can set up a read-only
data connection between the DB server and the web server, again
preventing corruption of that data from the web server.

Glenn Hunt
ghunt at hds.ca

-----Original Message-----
From: thelist-admin at lists.evolt.org
[mailto:thelist-admin at lists.evolt.org] On Behalf Of
Ron_Senykoff at BEAEROSPACE.COM
Sent: Thursday, September 20, 2001 2:33 PM
To: thelist at lists.evolt.org
Subject: RE: [thelist] Firewalls vs. Web Databases



<snip>
The best for security is definitely everything behind the firewall
</snip>

I disagree.  It is definitely better... but in this case I would suggest
2 firewalls.  One for the DMZ and one protecting the internal network.
If everything is behind one firewall, then you have to leave ports open.
Leaving ports open on the firewall leaves ways for an attacker to come
in. We currently run 2 webservers, one inside the firewall and one
outside (in the DMZ).  We have one-way replication set up so that the
internal server pushes changes to external.  Even if an attacker got
into the external box and screwed it up, we still have our data and can
rebuild with minimal effort. Having a server 'internal' with port 80
open... then a hacker attacks it on port 80.  The way applications are
becoming more and more 'web-enabled' the more things are left open by
port 80.  I've seen many companies that have an intranet that is
accessible from outside -- via port 80.  They think "because it's behind
a firewall it's safe," yet they left the door open.  I was poking around
with a few Notes vulnerabilities and found that I was looking at HR
information, internal job postings, help-desk applications...

Ron Senykoff
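The two ideas raised in this thread, a one-way push from the internal server to a mirror in the DMZ (Ron's setup) and a read-only data connection for the web server (Glenn's suggestion), can be shown together in a small worked example. This is an added illustration, not code from either poster; it uses Python's built-in sqlite3 module to stand in for whatever database product they were running, the file paths and table are constructed for the demo, and the push copies only rows flagged public, which goes one step beyond a plain mirror (an assumption of the example, not something the thread describes).

```python
import os
import sqlite3
import tempfile
from pathlib import Path

# Constructed example: an internal "master" database that the intranet
# application writes to, and a web-facing "mirror" in the DMZ that is
# refreshed by a one-way push and that the web server may only read.
WORKDIR = tempfile.mkdtemp(prefix="dmz-demo-")
INTERNAL_DB = os.path.join(WORKDIR, "internal.db")  # behind the inner firewall
MIRROR_DB = os.path.join(WORKDIR, "mirror.db")      # lives in the DMZ


def init_internal_db(path=INTERNAL_DB):
    """Create the internal database with constructed sample rows."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS jobs "
        "(id INTEGER PRIMARY KEY, title TEXT, public INTEGER)"
    )
    conn.execute("DELETE FROM jobs")
    conn.executemany(
        "INSERT INTO jobs (title, public) VALUES (?, ?)",
        [("Web developer", 1), ("Payroll clerk (internal only)", 0)],
    )
    conn.commit()
    return conn


def push_to_mirror(internal_conn, mirror_path=MIRROR_DB):
    """One-way replication: the internal side opens the mirror for writing
    and pushes a fresh snapshot outward. The DMZ box never gets a
    connection back into the internal database. Only rows flagged public
    are copied (added design choice), so the DMZ copy never holds data the
    web server has no business serving."""
    mirror = sqlite3.connect(mirror_path)
    mirror.execute("DROP TABLE IF EXISTS jobs")
    mirror.execute("CREATE TABLE jobs (id INTEGER PRIMARY KEY, title TEXT)")
    rows = internal_conn.execute(
        "SELECT id, title FROM jobs WHERE public = 1"
    ).fetchall()
    mirror.executemany("INSERT INTO jobs (id, title) VALUES (?, ?)", rows)
    mirror.commit()
    mirror.close()
    return len(rows)


def open_web_connection(mirror_path=MIRROR_DB):
    """The connection handed to the web application: the file is opened in
    read-only mode, so even a buggy or injected UPDATE cannot touch it."""
    uri = Path(mirror_path).resolve().as_uri() + "?mode=ro"
    conn = sqlite3.connect(uri, uri=True)
    conn.execute("PRAGMA query_only = 1")  # second guard, per connection
    return conn


def web_query(conn, sql, params=()):
    """Run a statement on behalf of the web app. Returns the rows for a
    read, or a ('denied', reason) tuple when the database refuses a write."""
    try:
        return conn.execute(sql, params).fetchall()
    except sqlite3.OperationalError as exc:
        return ("denied", str(exc))


def demo():
    """Walk through push, read and refused write; returns the observations."""
    internal = init_internal_db()
    copied = push_to_mirror(internal)
    web = open_web_connection()
    titles = [row[0] for row in web_query(web, "SELECT title FROM jobs ORDER BY id")]
    write_attempt = web_query(web, "UPDATE jobs SET title = 'changed from the DMZ'")
    # The internal data is untouched whatever happened on the DMZ side.
    internal_rows = internal.execute("SELECT COUNT(*) FROM jobs").fetchone()[0]
    web.close()
    internal.close()
    return {
        "copied": copied,
        "titles": titles,
        "write": write_attempt,
        "internal_rows": internal_rows,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point Glenn makes about being "restricted to read-only" is visible in the result: the web-side connection can list the public rows but its UPDATE is refused by the database itself, not by application code, and the internal table (including the row that was never pushed) is unaffected. If the application genuinely needs to write, this layout forces that traffic through a separate, deliberately designed path rather than through the mirror.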



---------------------------------------
For unsubscribe and other options, including
the Tip Harvester and archive of TheList go to: http://lists.evolt.org
Workers of the Web, evolt ! 