RE: network architecture related to db security - needed

[avishver <yram () netvision net il>]

Hello,

  Pardon my ignorance, I did not fully understand solution no. 3:
   What does "inside a firewall" mean?

  Do you mean a network topology like:

  internet --> firewall --> reverse proxy --> application --> db 

Regards,
Avi
-----Original Message-----
From: Saqib Ali [mailto:docbook.xml () gmail com] 
Sent: Tuesday, November 29, 2005 1:34 AM
To: Bob Ababurko
Cc: security-basics () securityfocus com
Subject: Re: network architecture related to db security - needed

solution 1)
If your DB is relatively small, consider hosting on the same box as
the application. and allow only localhost connections to the DB. make
sure that loopback interface is being used to talk to the DB. the
traffic should not be going over any eth interfaces.

solution 2)
if you want to host your DB on seperate box, make sure traffic is
tunneled through SSH or SSL.

solution 3)
Or you can want to host both the application and the DB inside a
firewall. and use Reverse SSL proxy to allow usert to use the
application. This is the safest option.

solution 4)
A graphical firewall/proxy. Again both the application server and DB
server are hosted inside a firewall, and the user connects using a
grafical firewall/proxy e.g. Citrix.


On 11/27/05, Bob Ababurko <bob () webstakez com> wrote:
> I am trying to figure out the best possible implementation to keep a db
> safe that is going to used as a backend for publicly accessible web
> services (Internet).  What are the better or best ways to protect the db
> from being hacked OR what are the ways that the web machines will access
> them?

In Peace,
Saqib Ali
http://www.xml-dev.com/blog/
"If you stop telling lies about me, I will stop telling the truth about you"