Educause Security Discussion mailing list archives
Re: firewall requirements for applications
From: Joel Rosenblatt <joel () COLUMBIA EDU>
Date: Wed, 1 Sep 2010 14:55:22 -0400
Does the application contain somewhere in the code the password to access the database? Lots of the fat client applications do this, in which case if the bad guys get access to the module, some reverse engineering will give them access to your database server.
Limiting access to the DB will help, but a hop attack (break into a local machine, access from there) may defeat this. If your application requires some type of strong authentication outside of having access to the module, then you could make the case that you have mitigated the risk. Remember to do your security in layers.
Your access to the ERP is most likely protected by strong (or not so strong) authentication. A hack attempt will have to be done against the server and cannot be done offline. This makes a lot more noise that (hopefully) someone will notice.
It's all about the risk :-)
Good luck.
Joel Rosenblatt
Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel
--On Wednesday, September 01, 2010 1:13 PM -0500 "Shalla, Kevin" <kshalla () UIC EDU> wrote:
We have an application that currently is protected by a firewall. The application (Windows executable) resides on a file share, and data on a database server. Managing the firewall for this application causes quite a bit of grief. I recently asked why we needed to keep it behind the firewall, considering that we've got much more confidential data (our main ERP), which is available through any web browser and java to any computer on the Internet. Is there some valid increased security risk to allowing access to a Windows executable versus a java application?