Firewall Wizards mailing list archives
Re: Access to backend systems
From: Jeffery.Gieser () minnesotamutual com
Date: Thu, 19 Oct 2000 16:32:48 -0500
Ellis,

#But nowadays, in the name of eComm, more and more business requires
#their web applications to be able to connect to the back-end systems
#(usually databases), so that they can present real-time production data
#to their customers, (or even worse, allow their customers to enter data
#to the backend systems for processing.

#As fw admin person, an easy way out of this is say "NO, you cannot do
#that" to the business.

If you want to keep a job with this company, the answer NO very rarely flies. Money is the business driver. If doing something makes money, then it will be done. Our job is to minimize risk without losing profit.

#Using proxy firewall with database proxy is not a good solution, in my
#opinion. It seems that there is not much different between a fw
#database proxy and a plug gateway.

The benefit in the application layer proxy for, say, Oracle is that it isn't just opened up to all TCP traffic but only to Oracle traffic using that TCP port.

#1) have you encounter similar situation before?

I think everyone that runs a firewall at a medium-sized company or larger has this problem.

#2) how would you use your resource (firewall and/or other servers) to
#protect it ?

These kinds of issues can be very site specific. I think that a lot of companies have a firewall with a dmz, place the web server in the dmz, and place the database on the internal network. They then allow http/https traffic from the Internet to the dmz and allow Oracle SQLNet traffic from the dmz to the internal network. This may or may not work depending on what kind of risks you are willing to accept and what kind of money you are willing to invest in security. You could also place both the web server and the database in two different dmzs as well. Or you could do something similar to the idea you presented.

Regards,
Jeffery Gieser

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
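The layout described in the message above (http/https from the Internet to the dmz, Oracle SQLNet from the dmz to the internal network) can be written down as a policy and checked against a firewall's permit rules. The following is an added example, not part of the original post; the addresses, the rule format, the `audit` function and the use of the default Oracle listener port 1521 are assumptions made for illustration.

```python
from typing import NamedTuple

# Assumed values, not from the original post: documentation/private addresses
# and the default Oracle listener port (sites often change it).
WEB = "192.0.2.10"   # web server in the DMZ
DB = "10.0.5.20"     # database on the internal network
SQLNET = "1521"

class Rule(NamedTuple):
    """One permit rule; hosts and port are a single value or "any"."""
    src_zone: str
    src_host: str
    dst_zone: str
    dst_host: str
    port: str

# The only flows the described layout needs; anything else is a finding.
POLICY = {
    ("internet", "dmz"): {"src_host": "any", "dst_host": WEB, "port": {"80", "443"}},
    ("dmz", "internal"): {"src_host": WEB, "dst_host": DB, "port": {SQLNET}},
}

def audit(rules):
    """Return (rule_number, reason) for every permit wider than POLICY."""
    findings = []
    for n, r in enumerate(rules, 1):
        want = POLICY.get((r.src_zone, r.dst_zone))
        if want is None:
            findings.append((n, f"{r.src_zone} -> {r.dst_zone} should not be permitted at all"))
            continue
        if r.src_host != want["src_host"]:
            findings.append((n, f"source {r.src_host}, expected {want['src_host']}"))
        if r.dst_host != want["dst_host"]:
            findings.append((n, f"destination {r.dst_host}, expected {want['dst_host']}"))
        if r.port not in want["port"]:
            findings.append((n, f"port {r.port}, expected one of {sorted(want['port'])}"))
    return findings

# Constructed sample ruleset (not taken from any real firewall).
SAMPLE = [
    Rule("internet", "any", "dmz", WEB, "443"),        # HTTPS to the web server
    Rule("dmz", WEB, "internal", DB, SQLNET),          # SQLNet, web server to DB only
    Rule("dmz", "any", "internal", DB, SQLNET),        # any DMZ host may reach the DB
    Rule("dmz", WEB, "internal", DB, "any"),           # all TCP ports to the DB
    Rule("internet", "any", "internal", DB, SQLNET),   # Internet straight to the DB
]

if __name__ == "__main__":
    for number, reason in audit(SAMPLE):
        print(f"rule {number}: {reason}")
```

Rules 3 to 5 of the constructed sample are reported: each one permits more than the web-server-to-database SQLNet flow that the layout requires.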