Firewall Wizards mailing list archives

Re: Access to backend systems


From: Jeffery.Gieser () minnesotamutual com
Date: Thu, 19 Oct 2000 16:32:48 -0500


Ellis,

#But nowadays, in the name of eComm, more and more businesses require
#their web applications to be able to connect to the back-end systems
#(usually databases), so that they can present real-time production data
#to their customers, (or even worse, allow their customers to enter data
#to the backend systems for processing).

#As a fw admin person, an easy way out of this is to say "NO, you cannot do
#that" to the business.

If you want to keep your job with this company, the answer NO very rarely flies.
Money is the business driver. If doing something makes money then it will
be done.  Our job is to minimize risk without losing profit.

#Using a proxy firewall with a database proxy is not a good solution, in my
#opinion. It seems that there is not much difference between a fw
#database proxy and a plug gateway.

The benefit in the application layer proxy for, say, Oracle is that it
isn't just opened up to all TCP traffic but only to Oracle traffic using
that TCP port.

#1) have you encountered a similar situation before?

I think everyone that runs a firewall at a medium sized company or larger
has this problem.

#2) how would you use your resources (firewall and/or other servers) to
#protect it?

These kinds of issues can be very site specific.  I think that a lot of
companies have a firewall with a dmz, place the web server in the dmz, and
place the database on the internal network.  They then allow http/https
traffic from the Internet to the dmz and allow Oracle SQLNet traffic from
the dmz to the internal network.  This may or may not work depending on
what kind of risks you are willing to accept and what kind of money you are
willing to invest in security.  You could also place both the web server
and the database in two different dmzs as well.  Or you could do something
similar to the idea you presented.

Regards,
Jeffery Gieser


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
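
The dmz layout described in the reply above, modeled as an added example that is not part of the original post: a default-deny rule table, a flow check, and an audit for rules that bypass the dmz. The addresses, TCP port 1521 for SQLNet, and the choice to pin the dmz-to-internal rule to single hosts are assumptions of the example.

```python
"""Model of the three-zone layout from the post (constructed example)."""
from ipaddress import ip_address, ip_network

# Constructed addressing: none of these values come from the original post.
ZONES = {
    "dmz": ip_network("192.0.2.0/24"),
    "internal": ip_network("10.0.0.0/8"),
}
WEB = ip_address("192.0.2.10")   # hypothetical web server in the dmz
DB = ip_address("10.1.1.20")     # hypothetical Oracle host on the internal net
SQLNET_PORT = 1521               # assumed listener port (Oracle's usual default)

# (src zone, src host or None, dst zone, dst host or None, allowed TCP ports)
RULES = [
    ("internet", None, "dmz", WEB, {80, 443}),      # http/https to the web server
    ("dmz", WEB, "internal", DB, {SQLNET_PORT}),    # SQLNet, web server to DB only
]

def zone_of(addr):
    """Map an address to its zone; anything unlisted is the Internet."""
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"

def allowed(src, dst, port, rules=RULES):
    """A flow passes only if some rule matches it; no match is default deny."""
    src, dst = ip_address(src), ip_address(dst)
    for szone, shost, dzone, dhost, ports in rules:
        if (zone_of(src) == szone and zone_of(dst) == dzone
                and shost in (None, src) and dhost in (None, dst)
                and port in ports):
            return True
    return False

def audit(rules):
    """Flag rules that weaken the layout: Internet straight to internal,
    or a dmz-to-internal rule that is not pinned to single hosts."""
    findings = []
    for i, (szone, shost, dzone, dhost, _ports) in enumerate(rules):
        if szone == "internet" and dzone == "internal":
            findings.append((i, "internet reaches internal directly"))
        elif szone == "dmz" and dzone == "internal" and None in (shost, dhost):
            findings.append((i, "dmz-to-internal rule not host-specific"))
    return findings
```
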

