Re: Best practice suggestions for SQL and mapped drive t hrough firewall

[George Capehart <capegeo () opengroup org>]

On Friday 01 March 2002 10:53, <stig.ravdal () digitalpaper com> wrote:
> Hi Arkan and thanks for your reponses.  I did get soem useful info from
> that freetds site you provided.
>
> As far as the mapping using NetBIOS is concerned I am open to any other way
> to accomplish the desired result.  Again, the idea is that the web-server
> can access data as if it was locally attached even though the data resides
> on a different server securely behind the firewall - thus the mapping of a
> shared directory.  Because it's a windows-to-windows setup the natural
> choice is NetBIOS over TCP/IP - but again I am open to any solutions that
> are better, more commonly accepted and more secure.

Much better is to have a cgi or whatever in the DMZ talk through the firewall 
to a servlet that accesses the database.  The servlet on the internal network 
should be configured to listen on a specific port that the internal firewall 
can be configured to allow through.  The servlet should require that the cgi 
authenticate itself, and so on . . .

It is *not* a Good Thing (TM) to allow the Web server to "access the data as 
if it was locally attached."  If the Web server can do that, so can I when I 
root the Web server machine . . .

My 0.02

George Capehart

> Thanks,
>
> Stig
>
> > -----Original Message-----
> > From: ark () eltex ru [mailto:ark () eltex ru]
> > Sent: Friday, March 01, 2002 10:16 AM
> > To: stig.ravdal () digitalpaper com
> > Cc: firewall-wizards () nfr com
> > Subject: Re: [fw-wiz] Best practice suggestions for SQL and
> > mapped drive
> > through firewa l
> >
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> >
> > nuqneH,
> >
> > "Ravdal, Stig" <stig.ravdal () digitalpaper com> said :
> > > Hi, I hope that some of you will offer your opinions and
> >
> > experiences on this
> >
> > > question.
> > >
> > > My company is offering an e-commerce solution that uses an
> >
> > MS web server and
> >
> > > MS 2000 SQL database.  In order to keep the data safe it
> >
> > has been decided
> >
> > > that the data and database needs to reside inside a firewall:  The
> > > web-server will be in the DMZ/service network and data and
> >
> > the database are
> >
> > > secured behind the firewall.  Both servers will be Windows
> >
> > 2000 servers.
> >
> > > The big question is how do we best implement this solution
> >
> > so that it works
> >
> > > yet is acceptably safe.
> > > We do not know what the firewall the customer may use so if
> >
> > at all possible
> >
> > > a "universal" and "best practice" solution is what we are
> >
> > looking for.
> >
> > > The proposed solution is to map a drive through the
> >
> > firewall and from what I
> >
> > > can understand it would suffice to open up TCP 139 on the
> >
> > firewall to do
> >
> > > this (using NetBIOS over TCP/IP and ignoring UDP 137/138).
> >
> > Yeah it's not
> >
> > > the most secure and I would appreciate any and all comments
> >
> > as to why one
> >
> > > might NOT want to do this.
> >
> > Just do not (general rule that applies to netbios shares).
> > Why do you want to do that?
> >
> > > Connection to the Database would be using ODBC over TCP
> >
> > port 1433.  I'm not
> >
> > > sure if we can make the client ports static but I think so
> >
> > thus the firewall
> >
> > > would be able to allow incoming connections from
> >
> > "web-server" port <static>
> >
> > > to "database" port 1433 (or we might even suggest using a
> >
> > less well known
> >
> > > port).  I'm not sure what the outbound session may look
> >
> > like but if the
> >
> > > firewall is stateful (and maybe with inspection) that may
> >
> > be less of a
> >
> > > concern.
> >
> > MS SQL runs TDS on 1433. it is, basically, a generic packet
> > exchange over
> > tcp. see www.freetds.org if you want to know what happens inside.
> >
> > It is (quite) firewall-friendly, though sometimes it expects
> > weird things to
> > be like aligning ip and tds packet boundaries. It does not
> > affect functionality
> > but that may affect performance.
> >
> > There are several proxies for tds.
> >
> > > I have also suggested that we look into other ways
> >
> > including Secure FTP or
> >
> > > FTP through SSH, but this may or may not be that easy to accomplish
> > > depending on the customer IT security team and what they
> >
> > are both willing
> >
> > > and comfortable doing.
> >
> > You may run tds over ssl, ssh, ipsec and whatever else you
> > want that does tcp
> > tunneling.
> >
> >                                      _     _  _  _  _      _  _
> >  {::} {::} {::}  CU in Hell          _| o |_ | | _|| |   /
> > _||_|   |_ |_ |_
> >  (##) (##) (##)        /Arkan#iD    |_  o  _||_| _||_| /   _|
> >
> >  | o |_||_||_|
> >
> >  [||] [||] [||]            Do i believe in Bible?
> > Hell,man,i've seen one!
> >
> > -----BEGIN PGP SIGNATURE-----
> > Version: PGP 6.5.1i
> >
> > iQCVAwUBPH+bGKH/mIJW9LeBAQHZHgQAiH0tHYJImw/JktvlpBjvPGJLu9htPUBt
> > 889FL3ZeJsWh/hwiLFj9E1SsssSFOlEQostcUPu2cVDELj4GLy6+3TPHNmETnL51
> > ZbMrBhHxkBm6WVKeHPX8nOI4SHTLqEYVuQ+nsfW614As2kI03Ghs+zauwy9APqlH
> > yirJ1wte3aU=
> > =OxnR
> > -----END PGP SIGNATURE-----
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () nfr com
> http://list.nfr.com/mailman/listinfo/firewall-wizards

-- 
George W. Capehart

Phone:   +1 704 678 1660
Fax:     +1 704 853 2624

"Sometimes you're the windshield, sometimes you're the bug."
 -- Mark Knofler

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards