Firewall Wizards mailing list archives

RE: Securing www server w/Oracle back end.


From: "George J. Jahchan, Eng." <Firewall-Wizards () Compucenter org>
Date: Wed, 9 Apr 2003 11:30:21 +0300

I think I have found the solution, it is from a French company called
NetSecure and the product is NetSecure Web.

My understanding of the scenario is as follows:

WWW server gets moved to the private zone close to the db server and a
NetSecure internal agent gets installed on it or preferably on another
server (requirements are minimal).

An external NetSecure agent gets installed on a stand-alone server in DMZ.

No holes have to be punched through the firewall from DMZ to private zone.
The internal agent polls the external agent for queued requests every second
(this is the default and can be changed). The internal agent performs http
protocol inspection (customizable) and forwards "sanitized" requests to the
real web server which sends its response back through the internal agent to
the external agent and from there to the client.

SSL decryption could occur in an HSM card installed in the server hosting
the internal NetSecure agent. NetSecure internal agent would inspect the
content of http requests after they have been decrypted in HSM.

Theoretically the setup behaves like an air gap between the client and the
web server and is transparent to both. On paper, this looks like a viable
solution.

Look forward to readers' comments.


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
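
The polling arrangement described in the message above, modelled in-process as an added example (not NetSecure code and not part of the original post). All class and function names and the inspection policy are assumptions for illustration; the point is that every call crossing the firewall is initiated by the internal agent.

```python
from collections import deque
from dataclasses import dataclass, field

ALLOWED_METHODS = {"GET", "POST"}   # assumed policy; the post only says "customizable"
MAX_PATH = 256                      # assumed limit

@dataclass
class ExternalAgent:
    """DMZ side: queues client requests and never opens a connection inward."""
    pending: deque = field(default_factory=deque)
    responses: dict = field(default_factory=dict)
    next_id: int = 0

    def client_request(self, raw: str) -> int:
        self.next_id += 1
        self.pending.append((self.next_id, raw))
        return self.next_id

    def drain(self):                       # invoked by the internal agent's poll
        items, self.pending = list(self.pending), deque()
        return items

    def post_response(self, req_id, resp): # also invoked from the inside
        self.responses[req_id] = resp

def inspect(raw: str):
    """Return (method, path) if the request line passes policy, else None."""
    parts = raw.split("\r\n", 1)[0].split(" ")
    if len(parts) != 3:
        return None
    method, path, version = parts
    if method not in ALLOWED_METHODS or version not in ("HTTP/1.0", "HTTP/1.1"):
        return None
    if not path.startswith("/") or len(path) > MAX_PATH or ".." in path:
        return None
    if any(ord(ch) < 0x21 or ord(ch) > 0x7E for ch in path):
        return None
    return method, path

def real_web_server(method, path):         # stand-in for the web server in the private zone
    return f"200 OK {method} {path}"

def poll_once(ext: ExternalAgent, backend=real_web_server) -> int:
    """One polling cycle of the internal agent; returns how many requests were forwarded."""
    forwarded = 0
    for req_id, raw in ext.drain():
        checked = inspect(raw)
        if checked is None:
            ext.post_response(req_id, "400 Bad Request")  # never reaches the backend
        else:
            ext.post_response(req_id, backend(*checked))
            forwarded += 1
    return forwarded
```

Requests sit in the DMZ queue until the next poll, so the polling interval mentioned in the post is added latency on every request.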

