Firewall Wizards mailing list archives
RE: Sources for Extranet Designs?
From: "Marcus J. Ranum" <mjr () ranum com>
Date: Mon, 23 Feb 2004 16:56:59 -0500
Daniel Linder wrote:
Is there such thing as a SQL front end proxy? I would think with more security devices employing "layer 8" (yeech, marketing speak) filtering a SQL security proxy that could be programmed with limits such as databases/tables/columns, number of rows returned, etc this might be a good first line of defense...
Yeah, it's called "Oracle" ;)

The principle behind proxies* is that they:

a) Are minimized (in terms of implementation)
b) Rigorously check for and exclude errors in their input
c) Implement a subset of an application protocol -or- implement an application protocol with the ability to control operations to a subset of the protocol's ops
d) Do so only after a security analyst has spent actual brain-cycles thinking about the implications of allowing that operation through the proxy
e) Log transactions based on operations
f) Ideally are designed to run in a restricted environment if the underlying operating system permits such a thing

For example, the very first firewall toolkit SMTP proxy understood HELO MSG RCPT DATA QUIT and *only* in that *exact* *order*. Downhill. With a tailwind. Other operations were added later but only after considerable thought and discussion.

So, for a database, the thing you'd want to do (ahem) is to implement an API that allowed just the operations that you wanted to allow, and no others. This, of course, is extremely difficult if you're dealing with an app that has been mis-designed along the premise that all SQL operations would be available to the end user. Of course SQL operations are very complex things in and of themselves, etc, etc.

The theory is that by reducing the set of operations to the minimum that is necessary, you've reduced the likelihood that a bad guy can introduce an abnormal sequence of operations or put the server into an unusual state (for example the old guest FTP login disconnect login as root attack) - when your application's potential number of states gets too large it's, by definition, an interactive shell. ;)

The same logic applies at a network level. Once you let too many streams of data through, your firewall is, by definition, a hub.

mjr.
(* Lest we debate the definition of "application proxy" here, I'd like to mention that I coined the term so I probably have no idea how the marketing weenies use the term these days.)