Security Basics mailing list archives
Re: DMZ Web Servers
From: David Glosser <david_glosser () yahoo com>
Date: Mon, 8 Sep 2008 17:48:42 -0700 (PDT)
I apologize if I did sound insulting. It was not my intention. I did forget about the word "basics". I immediately thought of cross-site scripting, sql injection and the like, and imagined yet another web site getting blasted. Again, apologies.

----- Original Message ----
From: Adriel Desautels <adriel () netragard com>
To: David Glosser <david_glosser () yahoo com>
Cc: "Lafosse, Ricardo" <rlafosse () sfwmd gov>; security-basics () securityfocus com
Sent: Monday, September 8, 2008 12:41:40 PM
Subject: Re: DMZ Web Servers

Lafosse,

Suppose that your DMZ is security zone 1, your LAN is zone 2 and the internet is zone 0. By doing what you propose you are literally allowing zone 0 to access zone 2. This reduces the security of zone 2 to the security of zone 0 with respect to trust. Now someone from zone 0 can gain access to zone 2 via SQL Injection, etc, in theory.

Consider creating a database to live in zone 1 and keeping your existing database alive in zone 2 and isolated. Does that make sense?

Btw, Dave, you did sound insulting. This is security basics not 3r33t security ninjas. ;]

Regards,
Adriel T. Desautels
Chief Technology Officer
Netragard, LLC.
Office : 617-934-0269
Mobile : 617-633-3821
http://www.linkedin.com/pub/1/118/a45
Join the Netragard, LLC. Linked In Group: http://www.linkedin.com/e/gis/48683/0B98E1705142
---------------------------------------------------------------
Netragard, LLC - http://www.netragard.com - "We make IT Safe"
Penetration Testing, Vulnerability Assessments, Website Security
Netragard Whitepaper Downloads:
-------------------------------
Choosing the right provider : http://tinyurl.com/2ahk3j
Three Things you must know : http://tinyurl.com/26pjsn

David Glosser wrote:
The fact that you are asking this question means you aren't qualified to do it yourself. I'm not being insulting or condescending, only realistic. With sql injection, Cross-Site Scripting, and other issues, I would hire an expert to properly design and manage the infrastructure 24x7 for you. You don't want your site hacked or your back-end database compromised at 3:00 am one weekend.

Make sure the design includes two layers of firewalls, regular vulnerability scanning/penetration testing, IDS/IPS, and if possible Web Application firewall.

----- Original Message ----
From: "Lafosse, Ricardo"
To: security-basics () securityfocus com
Sent: Friday, September 5, 2008 6:29:24 AM
Subject: DMZ Web Servers

Hello All,

I would like to know any suggestions or ideas how some infrastructures currently setup their Web Servers in the DMZ and connect back to an Oracle or MSSQL backend on the inside. I was thinking of just allowing specific IPs and MACs, but any other help would be greatly appreciated.

Thanks!
Rico
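As an added illustration of the zone argument made in Adriel's reply (this is not code from the thread or from anyone on it), the following Python script models firewall rules as allowed flows between zones and checks which zones an attacker starting on the internet can reach by chaining them. The zone numbering is the one used in the thread; the two rule sets, the port numbers and the attacker model (a reachable host may be compromised and then use every flow its zone permits) are constructed assumptions.

```python
"""Transitive-exposure check for the zone model discussed in the thread.

Zones follow the thread's numbering: 0 = internet, 1 = DMZ, 2 = internal LAN.
A flow (src_zone, dst_zone, port) stands for one firewall rule that permits
traffic. Assumed attacker model: a host in any zone the attacker can reach may
be fully compromised (e.g. SQL injection on the web server) and then
originates every flow its zone is allowed.
"""
from collections import deque

INTERNET, DMZ, LAN = 0, 1, 2
NAME = {INTERNET: "internet", DMZ: "DMZ", LAN: "LAN"}

# Constructed rule sets. 443 = HTTPS to the web server, 1433 = MSSQL default.
# Design asked about in the thread: the web server in the DMZ connects to a
# database that stays on the internal LAN. Limiting that rule to the web
# server's IP does not remove the hop, because the compromised web server is
# exactly that host; a MAC filter does not help either, since a router
# between DMZ and LAN replaces the source MAC with its own.
PROPOSED = [(INTERNET, DMZ, 443), (DMZ, LAN, 1433)]
# The alternative suggested in the thread: the database the web server needs
# lives in the DMZ too, and only the LAN initiates connections into the DMZ.
RECOMMENDED = [(INTERNET, DMZ, 443), (LAN, DMZ, 1433)]


def reachable_zones(flows, start=INTERNET):
    """Breadth-first search over allowed flows.

    Returns {zone: path}, where path lists the (src, dst, port) hops an
    attacker would have to chain to get from `start` into that zone.
    """
    paths = {start: []}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        for src, dst, port in flows:
            if src == zone and dst not in paths:
                paths[dst] = paths[zone] + [(NAME[src], NAME[dst], port)]
                queue.append(dst)
    return paths


def lan_exposed(flows):
    """True if the internal LAN is transitively reachable from the internet."""
    return LAN in reachable_zones(flows)


if __name__ == "__main__":
    for label, flows in (("proposed", PROPOSED), ("recommended", RECOMMENDED)):
        paths = reachable_zones(flows)
        hops = " -> ".join(f"{s}=>{d}:{p}" for s, d, p in paths.get(LAN, []))
        print(f"{label}: LAN exposed={LAN in paths}  path={hops or 'none'}")
```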