Educause Security Discussion mailing list archives

Re: firewall requirements for applications


From: Jason Testart <jatestart () UWATERLOO CA>
Date: Wed, 1 Sep 2010 15:51:42 -0400

Another issue is user accountability.  Assuming the password is embedded
in the exe, what logging/controls do you have on *who* is accessing the
data?  The share at least (hopefully) provides some measure of
user-level access control where the exe file itself likely does not (and
if it does, could be more easily defeated).  You need to really
understand what controls are in place on the database itself, because it
is indeed all about the risk.



On 9/1/2010 2:55 PM, Joel Rosenblatt wrote:
Does the application contain somewhere in the code the password to access the database?

Lots of the fat client applications do this, in which case if the bad guys get access to the module, some reverse engineering will give them access to your database server.

Limiting access to the DB will help, but a hop attack (break into a local machine, access from there) may defeat this.

If your application requires some type of strong authentication outside of having access to the module, then you could make the case that you have mitigated the risk. Remember to do your security in layers.

Your access to the ERP is most likely protected by strong (or not so strong) authentication. A hack attempt will have to be done against the server and cannot be done offline. This makes a lot more noise that (hopefully) someone will notice.

It's all about the risk :-)

Good luck.

Joel Rosenblatt

Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel


--On Wednesday, September 01, 2010 1:13 PM -0500 "Shalla, Kevin" <kshalla () UIC EDU> wrote:

We have an application that currently is protected by a firewall.  The
application (Windows executable) resides on a file share, and data on a
database server.  Managing the firewall for this application causes quite
a bit of grief.  I recently asked why we needed to keep it behind the
firewall, considering that we've got much more confidential data (our main
ERP), which is available through any web browser and java to any computer
on the Internet.  Is there some valid increased security risk to allowing
access to a Windows executable versus a java application?






--
Jason A. Testart, BMath               | Voice: +1-519-888-4567 x38393
Manager, IT Security                  | Fax: +1-519-884-4398
Information Systems and Technology    | http://ist.uwaterloo.ca/security
University of Waterloo, Waterloo, Ontario  N2L 3G1 CANADA
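The point Joel and Jason make above (a password baked into a fat-client exe is recoverable with trivial analysis, and the database then has no idea who is really connecting) can be turned into a routine audit check. The following is an added example, not code from the thread or from either university: it pulls printable ASCII and UTF-16LE strings out of a binary image and flags anything that looks like a connection-string credential, reporting values redacted. The sample "executable" bytes are constructed for the demonstration; the key names it looks for (password, pwd, passwd) are a reasonable but assumed set.

```python
import re
import sys
from typing import Dict, List

# Credential keys typically seen in ODBC / OLE DB / JDBC style connection strings.
CRED_KEY = re.compile(r"(?i)\b(password|pwd|passwd)\s*[=:]\s*([^;\s\"']{1,128})")


def extract_strings(data: bytes, min_len: int = 6) -> List[str]:
    """Return printable ASCII and UTF-16LE strings of at least min_len characters.
    UTF-16LE is included because Windows executables often store wide strings,
    which a plain ASCII strings pass would miss."""
    found = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        found.append(m.group().decode("ascii"))
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        found.append(m.group().decode("utf-16-le"))
    return found


def find_embedded_credentials(data: bytes) -> List[Dict[str, str]]:
    """Scan a binary image for connection-string credentials.
    The secret is redacted in the report so the audit log does not leak it."""
    hits = []
    for s in extract_strings(data):
        for m in CRED_KEY.finditer(s):
            secret = m.group(2)
            hits.append({
                "key": m.group(1).lower(),
                "context": s[:80],
                "value_redacted": secret[0] + "*" * (len(secret) - 1),
            })
    return hits


# Constructed stand-in for a fat-client exe: a fake MZ header, an ASCII connection
# string, a UTF-16LE connection string, and an unrelated resource string.
SAMPLE_EXE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"Server=dbhost;Database=grades;User Id=app;Password=S3cretPw;"
    + b"\x00" * 8
    + "Data Source=dbhost;Uid=app;Pwd=Wide!Secret".encode("utf-16-le")
    + b"\x00" * 8 + b"ShowHelpDialog\x00"
)

if __name__ == "__main__":
    # Pass a real file path to scan it; with no argument the constructed sample is used.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_EXE
    for hit in find_embedded_credentials(blob):
        print(f"{hit['key']}={hit['value_redacted']}  in: {hit['context']}")
```

Any hit means the database sees one shared identity for every user of the share, which is exactly the accountability gap Jason describes; the fix is per-user authentication to the database (or an authenticated middle tier), not a better-hidden string.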

