Firewall Wizards mailing list archives

Protecting Web Access to a FoxPro Database


From: "Bruce B. Platt" <bbp () comport com>
Date: Wed, 16 Dec 1998 16:51:16 -0500

Perhaps your combined experience can suggest some alternatives to me.

I had a rather involved discussion today with a company who does
web-hosting and site design.  They have designed a web-site for a company
whose major application is built around a FoxPro database, which I believe
is not an SQL like transaction oriented database, but rather an evolution
of some of the early PC databases.  I am not a database expert, so please
bear with me on this part.

The problem these folks confronted me with is that they would like to allow
users access from the internet via browser to the database.  According to
them, the way FoxPro works, it must run on the same machine as the
web-server software.  Since they are experienced with FoxPro, I have no
evidence to dispute this yet, until I do some research.  Their statement is
that a query and a write to a FoxPro database requires reading and writing
database blocks from the FoxPro engine itself, not a separate transaction
engine.

Here, writes to the database occur very frequently from LAN connected
users, while reads can occur from both LAN users and Internet browsers.
Replication of the database from a LAN-only version of the database to an
Internet accessible version seems inappropriate due to the frequency of
writes and the inability to ensure that a replication has taken place
without a completed write.

If, however, they are correct, the problem of securing the database against
"rogue" or "hostile" browsing activity is somewhat like an earlier
discussion in this list which dealt with how does one use a firewall to
protect the integrity of the database.  

The consensus, in which I participated, was that securing a web-server
behind a firewall which was proxying port 80 traffic was not a great
solution since the web-server could still be attacked through its http
daemon.

In this scenario, where the http daemon is on the same machine as the
database, the risk seems even greater.

I'd appreciate comments on any of the above, as well as the following ways
to secure this site.

1. Use user-name and password basic authentication to allow access.

2. Use port 443 connections so SSL and encryption is enabled while the
user-name and password are in transit.

3. Use the firewall between the internet and the webserver proxying port 80
and 443 traffic to the web-server to protect the web-server against attacks
to other ports.

4. Attempt to have the application migrated to an SQL database so db
requests can be proxied.  (unlikely that they will do this).

Comments, please,

Thanks, regards, and Holiday wishes.

Bruce

+--------------------------------------+
Bruce B. Platt, Ph.D.
Comport Consulting Corporation
78 Orchard Street, Ramsey, NJ 07446
Phone: 201-236-0505  Fax: 201-236-1335
bbp () comport com, bruce@ bruce.platt@
