Firewall Wizards mailing list archives
Re: Web server inside the firewall
From: Bennett Todd <bet () mordor net>
Date: Mon, 7 Dec 1998 18:59:20 -0500
I liked almost everything you wrote except:

1998-12-07-11:02:17 Kevin:
> [...] A copy of the SQL data will be stuck on the outside and will be
> updated via FTP from the internal DB server when the need arises. [...]

The machine that receives the data in the DMZ will be better-secured if you were to replace FTP with ssh; ftp is a really distressing protocol to allow in a firewall environment. You can configure ftp send out to be safe, if the machine in question doesn't attempt to do ftp with the outside world; but it's tricky to get right. I'd really say using ssh is safer. And it's liable to be more convenient, too; you can rsync over ssh, or use an ssh in a pipe, more conveniently than you can shove data out via ftp.

One hack I love is letting the local content admins hack on an inside copy, and having them get a separate person, not authorized to update that content, to push it out; that person runs a script that sucks off a copy of the content from the (version-controlled) internal repository, then reviews that private copy, and only after approving it kicks off the command to rsync the DMZ site back up to date, over an ssh connection only they are authorized to establish. Make this "approver" be the same person (or short list of people) who are authorized to issue press releases.

For SQL data, you can either rsync a static dump occasionally, or if you want better speed you can hook up a persistent ssh pipe, and shove the transaction stream down it to do live DB replication.

Oh, besides good crypto authentication and content security, ssh also does nice compression :-).

-Bennett
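The "ssh connection only they are authorized to establish" part of the scheme above can be enforced on the DMZ host itself rather than by policy alone. The script below is an added example and is not code from the original post: a forced-command wrapper bound to the approver's key in authorized_keys, so that key can do nothing on the DMZ web server except receive an rsync push into the content directory. The content path /var/www/htdocs, the wrapper's install path, the key line and the use of a modern key type are assumptions. The whitelist covers the arguments rsync itself sends to the remote side in server mode (`rsync --server <options> . <dest>`); the exact bundled short-option string varies with the rsync version, so run the wrapper once with only the `logger` line in place to see what your client actually sends before tightening the pattern.

```shell
#!/bin/sh
# rsync-only: forced-command wrapper for the approver's ssh key on the DMZ host.
# Added example, not from the original post; paths and key line are assumptions.
#
# authorized_keys entry on the DMZ web server (one line):
#   command="/usr/local/sbin/rsync-only",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAA... approver
#
# The approver pushes the reviewed copy with:
#   rsync -az --delete /path/to/reviewed-copy/ approver@dmz:/var/www/htdocs/
# sshd then runs this wrapper instead of the requested command and passes the
# request in $SSH_ORIGINAL_COMMAND, which for that push looks like:
#   rsync --server -logDtprze.iLsfxC --delete . /var/www/htdocs/

DOCROOT="/var/www/htdocs"   # assumed: the only directory this key may write to

# allow_rsync_cmd CMD
# Returns 0 if CMD is an rsync server invocation that only *receives* files
# into $DOCROOT, 1 for anything else: a shell, scp, an rsync pulling files
# out of the DMZ (--sender), or a write to any other path.
allow_rsync_cmd() {
    cmd=$1
    # The command is exec'd as a word list, never handed to a shell, but
    # refusing shell metacharacters up front keeps the check easy to reason about.
    case "$cmd" in
        *[';&|$()<>`"']*|*\'*|*\\*) return 1 ;;
    esac
    set -f                  # no globbing while splitting on whitespace
    set -- $cmd
    set +f
    [ "${1:-}" = rsync ] && [ "${2:-}" = --server ] || return 1
    shift 2
    # Option tokens: the bundled short-option string and a short list of long
    # options. --sender would make the DMZ the source of the transfer, and any
    # long option not listed (e.g. --rsync-path) is refused.
    while [ $# -gt 0 ]; do
        case "$1" in
            --sender) return 1 ;;
            --delete|--delete-during|--delete-after|--delete-delay|--partial|--numeric-ids) shift ;;
            -[A-Za-z.]*) shift ;;
            --*) return 1 ;;
            *) break ;;
        esac
    done
    # What remains must be exactly ". DEST" with DEST the content directory.
    [ $# -eq 2 ] && [ "$1" = . ] || return 1
    case "$2" in
        "$DOCROOT"|"$DOCROOT"/) return 0 ;;
        *) return 1 ;;
    esac
}

# rsync_only_exec CMD: run CMD if it passes the check, otherwise log and refuse.
rsync_only_exec() {
    if allow_rsync_cmd "$1"; then
        set -f
        exec $1
    fi
    logger -t rsync-only "refused: $1" 2>/dev/null || true
    echo "rsync-only: command not permitted" >&2
    exit 1
}

# Under sshd the forced command replaces whatever the client asked for. With
# no command at all (a plain interactive login attempt) nothing is executed
# and the wrapper simply exits; no shell is ever started for this key.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    rsync_only_exec "$SSH_ORIGINAL_COMMAND"
fi
```

Because the check accepts only a receiving `--server` invocation whose destination is the content directory, the same key cannot be used to copy anything back out of the DMZ or to touch anything outside the document root, and the `no-pty`/`no-*-forwarding` options on the key line close the remaining ssh side channels. The approver's local copy should still come from the version-controlled internal repository as described above; the wrapper only guarantees that whatever lands on the DMZ got there through that one reviewed path.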