Firewall Wizards mailing list archives

Re: web to db access [was RE: ]


From: Kjell Wooding <kwooding () codetalker com>
Date: Fri, 26 Jun 1998 14:22:02 -0600

if the web server is in a dmz (3 legged firewall) then
you could leave the rules base as it is on the firewall and
run a 2nd nic off the web server to the internal lan (or 
direct to the database server via x-over cable into 2nd nic
on that db server)

Bypassing the Firewall is a _BAD_ idea.

Even if your protocol *IS* non-routable, compromising the web server means
compromise of the database server. (A local user can use the NetBEUI protocol
without the need to route.) Adding a second NIC is just begging for a major
firewall bypass.

I would still tend to favor:
* Replicating a snapshot of the data out to an external (DMZ) host (in
situations with little updating), or
* A single (paranoid) firewall rule to connect your web server to the
database server (SQLNet, for example), with reliance on database user
definitions and views to ensure that the web server has access only to the
data it needs (i.e., the view can write a transaction, but not read it).
Internal processes with different user levels would be used for the
processing.
* On some occasions, I've seen stored procedures & user restrictions used
successfully for this purpose. (Data from the web server goes to the stored
proc. The stored proc is the only way the database can be accessed. No read,
no write.)

-kj



--
Kjell Wooding <kwooding () codetalker com>
Codetalker Communications, Inc.

For the latest Infosec News, see http://www.codetalker.com/
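The stored-procedure design from the post above, as an added example that is not part of the original message: a PostgreSQL setup (assumed dialect; the names `webapp`, `orders` and `submit_order` are illustrative) in which the web tier's login can only call one procedure that writes a row, and cannot read the table back.

```sql
-- Added example, not from the original post. PostgreSQL is assumed.
-- Goal: the web server's database login can reach the data only through
-- one stored procedure that inserts, with no direct read or write access.

CREATE ROLE webapp LOGIN PASSWORD 'placeholder-change-me';

-- Table the web tier must write to but never read back.
CREATE TABLE orders (
    id           bigserial   PRIMARY KEY,
    customer_id  integer     NOT NULL,
    amount_cents integer     NOT NULL CHECK (amount_cents > 0),
    submitted    timestamptz NOT NULL DEFAULT now()
);

-- Start from zero: strip the default rights PUBLIC (and thus webapp) has on
-- the schema, then hand back only the ability to resolve names in it.
REVOKE ALL ON SCHEMA public FROM PUBLIC;
GRANT USAGE ON SCHEMA public TO webapp;

-- The single entry point. SECURITY DEFINER runs the body with the owner's
-- privileges, so webapp itself needs no grant on the orders table at all.
-- Pinning search_path keeps a caller from substituting its own objects.
CREATE OR REPLACE FUNCTION submit_order(p_customer integer, p_amount integer)
RETURNS bigint
LANGUAGE sql
SECURITY DEFINER
SET search_path = public
AS $$
    INSERT INTO orders (customer_id, amount_cents)
    VALUES (p_customer, p_amount)
    RETURNING id;
$$;

-- Functions are executable by PUBLIC by default; take that away before
-- granting it to the one role that should have it.
REVOKE ALL ON FUNCTION submit_order(integer, integer) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION submit_order(integer, integer) TO webapp;

-- Verification from the web login's point of view.
SET ROLE webapp;
SELECT submit_order(42, 1999);   -- the sanctioned write path: permitted
SELECT * FROM orders;            -- a direct read: no SELECT grant exists
RESET ROLE;
```

Run the verification block as a superuser or a member of `webapp`; the second SELECT is expected to be refused, which is the property the post's "no read, no write" design depends on.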
