Firewall Wizards mailing list archives
Re: web to db access [was RE: ]
From: Kjell Wooding <kwooding () codetalker com>
Date: Fri, 26 Jun 1998 14:22:02 -0600
> If the web server is in a DMZ (3-legged firewall) then you could leave the rule base as it is on the firewall and run a 2nd NIC off the web server to the internal LAN (or direct to the database server via crossover cable into a 2nd NIC on that DB server).
Bypassing the firewall is a _BAD_ idea. Even if your protocol *IS* non-routable, compromising the web server means compromise of the database server. (A local user can use the NetBEUI protocol without the need to route.) Adding a second NIC is just begging for a major firewall bypass.

I would still tend to favor:

* Replicating a snapshot of the data out to an external (DMZ) host (in situations with little updating), or

* A single (paranoid) firewall rule to connect your web server to the database server (SQL*Net, for example), with reliance on database user definitions and views to ensure that the web server has access only to the data it needs (i.e. the view can write a transaction, but not read it). Internal processes with different user levels would be used for the processing.

* On some occasions, I've seen stored procedures and user restrictions used successfully for this purpose. (Data from the web server goes to the stored proc. The stored proc is the only way the database can be accessed. No read, no write.)

-kj

--
Kjell Wooding <kwooding () codetalker com>
Codetalker Communications, Inc.
For the latest Infosec News, see http://www.codetalker.com/
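The last two options above (a write-only view, and a stored procedure as the only way into the database) are shown below as an added example; it is not part of the original post, and the poster's SQL*Net context was Oracle, whereas this uses PostgreSQL syntax. The database name `webdb`, the role `web_app`, the table `orders`, the view `order_intake` and the function `submit_order` are all illustrative names, not anything from the thread. The idea is the same on any engine: the DMZ web server's database account holds no privilege on the underlying table, only on a narrow entry point that can insert but never read.

```sql
-- Added example, PostgreSQL. All object names are illustrative assumptions.
-- Run as a superuser or the database owner, connected to the database "webdb".

-- The table the web tier must never read or write directly.
CREATE TABLE orders (
    id           bigserial PRIMARY KEY,
    customer     text        NOT NULL,
    amount_cents integer     NOT NULL CHECK (amount_cents > 0),
    received_at  timestamptz NOT NULL DEFAULT now()
);

-- The account the DMZ web server connects as. Password auth is an assumption
-- here; restrict it further in pg_hba.conf to the web server's address.
CREATE ROLE web_app LOGIN PASSWORD 'change-me';

-- Take back the defaults PUBLIC gets: CONNECT/TEMP on the database, and
-- CREATE/USAGE on the public schema. Then grant web_app only what it needs.
REVOKE ALL ON DATABASE webdb FROM PUBLIC;
REVOKE ALL ON SCHEMA public FROM PUBLIC;
GRANT CONNECT ON DATABASE webdb TO web_app;
GRANT USAGE   ON SCHEMA public TO web_app;

-------------------------------------------------------------------------------
-- Option 2 from the post: a view the web tier can write through but not read.
-- A view over a single table with no aggregates is auto-updatable, so INSERTs
-- on the view land in "orders" with the view owner's rights, not web_app's.
-------------------------------------------------------------------------------
CREATE VIEW order_intake AS
    SELECT customer, amount_cents FROM orders;

GRANT INSERT ON order_intake TO web_app;   -- note: no SELECT, no UPDATE, no DELETE

-------------------------------------------------------------------------------
-- Option 3 from the post: a stored procedure as the only way in.
-- SECURITY DEFINER runs the body with the owner's privileges, so web_app needs
-- no privilege on "orders" at all. Pinning search_path stops a caller from
-- planting a same-named object that the definer-privileged body would resolve.
-------------------------------------------------------------------------------
CREATE FUNCTION submit_order(p_customer text, p_amount_cents integer)
RETURNS void
LANGUAGE plpgsql
SECURITY DEFINER
SET search_path = pg_catalog, public
AS $$
BEGIN
    IF p_customer IS NULL OR length(p_customer) = 0 THEN
        RAISE EXCEPTION 'customer is required';
    END IF;
    IF p_amount_cents IS NULL OR p_amount_cents <= 0 THEN
        RAISE EXCEPTION 'amount must be positive';
    END IF;
    INSERT INTO orders (customer, amount_cents) VALUES (p_customer, p_amount_cents);
    -- Deliberately returns nothing: a compromised web server gets no read path.
END;
$$;

-- Functions are EXECUTE-able by PUBLIC by default; revoke that, then grant narrowly.
REVOKE EXECUTE ON FUNCTION submit_order(text, integer) FROM PUBLIC;
GRANT  EXECUTE ON FUNCTION submit_order(text, integer) TO web_app;

-- Verification, run in the same session by switching to the web role:
--   SET ROLE web_app;
--   SELECT submit_order('alice', 1999);                          -- succeeds
--   INSERT INTO order_intake (customer, amount_cents) VALUES ('bob', 500);  -- succeeds
--   SELECT * FROM orders;          -- ERROR: permission denied for table orders
--   SELECT * FROM order_intake;    -- ERROR: permission denied for view order_intake
--   DELETE FROM orders;            -- ERROR: permission denied for table orders
--   RESET ROLE;
```

The check at the end is the part worth keeping in a deployment runbook: log in as the web tier's account and confirm that every read and every direct table write fails. If the application later "needs" a SELECT for convenience, that request should be treated as a change to the trust boundary, not as a grant to add.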
Current thread:
- web to db access [was RE: ] Mark Evans (DSLWLQ) (Jun 25)
- <Possible follow-ups>
- Re: web to db access [was RE: ] Kjell Wooding (Jun 26)
- web to db access [was RE: ] Mark Evans (DSLWLQ) (Jun 28)
- RE: web to db access [was RE: ] Kjell Wooding (Jun 29)