Firewall Wizards mailing list archives

Re: ODBC

From: Technical Incursion Countermeasures <lists () ticm com>
Date: Sun, 10 May 1998 11:48:23

At 05:06 AM 5/8/98 -0700, you wrote:

1998-05-06-16:07:35 Ikoedem Moses:

 I want to pass ODBC  traffic from a webserver in the DMZ to  a database
server in the internal network. What is the right way to do it and what
ports does it uses?


First answer would be easy: _don't_ do it. ODBC is an immature protocol;
security isn't implemented by any vendor I know of. They don't have
strong authentication, nor encryption. The protocol being passed is
open-ended. Don't let it through your firewall. Replicate such data as
the web presence needs out onto a server in the DMZ, perhaps reachable
only by the web server. Don't let that traffic in.


I assume that you are using something like MS SQL Server - you are not
using Access are you? (I hope not). If you are using SQl Server then you
could post your queries to it via SMTP. It takes a little bit of tweaking
to get it to work right (What MS Product doesn't :{) but it means that you
are not opening up anything else in your firewall...

Cheers,

Bret
Technical Incursion Countermeasures 
consulting () bwa net                      http://www.ticm.com/
ph: (+61)(08) 9454 2487(UTC+8 hrs)      fax: (+61)(08) 9454 6042

The Insider - a e'zine on Computer security
http://www.ticm.com/about/insider.html

Current thread:

ODBC Moses, Ikoedem (May 07)
- Re: ODBC Bennett Todd (May 09)
  - Re: ODBC Technical Incursion Countermeasures (May 10)
  - Re: ODBC tqbf (May 10)
    - Re: ODBC Rick Murphy (May 11)
    - Re: ODBC Bennett Todd (May 11)
    - Re: ODBC Rudolf Schreiner (May 13)
- <Possible follow-ups>
- RE: ODBC Stout, William (May 13)