Firewall Wizards mailing list archives
Access to backend systems
From: "Ellis Luk" <e_luk () hotmail com>
Date: Thu, 19 Oct 2000 06:09:25 GMT
What I want to discuss here is not 100% firewall related but it probably concerns most of the firewall wizards here.

Traditionally (sounds like a long time ago), the firewall admin will only allow TCP traffic to get through the firewall, and incoming traffic from the Internet (including the web server on its own DMZ) is not allowed. But nowadays, in the name of eComm, more and more businesses require their web applications to be able to connect to the back-end systems (usually databases), so that they can present real-time production data to their customers (or even worse, allow their customers to enter data to the backend systems for processing).

As a fw admin person, an easy way out of this is to say "NO, you cannot do that" to the business. But for the sake of this discussion, I would like to know if there is a balanced/optimal solution to this (i.e. a balance between doing business and security).

Using a proxy firewall with a database proxy is not a good solution, in my opinion. It seems that there is not much difference between a fw database proxy and a plug gateway.

Another possible alternative I am aware of is using database mirroring/replication to copy data to a dedicated server regularly. Then secure this dedicated server (possibly put this server on the DMZ), and allow the web server to talk to this dedicated DB server only. The drawbacks of this are:

- it is not "real-time"
- if the size of the database is large, it will take a long time to replicate.

I guess my questions are:

1) have you encountered a similar situation before?
2) how would you use your resources (firewall and/or other servers) to protect it?
-- Ellis