Firewall Wizards mailing list archives

Access to backend systems


From: "Ellis Luk" <e_luk () hotmail com>
Date: Thu, 19 Oct 2000 06:09:25 GMT


What I want to discuss here is not 100% firewall related but it probably
concerns most of the firewall wizards here.

Traditionally (sounds like a long time ago), the firewall admin will only
allow TCP traffic to get through the firewall, and incoming traffic
from the Internet (including the web server on its own DMZ) is not allowed.

But nowadays, in the name of eComm, more and more businesses require
their web applications to be able to connect to the back-end systems
(usually databases), so that they can present real-time production data
to their customers (or even worse, allow their customers to enter data
to the backend systems for processing).

As a fw admin person, an easy way out of this is to say "NO, you cannot do
that" to the business.
But for the sake of this discussion, I would like to know if there is a
balanced/optimal solution to this (i.e. balance between doing business
and security).

Using a proxy firewall with a database proxy is not a good solution, in my
opinion. It seems that there is not much difference between a fw
database proxy and a plug gateway.

Another possible alternative I am aware of is using database mirroring /
replication to copy data to a dedicated server regularly. Then secure
this dedicated server (possibly put this server on the DMZ), and allow the
web server to talk to this dedicated DB server only.
The drawbacks of this are:
       - it is not "real-time"
       - if the size of the database is large, it will take a long time to
         replicate.

I guess my questions are:
1) Have you encountered a similar situation before?
2) How would you use your resources (firewall and/or other servers) to protect it?

--
Ellis



_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards

