Firewall Wizards mailing list archives
Re: Securing www server w/Oracle back end.
From: stefmit <stefmit () comcast net>
Date: Sat, 22 Mar 2003 17:42:29 -0600
The way I did it was with a third layer consisting of an Apache with proxy enabled, setup in the DMZ - passing back the requests into the internal web server, which - also internally - would pass on requests to the database server. The Linux is setup with the latest and greatest patches ... and prone to be taken out if any intrusion is detected, without any impact to the internal users (who would still access the "real" web server). One thing I was able to address with this was SQL injection (see NGGSoftware's papers about it) - which would fail because of the redirection (i.e. even if new SQL injection flaws would be discovered in Oracle, they would still fail, as the "real" web server is "hidden" ... Another obvious thing addressed was that the "real" web server would be inaccessible from outside, of course (the only system allowed to come "through" the firewall into its SSL-enabled services being the Linux/Apache proxy). HTH, Stef On Tuesday 18 March 2003 10:36 am, m p wrote:
--- Georges Jahchan <georges.jahchan () balamand edu lb> schrieb:I have been assigned the task of planning the security setup for a (to be deployed) online system consisting of a publicly accessible web server front-end (https), with an Oracle 9i back-end database. Both run on IBM RS/6000 platform w/64-bit AIX O/S). The scenario where the web server would be placed in DMZ and the database server in a restricted private zone, with holes punched through the firewall between DMZ and private zones is a dangerous proposition. Any suggestions regarding securing such a setup are welcome.ok, you have an application in an unsecure environment which has to access a database with sensible data. From my point of view you have some principle options for the setup: (r/w-database) 1) One DMZ and both the webserver and the database server inside - firewall rules denies access to the database server 2) One DMZ for the web server and a private DMZ for the database server - the firewall will only allow traffic in between over the oracle ports 3) like 2) but with a proxy in between that checks the SQLNet protokoll and is secured against buffer overflows - but that proxy does not exist iirc. 4) a dmz with the web-server and the database server intern 5) same like 4 but with the proxy From all of those 2 and 3 are those which I would build myself. Of course you have to harden both the application and the webserver and enable as much auditing as you can (and monitor the machines permanently - automatic preferred). And - the most important thing - let the managers (and your customer) sign a paper that you are allowed to patch the server as fast as possible (even in the middle of the day) if there are major security patches issued from the vendors (like the SQLNet/listener bugs which showed up last year in Oracle more than once). If you do it right, nothing should happen. Hope that helps Marc __________________________________________________________________ Gesendet von Yahoo! Mail - http://mail.yahoo.de Bis zu 100 MB Speicher bei http://premiummail.yahoo.de _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Securing www server w/Oracle back end. Georges Jahchan (Mar 18)
- RE: Securing www server w/Oracle back end. Ben Nagy (Mar 18)
- Re: Securing www server w/Oracle back end. m p (Mar 18)
- Re: Securing www server w/Oracle back end. stefmit (Mar 22)