Firewall Wizards mailing list archives

A few sql 2000 related questions


From: "Foley, Denys" <Denys.Foley () xerox com>
Date: Sun, 13 Feb 2005 13:01:28 -0500

One proposal I have is the following:

inet-->IPS-->fw->dmz (ssl) web server->fw->(ssl)sql server->vpn(with
acls)->back office fw dmz->(ssl)back office feeder servers

comments?

The other proposal is:

inet-->IPS-->fw->(ssl) inverse proxy->fw->(ssl) web server ->(ssl)sql
server->vpn(with acls)->back office fw dmz->(ssl)back office feeder servers

comments?


The problem with your two proposals is that the IPS is only able to see SSL-encrypted packets. It will never see most attacks that are targeted at the application. You need to have another IPS sensor inside the DMZ and yet another in your backend area.

The sensor outside your FW will be sounding alerts non-stop all day and all night. You should log them and review them, but don't get too excited.

The one inside your DMZ is a bit more important and will not trigger as often; these alerts need attention. Most attacks against web servers that are running SSL will not be seen until the server is compromised and it starts behaving in an unusual manner.

The sensor that is back in your secure zone should be fairly quiet. When it goes off you do want to react, and react fast. This one should go to your pager and wake you up in the middle of the night.

Host-based IDS systems will catch attacks on individual servers running SSL. You can run both network IDS and host IDS, and it is not the same level of paranoia as wearing a belt and suspenders.



Denys Foley               
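The three-sensor layout in the reply implies a triage policy: the same signature means something different depending on which zone's sensor raised it. The script below is an added example, not from the post or the list; the sensor names, zones, alert line format and the sample alerts are all constructed for illustration. It parses alert lines, maps each sensor to its zone, and routes alerts to "log", "review" or "page", so an identical signature seen outside the firewall is only counted, while the same signature seen by the back-office sensor pages on-call.

```python
"""
Zone-aware routing of network IDS alerts (added example, constructed data).

Sensor names, zones, the alert line format and SAMPLE_ALERTS are all
assumptions made for this illustration, not output of any real product.
"""
import re
from collections import Counter

# Where each sensor sits in the layout from the post: outside the firewall,
# inside the DMZ, or in the back-office secure zone. (Constructed names.)
SENSOR_ZONES = {
    "ips-outside": "outside",
    "ips-dmz": "dmz",
    "ips-backoffice": "internal",
}

# Handling per zone: outside alerts are logged for periodic review, DMZ
# alerts need a person to look at them, secure-zone alerts page on-call.
ZONE_ACTION = {
    "outside": "log",
    "dmz": "review",
    "internal": "page",
}

# Constructed line format: "<timestamp> <sensor> <src>-><dst> <signature>"
ALERT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<sensor>\S+) (?P<src>[\d.]+)->(?P<dst>[\d.]+) (?P<sig>.+)$"
)


def parse_alert(line):
    """Return a dict for one alert line, or None if the line is malformed."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    alert = m.groupdict()
    alert["zone"] = SENSOR_ZONES.get(alert["sensor"], "unknown")
    return alert


def route_alert(alert):
    """Map a parsed alert to an action by the zone of the sensor that raised it.

    An unknown sensor name indicates a misconfiguration, so it is escalated
    rather than silently dropped.
    """
    return ZONE_ACTION.get(alert["zone"], "page")


def triage(lines):
    """Parse alert lines and bucket (sensor, signature) pairs by action."""
    routed = {"log": [], "review": [], "page": []}
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue  # skip garbage lines instead of crashing the triage run
        routed[route_alert(alert)].append((alert["sensor"], alert["sig"]))
    return routed


def summarize_logged(routed):
    """Collapse the noisy outside-sensor alerts into per-signature counts."""
    return Counter(sig for _sensor, sig in routed["log"])


# Constructed sample alerts: the same SQL signature fires in the DMZ and in
# the back office, and the outside sensor produces repetitive web noise.
SAMPLE_ALERTS = [
    "2005-02-13T13:01:28 ips-outside 203.0.113.5->192.0.2.10 WEB generic scanner request",
    "2005-02-13T13:01:29 ips-outside 203.0.113.9->192.0.2.10 WEB generic scanner request",
    "2005-02-13T13:05:02 ips-dmz 192.0.2.10->192.0.2.20 SQL overflow attempt",
    "2005-02-13T13:07:44 ips-backoffice 192.0.2.20->10.0.0.5 SQL overflow attempt",
    "this line is not an alert",
    "2005-02-13T13:08:00 ips-backoffice 10.0.0.5->203.0.113.77 unexpected outbound connection",
]

if __name__ == "__main__":
    result = triage(SAMPLE_ALERTS)
    for action in ("page", "review", "log"):
        for sensor, sig in result[action]:
            print(f"{action:6} {sensor:15} {sig}")
    print("logged counts:", dict(summarize_logged(result)))
```

The unparseable line is skipped rather than aborting the run, and an alert from a sensor that is not in the zone table is escalated, since a sensor you forgot to register is exactly the one whose alerts you do not want dropped on the floor.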
 


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
