Re: Cisco ASA firewall: SQLnet inspection: buffer limit

[Morrow Long <morrow.long () yale edu>]

On Jan 15, 2009, at 2:45 PM, Chuck Swiger wrote:
> The typical solution to accessing a database behind a firewall is to 
> set up a VPN connection, and not to disable the firewall.
>
> Permitting the entire Internet to access your database means you are 
> trusting Oracle's security.  Even if you don't care about the 
> integrity of your data, you'd also put the machine running Oracle 
> itself at risk of compromise as well:

But what about the case where a web server on the DMZ network and 
interface on a 3 (or more) interface
firewall accesses an Oracle database server which is located on a 
higher security level network protected
by a different interface on the same firewall?

The SQL query will also have to go through the firewall to go from the 
DMZ WWW server to the DB server --
I don't believe most experts would argue that the WWW server should 
build a VPN connection to the
database server on the more secure network.  In most cases you do not 
want the public facing Web server
to have unrestricted access to all of the ports on the DB server nor 
unrestricted access to the network it is on.

Morrow

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards