Database lookups across firewall

Ryan Russell ryanr@sybase.com
Tue, 16 Jun 1998 09:38:28 -0700


1) I don't see the extra protection in the second machine,
assuming they're both on the DMZ.  If you're saying that the second
machine is inside, then that's worse, as you now have a web server
on the DMZ able to execute CGI on an inside machine.

2) Really, really bad.  Don't do this.  When the web server gets
compromised,
it has full access to the inside because it's inside.

3) This is the choice I usually pick, if it's workable in your situation.
Let
me be a bit more specific, though.  My favorite setup is to have an
inside machine replicate/push the needed data out to the DMZ
machine.  Once it's there, the web server just does local lookups.
This way, the inside machine gets to control when the connection
is up, and acts as a client, reducing risk somewhat.  One reason this
arrangement wouldn't be workable is if the data gets updated too often
to replicate.

and I'll add one:

4) Allow the DMZ web server to do your favorite flavor of SQL lookup
to an inside databse server.  This has the advantage that the data
is always up to date, and changes are reflected immediatly.

Number 4 is my second choice.

In any of the situations, what you're trying to protect is the database
contents.
If you have a DMZ server that has access to the data, and that server
gets compromised, then the attacker has the data.  There is no way
around that.  In situation number 3, they have only the data that's on the
server, and hopefully you've kept the minimum amount possible out there.
In situation number 4, they have access to possibly all the data on the
whole database server, assuming there is more than just the stuff the
web app uses.  Depending on your firewall structure, they may also
have part of a hole to the inside to play with.

                         Ryan






"Rick Horne" <rick_horne@hotmail.com> on 06/15/98 09:21:36 AM

Please respond to "Rick Horne" <rick_horne@hotmail.com>

To:   firewall-wizards@nfr.net
cc:    (bcc: Ryan Russell/SYBASE)
Subject:




Hello,
     I'm looking for information on the best way to allow our web server to
access an internal database.  We are beginning an Internet commerce
site.  I've heard of several techniques:
1) The web server has wrapper/stub cgi programs that call cgi routines
on a second external box that has permission to cross the firewall
(a.k.a. a cgi reflector)
2) Move the web server inside and proxy it out to the Internet.
3) Export database to external server and allow web server to hit that
db.

I know that many thousands of companies are doing commerce but I've been
unable to find a best practices document or other such info.

Thanks in advance for any comments, info, or pointers to where I can
find some info.

Rick



______________________________________________________
Get Your Private, Free Email at http://www.hotmail.com


Received: from tunnel.sybase.com ([130.214.231.88]) by ibwest.sybase.com
(Lotus SMTP MTA v4.6.1  (569.2 2-6-1998)) with SMTP id 88256625.0023B254;
Mon, 15 Jun 1998 23:29:54 -0700
Received: from smtp1.sybase.com (smtp1 [130.214.220.35])
          by tunnel.sybase.com (8.8.4/8.8.4) with SMTP
       id XAA18742; Mon, 15 Jun 1998 23:27:38 -0700 (PDT)
Received: from inergen.sybase.com by smtp1.sybase.com
(4.1/SMI-4.1/SybH3.5-030896)
     id AA02566; Mon, 15 Jun 98 23:27:38 PDT
Received: from nfr.net (tower.nfr.net [208.196.145.10])
          by inergen.sybase.com (8.8.4/8.8.4) with ESMTP
       id XAA17370; Mon, 15 Jun 1998 23:29:01 -0700 (PDT)
Received: (from lists@localhost)
     by nfr.net (8.8.8/8.8.8) id VAA00073
     for firewall-wizards-outgoing; Mon, 15 Jun 1998 21:08:25 -0500 (CDT)
Received: (from fwiz@localhost)
     by nfr.net (8.8.8/8.8.8) id VAA00063
     for firewall-wizards@nfr.net; Mon, 15 Jun 1998 21:08:18 -0500 (CDT)
Received: from hotmail.com (f33.hotmail.com [207.82.250.44])
     by nfr.net (8.8.8/8.8.8) with SMTP id LAA26887
     for <firewall-wizards@nfr.net>; Mon, 15 Jun 1998 11:17:55 -0500 (CDT)
Received: (qmail 4009 invoked by uid 0); 15 Jun 1998 16:21:37 -0000
Message-Id: <19980615162137.4008.qmail@hotmail.com>
Received: from 161.156.101.7 by www.hotmail.com with HTTP;
     Mon, 15 Jun 1998 09:21:36 PDT
X-Originating-Ip: [161.156.101.7]
From: "Rick Horne" <rick_horne@hotmail.com>
To: firewall-wizards@nfr.net
Content-Type: text/plain
Date: Mon, 15 Jun 1998 09:21:36 PDT
Sender: owner-firewall-wizards@nfr.net
Precedence: bulk
Reply-To: "Rick Horne" <rick_horne@hotmail.com>