Re: [fw-wiz] Securing www server w/Oracle back end.

From: m p (sumirati@yahoo.de)
Date: 03/18/03

    From: m p <sumirati@yahoo.de>
    To: GJahchan@Balamand.edu.lb, Firewall Wizards <Firewall-Wizards@Honor.ICSAlabs.com>
    Date: Tue, 18 Mar 2003 17:36:20 +0100 (CET)
    

     --- Georges Jahchan <georges.jahchan@balamand.edu.lb> wrote:
    > I have been assigned the task of planning the security setup for a (to
    > be deployed) online system consisting of a publicly accessible web
    > server front-end (https), with an Oracle 9i back-end database. Both run
    > on IBM RS/6000 platform w/64-bit AIX O/S.
    >
    > The scenario where the web server would be placed in DMZ and the
    > database server in a restricted private zone, with holes punched through
    > the firewall between DMZ and private zones is a dangerous proposition.
    >
    > Any suggestions regarding securing such a setup are welcome.
    >

    OK, you have an application in an insecure environment which has to access a
    database with sensitive data.

    From my point of view you have some principal options for the setup:

    (r/w-database)
    1) One DMZ with both the web server and the database server inside - firewall
    rules deny access to the database server
    2) One DMZ for the web server and a private DMZ for the database server - the
    firewall will only allow traffic in between over the Oracle ports
    3) Like 2) but with a proxy in between that checks the SQLNet protocol and is
    secured against buffer overflows - but that proxy does not exist iirc.
    4) A DMZ with the web server and the database server internal
    5) Same as 4) but with the proxy

    Of all of those, 2 and 3 are the ones I would build myself.

    Of course you have to harden both the application and the webserver and enable
    as much auditing as you can (and monitor the machines permanently - automatic
    preferred).

    And - the most important thing - let the managers (and your customer) sign a
    paper that you are allowed to patch the server as fast as possible (even in the
    middle of the day) if there are major security patches issued by the vendors
    (like the SQLNet/listener bugs which showed up last year in Oracle more than
    once).

    If you do it right, nothing should happen.

    Hope that helps

    Marc
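
Added example (not part of the original post): a small Python model of options 1 and 2 above, showing which database ports the web server host can reach in each layout. The zone names, the sample port list and the listener port 1521 (Oracle's default) are assumptions; the post names none of them.

```python
# Constructed model for illustration; not a real firewall configuration.
LISTENER_PORT = 1521          # assumed: Oracle Net listener default port
SAMPLE_DB_PORTS = [22, 23, LISTENER_PORT]  # constructed: services on the DB host

# Which network zone each host sits in under the two layouts.
LAYOUTS = {
    "option_1": {"web": "dmz", "db": "dmz"},          # one shared DMZ
    "option_2": {"web": "web_dmz", "db": "db_dmz"},   # separate DMZ per server
}

# First-match firewall rules: (source host, destination host, port, action).
# Anything that crosses the firewall and matches no rule is denied.
RULES = [
    ("internet", "web", 443, "allow"),            # public HTTPS front end
    ("web", "db", LISTENER_PORT, "allow"),        # only the Oracle listener
]


def decide(layout, src, dst, port, rules=RULES):
    """Return 'unfiltered', 'allow' or 'deny' for a connection src -> dst:port."""
    zones = dict(layout, internet="internet")
    if zones[src] == zones[dst]:
        # Same segment: the packets never pass through the firewall at all.
        return "unfiltered"
    for r_src, r_dst, r_port, action in rules:
        if (r_src, r_dst, r_port) == (src, dst, port):
            return action
    return "deny"


def reachable_db_ports(layout, src, ports=SAMPLE_DB_PORTS):
    """Ports on the database host that src can connect to in this layout."""
    return [p for p in ports if decide(layout, src, "db", p) != "deny"]


if __name__ == "__main__":
    for name, layout in LAYOUTS.items():
        print(name, "web ->", reachable_db_ports(layout, "web"),
              "| internet ->", reachable_db_ports(layout, "internet"))
```

In option 1 the firewall keeps the internet away from the database, but everything on the database host stays reachable from the web server; in option 2 only the listener port is.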
