Re: [fw-wiz] Securing www server w/Oracle back end.

From: stefmit (stefmit@comcast.net)
Date: 03/23/03

    From: stefmit <stefmit@comcast.net>
    To: Firewall Wizards <Firewall-Wizards@Honor.ICSAlabs.com>
    Date: Sat, 22 Mar 2003 17:42:29 -0600
    

    The way I did it was with a third layer consisting of an Apache with proxy
    enabled, set up in the DMZ - passing back the requests into the internal web
    server, which - also internally - would pass on requests to the database
    server. The Linux is set up with the latest and greatest patches ... and prone
    to be taken out if any intrusion is detected, without any impact to the
    internal users (who would still access the "real" web server). One thing I
    was able to address with this was SQL injection (see NGSSoftware's papers
    about it) - which would fail because of the redirection (i.e. even if new SQL
    injection flaws would be discovered in Oracle, they would still fail, as the
    "real" web server is "hidden") ... Another obvious thing addressed was that
    the "real" web server would be inaccessible from outside, of course (the only
    system allowed to come "through" the firewall into its SSL-enabled services
    being the Linux/Apache proxy).

    HTH,
    Stef

    On Tuesday 18 March 2003 10:36 am, m p wrote:
    > --- Georges Jahchan <georges.jahchan@balamand.edu.lb> wrote:
    > > I have been assigned the task of planning the security setup for a (to
    > > be deployed) online system consisting of a publicly accessible web
    > > server front-end (https), with an Oracle 9i back-end database. Both run
    > > on IBM RS/6000 platform (w/64-bit AIX O/S).
    > >
    > > The scenario where the web server would be placed in DMZ and the
    > > database server in a restricted private zone, with holes punched through
    > > the firewall between DMZ and private zones is a dangerous proposition.
    > >
    > > Any suggestions regarding securing such a setup are welcome.
    >
    > ok, you have an application in an insecure environment which has to access
    > a database with sensitive data.
    >
    > From my point of view you have some principal options for the setup:
    >
    > (r/w-database)
    > 1) One DMZ and both the webserver and the database server inside - firewall
    > rules deny access to the database server
    > 2) One DMZ for the web server and a private DMZ for the database server -
    > the firewall will only allow traffic in between over the Oracle ports
    > 3) like 2) but with a proxy in between that checks the SQLNet protocol and
    > is secured against buffer overflows - but that proxy does not exist iirc.
    > 4) a DMZ with the web server and the database server internal
    > 5) same as 4 but with the proxy
    >
    > Of all of those, 2 and 3 are the ones which I would build myself.
    >
    > Of course you have to harden both the application and the webserver and
    > enable as much auditing as you can (and monitor the machines permanently -
    > automatic preferred).
    >
    > And - the most important thing - let the managers (and your customer) sign
    > a paper that you are allowed to patch the server as fast as possible (even
    > in the middle of the day) if there are major security patches issued from
    > the vendors (like the SQLNet/listener bugs which showed up last year in
    > Oracle more than once).
    >
    > If you do it right, nothing should happen.
    >
    > Hope that helps
    >
    > Marc

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
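
The DMZ proxy layer described in the message above, sketched as an Apache reverse-proxy virtual host. This is an added example, not the poster's configuration: it assumes Apache 2.4 with mod_ssl, mod_proxy and mod_proxy_http loaded, and the host names, certificate paths and the `/app/` path are placeholders.

```apache
# Added illustration only. www.example.org, web-internal.example.lan,
# the certificate paths and /app/ are placeholders (assumptions).
<VirtualHost *:443>
    ServerName www.example.org

    # TLS towards Internet clients terminates on the DMZ proxy.
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/www.example.org.crt
    SSLCertificateKeyFile /etc/apache2/ssl/www.example.org.key

    # Reverse proxy only: never relay arbitrary URLs for clients.
    ProxyRequests Off
    TraceEnable off

    # Re-encrypt towards the internal ("real") web server. This is the
    # single flow the inner firewall has to permit: proxy address to
    # the internal server on TCP 443.
    SSLProxyEngine on

    # Publish only the application path. Requests for any other path
    # are answered by the proxy itself and never reach the inside.
    ProxyPass        /app/ https://web-internal.example.lan/app/
    ProxyPassReverse /app/ https://web-internal.example.lan/app/

    # Refuse methods the application does not need.
    <Location /app/>
        <LimitExcept GET POST>
            Require all denied
        </LimitExcept>
    </Location>

    # The proxy relays query strings and request bodies as received;
    # the path and method limits above are the only filtering this
    # fragment performs.
    ErrorLog  /var/log/apache2/proxy_error.log
    CustomLog /var/log/apache2/proxy_access.log combined
</VirtualHost>
```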

