Re: [fw-wiz] Securing www server w/Oracle back end.
From: stefmit (email@example.com)
From: stefmit <firstname.lastname@example.org> To: Firewall Wizards <Firewall-Wizards@Honor.ICSAlabs.com> Date: Sat, 22 Mar 2003 17:42:29 -0600
The way I did it was with a third layer consisting of an Apache with proxy
enabled, setup in the DMZ - passing back the requests into the internal web
server, which - also internally - would pass on requests to the database
server. The Linux is setup with the latest and greatest patches ... and prone
to be taken out if any intrusion is detected, without any impact to the
internal users (who would still access the "real" web server). One thing I
was able to address with this was SQL injection (see NGGSoftware's papers
about it) - which would fail because of the redirection (i.e. even if new SQL
injection flaws would be discovered in Oracle, they would still fail, as the
"real" web server is "hidden" ... Another obvious thing addressed was that
the "real" web server would be inaccessible from outside, of course (the only
system allowed to come "through" the firewall into its SSL-enabled services
being the Linux/Apache proxy).
On Tuesday 18 March 2003 10:36 am, m p wrote:
> --- Georges Jahchan <email@example.com> schrieb:
> > I have been assigned the task of planning the security setup for a (to
> > be deployed) online system consisting of a publicly accessible web
> > server front-end (https), with an Oracle 9i back-end database. Both run
> > on IBM RS/6000 platform w/64-bit AIX O/S).
> > The scenario where the web server would be placed in DMZ and the
> > database server in a restricted private zone, with holes punched through
> > the firewall between DMZ and private zones is a dangerous proposition.
> > Any suggestions regarding securing such a setup are welcome.
> ok, you have an application in an unsecure environment which has to access
> a database with sensible data.
> From my point of view you have some principle options for the setup:
> 1) One DMZ and both the webserver and the database server inside - firewall
> rules denies access to the database server
> 2) One DMZ for the web server and a private DMZ for the database server -
> the firewall will only allow traffic in between over the oracle ports
> 3) like 2) but with a proxy in between that checks the SQLNet protokoll and
> is secured against buffer overflows - but that proxy does not exist iirc.
> 4) a dmz with the web-server and the database server intern
> 5) same like 4 but with the proxy
> From all of those 2 and 3 are those which I would build myself.
> Of course you have to harden both the application and the webserver and
> enable as much auditing as you can (and monitor the machines permanently -
> automatic preferred).
> And - the most important thing - let the managers (and your customer) sign
> a paper that you are allowed to patch the server as fast as possible (even
> in the middle of the day) if there are major security patches issued from
> the vendors (like the SQLNet/listener bugs which showed up last year in
> Oracle more than once).
> If you do it right, nothing should happen.
> Hope that helps
> Gesendet von Yahoo! Mail - http://mail.yahoo.de
> Bis zu 100 MB Speicher bei http://premiummail.yahoo.de
> firewall-wizards mailing list
firewall-wizards mailing list