RE: [fw-wiz] Sources for Extranet Designs?
From: Marcus J. Ranum (mjr_at_ranum.com)
Date: 02/23/04
- Previous message: Jim Seymour: "RE: [fw-wiz] Sources for Extranet Designs?"
- In reply to: Daniel Linder: "RE: [fw-wiz] Sources for Extranet Designs?"
- Next in thread: Marcus J. Ranum: "RE: [fw-wiz] Sources for Extranet Designs?"
- Reply: Marcus J. Ranum: "RE: [fw-wiz] Sources for Extranet Designs?"
- Reply: Dragos Ruiu: "Re: [fw-wiz] Sources for Extranet Designs?"
To: dan@linder.org, "Baumann, Sean C." <Sean.Baumann@celera.com>
Date: Mon, 23 Feb 2004 16:56:59 -0500
Daniel Linder wrote:
>Is there such thing as a SQL front end proxy? I would think with more
>security devices employing "layer 8" (yeech, marketing speak) filtering a
>SQL security proxy that could be programmed with limits such as
>databases/tables/columns, number of rows returned, etc this might be a
>good first line of defense...
Yeah, it's called "Oracle" ;)
The principle behind proxies* is that they:
a) Are minimized (in terms of implementation)
b) Rigorously check for and exclude errors in their input
c) Implement a subset of an application protocol
-or-
Implement an application protocol with the ability to control
operations to a subset of the protocol's ops
d) Does so only after a security analyst has spent actual
brain-cycles thinking about the implications of
allowing that operation through the proxy
e) Log transactions based on operations
f) Ideally are designed to run in a restricted environment
if the underlying operating system permits such a
thing
For example, the very first firewall toolkit SMTP proxy understood
HELO
MSG
RCPT
DATA
QUIT
and *only* in that *exact* *order*. Downhill. With a tailwind. Other operations
were added later but only after considerable thought and discussion.
So, for a database, the thing you'd want to do (ahem) is to implement an
API that allowed just the operations that you wanted to allow, and no
others. This, of course, is extremely difficult if you're dealing with an
app that has been mis-designed along the premise that all SQL operations
would be available to the end user. Of course SQL operations are very
complex things in and of themselves, etc, etc.
The theory is that by reducing the set of operations to the minimum
that is necessary, you've reduced the likelihood that a bad guy can
introduce an abnormal sequence of operations or put the server into
an unusual state (for example the old guest FTP login disconnect
login as root attack) - when your application's potential number of
states gets too large it's, by definition, an interactive shell. ;) The
same logic applies at a network level. Once you let too many
streams of data through, your firewall is, by definition, a hub.
mjr.
(* Lest we debate the definition of "application proxy" here, I'd like
to mention that I coined the term so I probably have no idea how
the marketing weenies use the term these days.)
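As an added illustration (not the firewall toolkit's code, and not part of the original post): a minimal filter that models the rule described above, forwarding only HELO, MSG, RCPT, DATA, QUIT in exactly that order, checking each argument before forwarding, and logging per operation. The argument patterns, the sample sessions and the "MSG" spelling follow the post rather than any real SMTP implementation.

```python
import logging
import re

log = logging.getLogger("smtp-proxy")

# The only operations forwarded, in the only order accepted (as the post
# describes; "MSG" is kept as written there). Constructed model, not toolkit code.
ALLOWED_SEQUENCE = ("HELO", "MSG", "RCPT", "DATA", "QUIT")

# Per-operation argument checks: anything that does not match is an input
# error and is rejected instead of being passed to the real server.
ARG_RULES = {
    "HELO": re.compile(r"^[A-Za-z0-9.-]{1,253}$"),
    "MSG":  re.compile(r"^FROM:<[^\s<>@]{1,64}@[A-Za-z0-9.-]{1,253}>$"),
    "RCPT": re.compile(r"^TO:<[^\s<>@]{1,64}@[A-Za-z0-9.-]{1,253}>$"),
    "DATA": re.compile(r"^$"),
    "QUIT": re.compile(r"^$"),
}


class SequenceFilter:
    """Tracks how far through the fixed command sequence one client is."""

    def __init__(self):
        self.step = 0

    def check(self, line):
        """Return ('forward' | 'reject', operation) for one client line."""
        line = line.rstrip("\r\n")
        if len(line) > 512 or not line.isascii() or not line.isprintable():
            log.warning("reject: malformed line")
            return ("reject", None)
        op, _, arg = line.partition(" ")
        op = op.upper()
        if self.step >= len(ALLOWED_SEQUENCE):
            log.warning("reject: sequence already complete, op=%s", op)
            return ("reject", op)
        expected = ALLOWED_SEQUENCE[self.step]
        if op != expected or not ARG_RULES[op].match(arg.strip()):
            log.warning("reject: op=%s expected=%s arg=%r", op, expected, arg)
            return ("reject", op)          # state does not advance
        self.step += 1
        log.info("forward: op=%s arg=%r", op, arg)
        return ("forward", op)


def run_session(lines):
    """Apply one SequenceFilter to a whole client session; return verdicts."""
    flt = SequenceFilter()
    return [flt.check(line) for line in lines]


# Constructed sample sessions: one in the accepted order, one out of order.
GOOD_SESSION = ["HELO mail.example.com", "MSG FROM:<alice@example.com>",
                "RCPT TO:<bob@example.net>", "DATA", "QUIT"]
BAD_SESSION = ["HELO mail.example.com", "VRFY root", "RCPT TO:<bob@example.net>",
               "MSG FROM:<alice@example.com>", "DATA", "QUIT"]
```

Out-of-order commands are rejected without advancing the state, so a client can only make progress by sending the next expected operation with a well-formed argument.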
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards