Re: [fw-wiz] Sources for Extranet Designs?

From: Dragos Ruiu (dr_at_dursec.com)
Date: 02/24/04

  • Next message: George Capehart: "Re: [fw-wiz] Sources for Extranet Designs?" 
    To: "Marcus J. Ranum" <mjr@ranum.com>, dan@linder.org, "Baumann, Sean C." <Sean.Baumann@celera.com>
Date: Mon, 23 Feb 2004 15:24:39 -0800

    On February 23, 2004 01:56 pm, Marcus J. Ranum wrote:
    > Daniel Linder wrote:
    > >Is there such thing as a SQL front end proxy? I would think with more
    > >security devices employing "layer 8" (yeech, marketing speak) filtering a
    > >SQL security proxy that could be programmed with limits such as
    > >databases/tables/columns, number of rows returned, etc this might be a
    > >good first line of defense...
    >
    > Yeah, it's called "Oracle" ;)
    >
    > The principle behind proxies* is that they:
    > a) Are minimized (in terms of implementation)
    > b) Rigorously check for and exclude errors in their input
    > c) Implement a subset of an application protocol
    > -or-
    > Implement an application protocol with the ability to control
    > operations to a subset of the protocol's ops
    > d) Does so only after a security analyst has spent actual
    > brain-cycles thinking about the implications of
    > allowing that operation through the proxy
    > e) Log transactions based on operations
    > f) Ideally are designed to run in a restricted environment
    > if the underlying operating system permits such a
    > thing

    At CanSecWest this year Ulf Mattson will be presenting a paper on
    SQL based IPS. No warranty implied, but I'll be looking forward to
    seeing what he's come up with.

    cheers,
    --dr 

    -- 
Top security experts.  Cutting edge tools, techniques and information.
Vancouver, Canada	April 21-23 2004  http://cansecwest.com
pgpkey http://dragos.com/ kyxpgp
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
  • Next message: George Capehart: "Re: [fw-wiz] Sources for Extranet Designs?"

    Relevant Pages

    • Re: How to do non dependence on database vendor?
      ... >>> You could actually get away with only a single proxy if you use ... >> The interface approach seems more scalable and contained. ... >>> layer, focusing on storing and retrieval of the explicit data, but free ... >>> the future want to make use of another DB than those supporting SQL. ...
      (microsoft.public.dotnet.languages.csharp)
    • RE: [fw-wiz] Sources for Extranet Designs?
      ... >Is there such thing as a SQL front end proxy? ... the very first firewall toolkit SMTP proxy understood ... an unusual state (for example the old guest FTP login disconnect ...
      (Firewall-Wizards)
    • Re: SQL Server 2005 SSIS Paket mit Task: Dateisystem
      ... Da ich die Dateien über einen WEB Server mit SQL Server 2000 Datenbank zum Download anbiete, habe ich den Job auf dem SQL Server 2000 als Script eingerichtet. ... Ich habe einen SQL Server-Agent Proxy angelegt. ... Unter Prinzipale habe ich den Benutzer eingetragen. ...
      (microsoft.public.de.sqlserver)
    • Re: SQL Agent Non SysAdmin Job Proxy User Account
      ... "Unable to set the SQL Agent Proxy Account because of the reason ... "How to configure a SQL Server Agent proxy account to enable ...
      (microsoft.public.de.sqlserver)
    • Re: [fw-wiz] Protocol inspection
      ... application proxy (SQL proxy that filters out all queries by default except those that match specific criteria, ... (Actually SQL injection is in the http request, and in case of POST, ...
      (Firewall-Wizards)