Re: [fw-wiz] Sources for Extranet Designs?

From: Dragos Ruiu (dr_at_dursec.com)
Date: 02/24/04

    To: "Marcus J. Ranum" <mjr@ranum.com>, dan@linder.org, "Baumann, Sean C." <Sean.Baumann@celera.com>
    Date: Mon, 23 Feb 2004 15:24:39 -0800
    
    

    On February 23, 2004 01:56 pm, Marcus J. Ranum wrote:
    > Daniel Linder wrote:
    > >Is there such thing as a SQL front end proxy? I would think with more
    > >security devices employing "layer 8" (yeech, marketing speak) filtering a
    > >SQL security proxy that could be programmed with limits such as
    > >databases/tables/columns, number of rows returned, etc this might be a
    > >good first line of defense...
    >
    > Yeah, it's called "Oracle" ;)
    >
    > The principle behind proxies* is that they:
    > a) Are minimized (in terms of implementation)
    > b) Rigorously check for and exclude errors in their input
    > c) Implement a subset of an application protocol
    > -or-
    > Implement an application protocol with the ability to control
    > operations to a subset of the protocol's ops
    > d) Does so only after a security analyst has spent actual
    > brain-cycles thinking about the implications of
    > allowing that operation through the proxy
    > e) Log transactions based on operations
    > f) Ideally are designed to run in a restricted environment
    > if the underlying operating system permits such a
    > thing

    At CanSecWest this year Ulf Mattson will be presenting a paper on
    SQL based IPS. No warranty implied, but I'll be looking forward to
    seeing what he's come up with.

    cheers,
    --dr

    -- 
    Top security experts.  Cutting edge tools, techniques and information.
    Vancouver, Canada	April 21-23 2004  http://cansecwest.com
    pgpkey http://dragos.com/ kyxpgp
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
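
Added example, not part of the original message or of any product named in the thread: a minimal sketch of proxy principles (a), (b), (c) and (e) from the quoted list, applied to the kind of SQL gate Linder asks about (limits on tables, columns and rows returned). The policy table, MAX_ROWS and the function name check are assumptions made for illustration.

```python
import re

# Hypothetical policy: table -> columns a client may read, plus a row cap.
POLICY = {"orders": {"id", "status", "total"}, "customers": {"id", "name"}}
MAX_ROWS = 100

# The only statement shape the gate understands (principle c: a subset).
# Values are never inline: the WHERE clause takes a single bind placeholder.
STATEMENT = re.compile(
    r"SELECT\s+(?P<cols>[a-z_]+(?:\s*,\s*[a-z_]+)*)\s+"
    r"FROM\s+(?P<table>[a-z_]+)"
    r"(?:\s+WHERE\s+(?P<key>[a-z_]+)\s*=\s*\?)?"
    r"(?:\s+LIMIT\s+(?P<limit>[0-9]{1,6}))?\s*;?",
    re.IGNORECASE,
)

def check(sql, audit):
    """Return (allowed, statement_to_forward_or_None); append one audit record."""
    def deny(reason):
        audit.append(("DENY", reason, sql))  # principle e: log per operation
        return False, None

    # Principle b: reject anything malformed before trying to interpret it.
    if len(sql) > 512 or not sql.isascii():
        return deny("malformed input")
    m = STATEMENT.fullmatch(sql.strip())
    if m is None:
        return deny("statement outside permitted subset")
    table = m["table"].lower()
    cols = [c.strip().lower() for c in m["cols"].split(",")]
    if table not in POLICY:
        return deny("table not permitted")
    referenced = cols + ([m["key"].lower()] if m["key"] else [])
    bad = [c for c in referenced if c not in POLICY[table]]
    if bad:
        return deny("column not permitted: " + ",".join(bad))
    # A missing or oversized LIMIT is replaced by the policy cap.
    limit = min(int(m["limit"]), MAX_ROWS) if m["limit"] else MAX_ROWS
    # Rebuild from validated parts rather than forwarding the client's bytes.
    out = f"SELECT {', '.join(cols)} FROM {table}"
    if m["key"]:
        out += f" WHERE {m['key'].lower()} = ?"
    out += f" LIMIT {limit}"
    audit.append(("ALLOW", f"select {table}", out))
    return True, out
```

Anything the pattern does not fully match is refused, so stacked statements, UNION, wildcards and inline literals never reach the policy lookup at all.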
    
