Re: [fw-wiz] Cisco ASA firewall: SQLnet inspection: buffer limit

On Jan 15, 2009, at 2:45 PM, Chuck Swiger wrote:
The typical solution to accessing a database behind a firewall is to set up a VPN connection, and not to disable the firewall.

Permitting the entire Internet to access your database means you are trusting Oracle's security. Even if you don't care about the integrity of your data, you'd also put the machine running Oracle itself at risk of compromise as well:

But what about the case where a web server on the DMZ network and interface on a 3 (or more) interface
firewall accesses an Oracle database server which is located on a higher security level network protected
by a different interface on the same firewall?

The SQL query will also have to go through the firewall to go from the DMZ WWW server to the DB server --
I don't believe most experts would argue that the WWW server should build a VPN connection to the
database server on the more secure network. In most cases you do not want the public facing Web server
to have unrestricted access to all of the ports on the DB server nor unrestricted access to the network it is on.


firewall-wizards mailing list