Re: [fw-wiz] Cisco ASA firewall: SQLnet inspection: buffer limit
Although I would not argue the VPN solution being secure, the reason most do not do this is because thousands of web queries would take forever to process to a SQL server due to the encryption. It would have to be done at the client level as well, since you cannot terminate a LAN2LAN on a host or an ISA server. This may have been a bad presumption on my part, but who said this was a database to a web server? I see no indication that this is a public-facing box on the Internet. There are no IP addresses and no interfaces indicating so. This could be two firewalls deep for layered protection and could have a proxy front end, or a back-end frame relay.


Thank You,

Chris Myers
clmmacunix@xxxxxxxxxxx

John 1:17
For the Law was given through Moses; grace and truth were realized through Jesus Christ.


Go Vols!!!!

On Jan 16, 2009, at 6:06 AM, Morrow Long wrote:

On Jan 15, 2009, at 2:45 PM, Chuck Swiger wrote:
The typical solution to accessing a database behind a firewall is to set up a VPN connection, and not to disable the firewall.

Permitting the entire Internet to access your database means you are trusting Oracle's security. Even if you don't care about the integrity of your data, you'd also put the machine running Oracle itself at risk of compromise as well:

But what about the case where a web server on the DMZ network and interface on a 3 (or more) interface
firewall accesses an Oracle database server which is located on a higher security level network protected
by a different interface on the same firewall?

The SQL query will also have to go through the firewall to go from the DMZ WWW server to the DB server --
I don't believe most experts would argue that the WWW server should build a VPN connection to the
database server on the more secure network. In most cases you do not want the public facing Web server
to have unrestricted access to all of the ports on the DB server nor unrestricted access to the network it is on.

Morrow

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
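The restricted-port design Morrow describes (DMZ web server reaching only the Oracle listener on the inside DB host through the same ASA, with SQL*Net inspection left on), as an added configuration example that is not from the thread; the interface names, addresses and the ACL name are placeholders.

```cisco
! Added example, not from the thread. Interface names, addresses and the
! ACL name are placeholders; adapt them to the real topology.
interface GigabitEthernet0/1
 nameif dmz
 security-level 50
 ip address 192.0.2.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
! The DMZ web server (192.0.2.10) may open TCP/1521 to the DB host (10.0.0.20)
! and nothing else. Any other DMZ-originated traffic is denied and logged;
! add further explicit permits (DNS, NTP, ...) only as the web server needs them.
access-list DMZ_IN extended permit tcp host 192.0.2.10 host 10.0.0.20 eq sqlnet
access-list DMZ_IN extended deny ip any any log
access-group DMZ_IN in interface dmz
!
! SQL*Net inspection stays enabled so the ASA can follow the data connection
! the Oracle listener may redirect to another port, instead of the rule above
! having to open a wide port range toward the DB host.
policy-map global_policy
 class inspection_default
  inspect sqlnet
!
service-policy global_policy global
```

Replies from the DB host back to the web server are permitted by the ASA's connection state, so no inside-to-DMZ permit is needed for this flow.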
