network architecture related to db security - needed

From: Bob Ababurko (bob_at_webstakez.com)
Date: 11/27/05

    Date: Sun, 27 Nov 2005 14:43:49 -0500
    To: security-basics@securityfocus.com
    
    

    I am trying to figure out the best possible implementation to keep a db
    safe that is going to be used as a backend for publicly accessible web
    services (Internet). What are the better or best ways to protect the db
    from being hacked OR what are the ways that the web machines will access
    them?

    I am not sure if a dmz would be best as I am thinking if someone got
    into the web box (on the DMZ) that they will have a clear shot going to
    the db if we have the port wide open for the two to communicate (say 3306
    for mysql communication). Plus typically, there will be logins for the
    db that the php scripts that are running that need to access the db.
    Yes, these web boxen will also be running php, so I envision wanting to
    use some sort of encoding or encryption for these sensitive php files.
    Do I run the db connection over an ssh tunnel on my network, so that
    only port 22 is accessible between the db and web/php boxen? That makes
    good sense, but I am concerned with the overhead ssh brings and keeping
    an already somewhat latent connection between separate db and
    web/php (considering db and web on the same box is the quickest way to
    communicate...sockets).

    I am just wondering the ways that admins choose to secure these
    connections. These seem like some of the hardest machines to secure
    and I cannot seem to find much out there in this regard. Many other
    services seem more straightforward, so this is also more interesting to
    me as well. Please share your ideas for the most secure db security so
    that we may learn.

    Kind Regards,
    Bob Ababurko

