>Around here, we assume that external machines are sacrificial lambs
>that can be broken into. Therefore, we don't allow them to directly
>access internal databases. Instead we're working with CGI proxies
>that have the actual CGI code run on an internal machine (of course,
>your CGI programs better be damn secure, and we have some tools to
>help that out but that's a different thread).
If you want to secure a Web server, you should check out Haystack Labs' (the
IDS folks) new "WebStalker" product.
According to their literature, WebStalker watches all processes on the
entire Web server, cuts off abusive connections as they happen, and sends
immediate alarms with details of suspicious activities.
It watches for things like:
Illegal startup or termination of Web server
Illegal process created by Web server
Illegal access to server application files
Illegal privilege escalation
Illegal jumper (network interloper)
From the documentation, and my conversations with their folks, it seems
ideally positioned for those companies that want to connect their external
web platforms to internal databases.
It's available for Solaris for Sparc or Intel (with other platforms
supposedly coming to a server near you :-)
I have not seen this product in action yet (nor do I work for the company).
Just thought this might be appreciated by the folks following this thread.
You can check out their products at http://www.haystack.com
- Greg Brennan
Subject: Re: Web server updates and secure ac
Date: June 12, 1996 12:41PM
> I am looking for solutions or ideas on how to securely update a Web
> server that is located on the outside of a firewall from a host or
> workstation on the inside.
Since you didn't specify, I'm assuming you're talking about Unix here.
One good way is to use FTP mirroring with an internal machine.
If the internal machine executes the FTP and the external machine
uses TCP Wrappers to restrict what machines can FTP to it, it
can be pretty secure.
This can also work if the outside machine is running the NetWare
web server. You might have a bit of programming to do to get the FTP
mirror to run on a NetWare machine.
Don't know about NT.
> Also, what security methods exist for passing
> queries from the external Web server through the firewall to an SQL
> server on the inside?
Around here, we assume that external machines are sacrificial lambs
that can be broken into. Therefore, we don't allow them to directly
access internal databases. Instead we're working with CGI proxies
that have the actual CGI code run on an internal machine (of course,
your CGI programs better be damn secure, and we have some tools to
help that out but that's a different thread).
There are two CGI proxies we're using. One is home-built (and not
freely available). The other is a commercial FastCGI implementation
Christopher J. Calabrese
Novell IS&T Global Technical Architecture
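
Added example, not part of either message above: a simplified Python model of how TCP Wrappers evaluates hosts.allow and hosts.deny, applied to the FTP mirroring setup described in the second message. It shows why the allow entry for the mirror host only restricts anything when hosts.deny also denies by default. The daemon name in.ftpd, the addresses and the handling of only "ALL", exact addresses and dotted prefixes are assumptions made for the illustration.

```python
# Added example: simplified model of TCP Wrappers (hosts_access) rule evaluation.
# Only "ALL", exact addresses and dotted prefixes such as "192.0.2." are handled.

def parse_rules(text):
    """Parse 'daemon_list : client_list' lines into (daemons, clients) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        daemons, clients = line.split(":")[:2]
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split()))
    return rules

def _client_matches(pattern, addr):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):          # network prefix, e.g. "192.0.2."
        return addr.startswith(pattern)
    return pattern == addr

def _matches(rules, daemon, addr):
    return any(
        (daemon in daemons or "ALL" in daemons)
        and any(_client_matches(p, addr) for p in clients)
        for daemons, clients in rules
    )

def access_granted(allow_text, deny_text, daemon, addr):
    """hosts.allow match grants; else hosts.deny match refuses; else grant."""
    if _matches(parse_rules(allow_text), daemon, addr):
        return True
    if _matches(parse_rules(deny_text), daemon, addr):
        return False
    return True   # no match in either file: access is granted

# Constructed sample policy: only the internal mirror host may reach FTP.
MIRROR_HOST = "192.0.2.10"          # placeholder address (documentation range)
HOSTS_ALLOW = "in.ftpd : 192.0.2.10\n"   # daemon name is an assumption
HOSTS_DENY = "ALL : ALL\n"

if __name__ == "__main__":
    for addr in (MIRROR_HOST, "203.0.113.7"):
        print(addr, access_granted(HOSTS_ALLOW, HOSTS_DENY, "in.ftpd", addr))
    # Same allow file with an empty hosts.deny: the outside host gets in.
    print("203.0.113.7", access_granted(HOSTS_ALLOW, "", "in.ftpd", "203.0.113.7"))
```

The address in hosts.allow has to be the one the external server actually sees for the mirror host, which may be the firewall's own address if it translates or proxies the connection.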