Great Circle Associates Firewalls
(September 1996)
 


Subject: Re: Newbie question
From: Rick Smith <smith @ sctc . com>
Date: Mon, 16 Sep 1996 14:38:55 -0500
To: firewalls @ greatcircle . com
Cc: smith @ sctc . com, msmith @ quix . robins . af . mil

Melvin Smith wrote:

: I need to allow WWW (https) in. We use ORACLE ProC to connect
: locally to the db. I've been told we need to put the Web
: server on an external bastion services host, but I don't want
: the database external, so I'm thinking I have 2 options:

: 1) Put WWW internal.

:    So I need to use transparent proxy? (correct term?)

That would work, but is not recommended. It also means that if there
is a flaw in your web server that an attacker can exploit, the
attacker will be *inside* your site perimeter after the attack
succeeds. This is generally considered a bad thing.

: 2) Put WWW external on bastion host and run an ORACLE listener
:    process on it to access the db inside the firewall?

This is better. You are trying to give attackers as many walls to
batter through as possible in the hope that they'll trip over
something noisy before they do too much damage. A dual-homed
approach is even better, so that Internet users can't create
or forge SQL*Net statements and send them into your server.

The true paranoids host the Web server on a host with strong
protection against misbehavior by penetrated applications (like a
Sidewinder or B1/CMWish system).

Rick.
smith @ sctc . com        secure computing corporation

