Melvin and Mark,
Mark's No 4 architecture is my favorite.
> [Internet]---[FWALL]----[Company Net]---[SQL Server]
In addition, Oracle now has an SQL Proxy (sort of) it licensed/gave to
any interested firewall vendors. Look for new firewall releases with
it. The Proxy does not do much but it does let you restrict by source
IP address, destination IP and destination Database name. So only your
Webserver can access the SQL Server.
Better yet, extract your "public" data from your SQL server and stick it
in a "sacrificial" database. That database can be on your SQL server or
better yet on a second "mirror" server with read only access from the
Webserver. You can also extract the "Public" data from the SQL Server
and either FTP it or do an SQL database update to the sacrificial
database, which can now run on the Webserver itself. The firewall acts
as a one way gate - only file transfer traffic initiated by the internal
system is allowed.
If you need to get database updates you can poll the DMZ database for
extracts - again initiated by the internal system. The worst you get is
a corrupt database update file and denial of Webserver availability. (I
know, both can be bad!)
Adam Safier asafier @
CSC-SED-Infosec (301) 794-1349
Technology Abuse: Netscape Frames on a 14" screen.
Kerberos is a three headed bitch (just look carefully at the MIT logo:)
The above are my own opinions,
and I'm proud to live in a country where I'm free to express them!
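The extract-and-push step of the "sacrificial database" design above, as an added worked example (not code from the post or from any of the products it mentions). It assumes SQLite in-memory databases as stand-ins for the internal SQL Server and the DMZ copy, a hypothetical shared key EXTRACT_KEY so the DMZ side can reject a corrupt or forged update file, and constructed sample rows; the one-way transport itself (the inside pushing the file through the firewall) is not shown. The internal side projects only the public columns and authenticates the file; the DMZ side verifies it before building a fresh read-only copy, and keeps the old copy if the file is bad, which is the "worst case is a corrupt update" property the message describes.

```python
"""Sacrificial public-only database: extract on the inside, verify and load in the DMZ."""
import hashlib
import hmac
import json
import sqlite3

# Constructed sample data standing in for the internal SQL Server: cost and
# supplier are internal-only, the other columns are what the website may show.
SAMPLE_ROWS = [
    ("A-100", "Widget", 9.99, 4.10, "Acme Supply"),
    ("B-200", "Gadget", 24.50, 11.00, "Globex"),
]
PUBLIC_COLUMNS = ("sku", "name", "price")

# Assumed shared secret configured on both hosts so the DMZ side can tell a
# genuine extract from a corrupted or forged one (hypothetical value).
EXTRACT_KEY = b"example-extract-key-change-me"


def build_internal_db():
    """The 'real' database behind the firewall (in-memory stand-in)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (sku TEXT PRIMARY KEY, name TEXT, price REAL, "
        "cost REAL, supplier TEXT)"
    )
    conn.executemany("INSERT INTO products VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def make_extract(internal_conn, key=EXTRACT_KEY):
    """Internal side: project only the public columns and authenticate the file.

    The column list is a fixed constant, never user input, so interpolating it
    into the SELECT is safe. Pushing the file out through the firewall is not shown.
    """
    rows = internal_conn.execute(
        f"SELECT {', '.join(PUBLIC_COLUMNS)} FROM products ORDER BY sku"
    ).fetchall()
    payload = json.dumps(
        {"columns": list(PUBLIC_COLUMNS), "rows": rows},
        separators=(",", ":"), sort_keys=True,
    ).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    return payload + b"\n" + tag


def apply_extract(blob, key=EXTRACT_KEY):
    """DMZ side: verify the extract, then build a fresh read-only sacrificial DB.

    Raises ValueError on a tampered or malformed file so the caller can keep
    serving the previous copy.
    """
    payload, _, tag = blob.rpartition(b"\n")
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("extract failed integrity check")
    doc = json.loads(payload)
    if tuple(doc.get("columns", ())) != PUBLIC_COLUMNS:
        raise ValueError("extract has unexpected columns")
    rows = [tuple(r) for r in doc["rows"]]
    if any(len(r) != len(PUBLIC_COLUMNS) for r in rows):
        raise ValueError("extract row shape does not match schema")
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (sku TEXT PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", rows)
    conn.commit()
    # The webserver only ever gets a read-only handle; on a real mirror server
    # this is enforced by the DB's grants or file permissions, not by the client.
    conn.execute("PRAGMA query_only = ON")
    return conn


def refresh(current, blob, key=EXTRACT_KEY):
    """Poll-result handler: swap in the new copy, or keep the old one on a bad file."""
    try:
        return apply_extract(blob, key)
    except (ValueError, sqlite3.DatabaseError):
        return current


def public_lookup(conn, sku):
    """All the website is allowed to do: a parameterised read against the public copy."""
    return conn.execute(
        "SELECT sku, name, price FROM products WHERE sku = ?", (sku,)
    ).fetchone()


def is_read_only(conn):
    """True if the sacrificial copy rejects writes."""
    try:
        conn.execute("UPDATE products SET price = 0")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    extract = make_extract(build_internal_db())
    public_db = apply_extract(extract)
    print(public_lookup(public_db, "A-100"), "read-only:", is_read_only(public_db))
    print("tampered file kept old copy:", refresh(public_db, extract.replace(b"9.99", b"0.01")) is public_db)
```

The HMAC only tells the DMZ side that the file came from the inside unmodified; it does not make the sacrificial copy any less exposed, which is the point of the design: nothing the webserver can reach holds data you would mind losing, and the internal system never accepts a connection from it.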