Hi,
The growing number of questions and lack of solutions regarding
firewalls between web servers and databases got me thinking.
Why not put the CGI guts inside the firewall? On the web server
the CGI just calls a stub which makes a network call through
the firewall (using something like a plug-gw) to a well-mashed
"httpd" on the inside that knows only how to fork a CGI program
and pass it the args it receives on stdin. Or all the CGI programs
on the web server are replaced with one that just passes everything
to the bastion host. What we have is therefore:
+------------+
|   httpd    |
+------------+
|CGI frontend|   External Web Server
+------------+
      |
      |
+------------+
|  plug-gw   |   Bastion Host
+------------+
      |
      |
+------------+
|pseudo-httpd|
+------------+
|  real CGI  |   Internal Host(s)
+------------+
      |
      |
+------------+
|  database  |
+------------+
This has a number of advantages:
1) independent of database at the firewall (no special proxies reqd)
2) always connects at known port on firewall
3) no external access to the database
4) it's simple
5) probably other things I can't think of right now
Disadvantages?
1) need to modify the external CGI scripts or replace them with a
generic one that does GET/POST through the firewall
2) no one has written any of this yet
3) probably others
Comments?
Colin
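A minimal version of the pseudo-httpd and the stub's wire format sketched above, added here as an example (it is not Colin's code and not part of plug-gw). The one-JSON-line format, the ALLOWED_ENV whitelist, the body cap and the echo.cgi test script are all assumptions; the internal side accepts only a bare script name inside its CGI directory and hands the CGI nothing but a whitelisted environment.

```python
import json, os, subprocess, tempfile

# Only these CGI variables cross the firewall; anything else (cookies,
# Authorization headers, etc.) is dropped on both sides.  An assumption.
ALLOWED_ENV = ("REQUEST_METHOD", "QUERY_STRING", "CONTENT_TYPE",
               "CONTENT_LENGTH", "PATH_INFO", "SCRIPT_NAME")
MAX_BODY = 64 * 1024  # assumption: cap on forwarded POST bodies

def encode_request(script, env, body):
    """External stub side: pack one CGI call into a single JSON line."""
    msg = {"script": script,
           "env": {k: v for k, v in env.items() if k in ALLOWED_ENV},
           "body": body}
    return (json.dumps(msg) + "\n").encode()

def run_cgi(raw, cgi_dir):
    """Internal pseudo-httpd side: decode one request, fork the real CGI,
    return (status, stdout).  It never serves files or parses HTTP."""
    msg = json.loads(raw.decode())
    script = msg.get("script", "")
    # Bare file name only: no directory components, no dotfiles.
    if not script or script != os.path.basename(script) or script[0] == ".":
        return 403, b"forbidden\n"
    path = os.path.join(cgi_dir, script)
    if not os.access(path, os.X_OK) or not os.path.isfile(path):
        return 404, b"no such CGI\n"
    body = msg.get("body", "").encode()
    if len(body) > MAX_BODY:
        return 413, b"body too large\n"
    env = {k: str(v) for k, v in msg.get("env", {}).items() if k in ALLOWED_ENV}
    env.update(GATEWAY_INTERFACE="CGI/1.1", PATH="/usr/bin:/bin")
    proc = subprocess.run([path], input=body, env=env,
                          capture_output=True, timeout=30)
    return (200 if proc.returncode == 0 else 500), proc.stdout

def demo():
    """Constructed end-to-end run with a throwaway CGI that echoes its input."""
    cgi_dir = tempfile.mkdtemp()
    path = os.path.join(cgi_dir, "echo.cgi")
    with open(path, "w") as f:
        f.write("#!/bin/sh\nprintf 'Content-Type: text/plain\\n\\n'\n"
                "printf 'q=%s body=' \"$QUERY_STRING\"\ncat\n")
    os.chmod(path, 0o755)
    ext_env = {"REQUEST_METHOD": "POST", "QUERY_STRING": "id=7",
               "HTTP_COOKIE": "session=secret"}  # the cookie must not cross
    return {"ok": run_cgi(encode_request("echo.cgi", ext_env, "hello"), cgi_dir),
            "traversal": run_cgi(encode_request("../echo.cgi", {}, ""), cgi_dir)}
```

In a deployment the external stub would write encode_request() output to the plug-gw socket and relay the reply, and the internal side would wrap run_cgi() in an accept loop bound to the one port the bastion forwards.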