>Date: Wed, 02 Apr 1997 10:22:20 +0530
>From: "Prabhakar D. Mallya" <pdmallya@Inf.COM>
>To: firewalls@greatcircle.com
>Cc: John Kerr <jkerr2@csc.com>
>Subject: Re: Firewall Architecture for Web, Database
>John Kerr wrote:
>>
>> A customer of ours has asked about setting up a security architecture
>> with the Firewall being the main focus. They would like to allow access
>> into their Database inside of the Firewall opposed to having a Database
>> Server that would sit outside the Firewall. They seem to be okay with
>> having a Web server sitting outside the Firewall, so I don't see that as
>> a problem. The problem that they are trying to avoid is having to copy
>> or replicate the data to the Database Server (too time consuming). What
>> are the dangers with adding a third interface to the Firewall and
>> putting the Database on a separate DMZ? It would look like this:
>>
>>              Internet
>>                  |
>>                  |        ----------   ---------
>>                  |        -Database-   -  Web  -
>>                  |        ----------   ---------
>>              ---------        |            |
>>              -  FW   -----------------------
>>              ---------
>>                  |
>>                  |
>>                  |
>>              Internal
>>              Network
>>
>> Rules would be put on the firewall to only allow external access from
>> the internet to the DMZ. We would not allow any access from the DMZ
>> into the internal Network.
>> Any suggestions would be appreciated.
>> Thanks
>> John
>
>Hi,
>
>I'm faced with similar requirements, and I'm evaluating alternatives. My
>analysis, so far, of this situation:
>
>1. The database server and the Web server are open to attack, wherever
>you place them, because you want to allow external users to access them.
>
>2. The rationale for placing these servers in the DMZ is that even if
>they are compromised, the rest of your network is still protected by the
>firewall; the damage is contained to these servers.
>
To ensure that, your rules on the firewall must not permit any access from the
DMZ to the internal network.
>3. You can use the firewall to protect your Web & Database servers by
>configuring it to reject all traffic between the Internet and the DMZ,
>except HTTP browser traffic with the Web Server. The DataBase Server
>should be accessible from the Web Server and from the Internal network.
>Perhaps you could increase protection to the database server by placing
>it on a fourth network segment connected to the firewall.
>
>                        Internet
>                            |
>     ----------             |                ---------
>     -Database-             |                -  Web  -
>     ----------             |                ---------
>          |             ---------                |
>     --------------------  FW   ------------------
>                        ---------
>                            |
>                            |
>                            |
>                        Internal
>                        Network
>
>4. You still have to protect your Web server - e.g., against malicious
>CGI scripts. I think TIS (http://www.tis.com) have a product for Web
>server protection.
>
The product is called ForceField; it is actually a modified version of the TIS
Firewall Toolkit (FWTK) and is available for evaluation.
>5. You still have to protect your database server - e.g., you need to
>ensure that users, especially from the Web server, who access the
>database server cannot access data they are not authorized to access.
>
I would assume that direct access to the DB server is not permitted; all forms
of access should be via the Web server. You can rely on the access control
provided by the RDBMS but it can get sticky depending on the type of access
required. If the Web server is only going to query the DB server then things
would be cleaner; if write access is needed then you have to be careful.
Perhaps you may consider only putting a subset of your entire DB to be
accessible by the Web and not the entire DB.
If direct access to the DB via the Net (e.g. Telnet or FTP) is required,
then you have to consider a strong authentication mechanism, e.g. token-based or
OTP-based.
Regards
Martin Khoo
Senior IT Architect (Security & Cryptography)
Information Infrastructure Group
National Computer Board
martin@nii.ncb.gov.sg
** Comments above are my personal opinion and do not reflect
the opinion of my organisation **
>I would be interested in further views/analysis/security holes/solutions
>on this topic.
>
>Regards
>--
>Prabhakar D. Mallya
>Infosys Technologies, Bangalore, India
>http://www.inf.com/
>e-mail: pdmallya@inf.com
>phone: 91-80-8520261 xtn 1156
>fax: 91-80-8520348
>
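The four-segment policy from point 3, together with the "no access from the DMZ to the internal network" condition above, written out as a first-match rule set with a containment check. This is an added example, not code from the thread; the zone names, service names and the WEAK_POLICY variant are my own assumptions.

```python
# Added example, not from the thread: a first-match zone policy for the
# four-segment design above. Zone and service names are my own assumptions.
from dataclasses import dataclass

ANY = "*"

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    service: str   # ANY, "http", or "db" (the RDBMS listener port)
    action: str    # "allow" or "deny"

# One zone per firewall interface: Internet, Web DMZ, database DMZ, internal.
POLICY = [
    Rule("internet", "web_dmz", "http", "allow"),  # browsers reach only the Web server
    Rule("web_dmz", "db_dmz", "db", "allow"),      # Web server queries the database
    Rule("internal", "db_dmz", "db", "allow"),     # internal users reach the database
    Rule("web_dmz", "internal", ANY, "deny"),      # nothing from either DMZ inward
    Rule("db_dmz", "internal", ANY, "deny"),
    Rule(ANY, ANY, ANY, "deny"),                   # default deny covers Internet -> DB etc.
]

def permitted(src_zone, dst_zone, service, policy=POLICY):
    """First matching rule wins; anything unmatched is denied."""
    for r in policy:
        if (r.src_zone in (ANY, src_zone)
                and r.dst_zone in (ANY, dst_zone)
                and r.service in (ANY, service)):
            return r.action == "allow"
    return False

def audit_containment(policy=POLICY):
    """Flows that would let a compromised DMZ host reach the internal network."""
    leaks = []
    for zone in ("web_dmz", "db_dmz"):
        for svc in ("http", "db", "telnet", "ftp"):
            if permitted(zone, "internal", svc, policy):
                leaks.append((zone, svc))
    return leaks

# A tempting shortcut (assumed scenario): letting the database DMZ talk back to
# the internal network, e.g. for replication, placed ahead of the deny rules
# breaks the containment that justified the DMZ in the first place.
WEAK_POLICY = [Rule("db_dmz", "internal", "db", "allow")] + POLICY
```

Running audit_containment() on POLICY returns no leaks, while WEAK_POLICY reports the db_dmz-to-internal flow that point 2's containment argument depends on never existing.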