1) Should the SQL Server be behind the firewall? The answer
seems to me to be yes - if so, what port do I have to open
to allow communication between the Web/CF Server and the
SQL Server so that they can still talk to each other. Our
intranet (LAN users) and website (WAN) users need to
Dave,
Can you speak to the possible vulnerabilities involved with setting up a
separate web resource domain for the hosts in the DMZ and using trust
relationships to specify access to internal resources? I have a client set
up this way. I thought the arrangement was fairly elegant with good
Hello all,
This may seem sort of off topic and I apologize if it is, but it does
involve a Cold Fusion server and I think you guys/gals would likely know the
answer.
Here goes:
We are attempting to secure our network which was admittedly *not secure*
before. So, we have purchased a 3COM
On 6/27/02, Dustin Snell [Unisyn Software, LLC] penned:
We are attempting to secure our network which was admittedly *not secure*
before. So, we have purchased a 3COM Superstack 3 firewall which is up and
running and seems to be working great. I am wondering what the recommended
topology should
putting the webserver in the DMZ is a good idea, since the majority of web
server compromises are via port 80 anyway. and the principle of the DMZ
(isolated public servers such that, if they are compromised, they cannot be
used as bastion hosts for attacks) applies here.
-Original
I agree, thanks for your help!
-Dustin Snell
Unisyn Software, LLC
- Original Message -
From: Christopher Olive [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Sent: Thursday, June 27, 2002 1:17 PM
Subject: RE: Firewall configuration for CF and SQL (sort of OT)
putting the webserver in
oh, and as a side note, i run DNS on two sub $400 machines (each) using RH
7.2 and BIND 9.x.
chris.
-Original Message-
From: Dustin Snell [Unisyn Software, LLC]
[mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 27, 2002 4:33 PM
To: CF-Talk
Subject: Re: Firewall configuration for CF and
Both the SQL server *and* the CF server should be behind the firewall...the
web server should be the only element in the DMZ. It's called setting CF up
in distributed mode. Check details in the admin guide...if ur stuck pop
back here and I can help ya out...
STace
-Original Message-
The only thing that should be in your DMZ is a web server with port 443 and
80 open through the firewall...You can point the web server connector
to a remote CF machine to render your templates
Stace
-Original Message-
From: Bud [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June
out of curiosity, why would you want to separate the CF API from the
webserver with regards to security? that setup doesn't seem to lend itself
to being more secure.
-Original Message-
From: Stacy Young [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 27, 2002 5:47 PM
To: CF-Talk
Sure it does. If the web server is compromised in the DMZ, the infiltrators
have nothing...no executable code or template exists and there's nowhere to
go...all sensitive information is contained on the remote CF application
server residing in the MZ...including the source code of all your
out of curiosity, why would you want to separate the CF
API from the webserver with regards to security? that
setup doesn't seem to lend itself to being more secure.
Sure it does. If the web server is compromised in the DMZ,
the infiltrators have nothing...no executable code or
Actually I messed up on my original post...It's not port 80 and ssl...it's
the jrun proxy port in the case of mx...and previous versions it's a config
file that operates with the cfdist process to link up the apache module and
the back end server. In addition the communication between the module
Right Dave...my point being that you leave as little as possible on the
exposed web server to minimize risk. Then cross your fingers... ;-)
-Original Message-
From: Dave Watts [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 27, 2002 11:22 PM
To: CF-Talk
Subject: RE: Firewall
the communication between the module and the cf app server
can be encrypted in itself in case there are listeners
Yes, but that's only relevant in the case of a third-party listener, between
the two endpoints - just like SSL between a browser and a server. On either
of the endpoints, the