Dave, are you a hacker at heart? :-) lol. This is good stuff, fellas. So, with all that is said... what would be a (brief) list of best practices for securing a database while allowing remote connections?
(hope this isn't considered hijacking a thread)

On 11/16/05, Mark A Kruger <[EMAIL PROTECTED]> wrote:
>
> yeah yeah... you still get what I'm saying - right?
>
> -----Original Message-----
> From: Russ [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, November 16, 2005 2:31 PM
> To: CF-Talk
> Subject: RE: DB connection question
>
> Just one thing wrong with your 80/20 definition. There is no such thing as
> 100% secure, no matter how much money you spend on it. What people need to
> decide is how much security is "good enough" for their data.
>
> -----Original Message-----
> From: Mark A Kruger [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, November 16, 2005 3:26 PM
> To: CF-Talk
> Subject: RE: DB connection question
>
> Regarding ISPs - I suspect that access to DBs is regarded as a necessary
> evil. In order to compete they will have to allow access. The margin is
> decreased by some factor with every support call - so a high level of
> convenience and fewer hurdles bring a higher return. More to the point,
> while your ISP is concerned with keeping servers up - they are not
> responsible for your data. Read your terms of use - it's full of caveats
> and addendums that limit the ISP's responsibility....
>
> In fact for many sites this makes perfect sense. Exposure is minimal
> because the amount or type of data they store is minimal. If you REALLY
> feel that your data is SO important that it should have the highest level
> of security then you better get used to paying for it - and we better not
> see any more posts regarding an "affordable" ColdFusion host - by which
> they mean below cost :) Folks that quibble over savings of less than 200
> or 300 dollars a year have little room to be griping about security at
> their ISP (g). Read the pre-nup before you say I do.
>
> I always think of security as one of those 80/20 things. If 100% security
> takes $100, then in today's world you can get 80% security for $20.
> The remaining 20% of the security hill costs the remaining 80% of the
> money. That means you can maintain a "reasonable" level of security
> (reasonable for many sites - though not all) for "reasonable" cost, but
> costs go up exponentially to tighten security that last little bit.
>
> That's my take. I'll probably change my mind tomorrow after Dave
> straightens me out :)
>
> -Mark
>
> -----Original Message-----
> From: Dave Watts [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, November 16, 2005 1:43 PM
> To: CF-Talk
> Subject: RE: DB connection question
>
> > Well if all of this is true, it /should/ be possible to have a secured DB
> > access system by using all of these:
> > 1. Non-standard access port
>
> That simply requires an attacker to find out what ports are being used,
> which is usually not difficult.
>
> > 2. Non-standard user names
> > 3. Enforced strong passwords that change periodically
>
> Those would both help, certainly, but by themselves would probably not be
> sufficient.
>
> > 4. Secured tunnel access (SSH, SSL, etc.)
>
> That would secure access to the database to a sufficient degree for most
> uses, as long as access can't be gained through brute-force attacks.
>
> > 5. Any other security practices I'm forgetting
>
> One of those "other security practices" is, don't allow direct access to
> your database.
>
> > A few folks in this thread have mentioned 'big name' ISPs that allow
> > remote DB administration, so it must not be considered a big security
> > risk. Either that, or money talks! ;)
>
> I would go with "money talks", actually.
>
> There are a lot of reasons why they allow it, I'm sure. First of all, most
> shared hosting customers are probably not that concerned with security.
> Most probably don't have sensitive data. Most would rather be able to
> connect to their database server. It's ok to value convenience over
> security, as long as you're aware of the trade-off you're making.
>
> Second, the security concerns of you and your ISP may differ somewhat.
> Your ISP is probably more concerned that their servers will be rooted. You
> may be more concerned about the integrity of your data. Granting remote
> access to your database may not be a security issue for your ISP, even if
> it is for you - this would depend on how the database server itself is
> configured.
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:224443
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
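Dave's two concrete points above (a non-standard port only makes the attacker look a little harder; the real control is not exposing the database directly and reaching it over an SSH tunnel instead) can be checked on the server. The script below is an added example written for this page, not code from anyone in the thread. It audits an `ss -ltnH`-style listener table for well-known database ports bound to a wildcard address (0.0.0.0 or ::), which is exactly the exposure a non-standard port does not remove, and prints the SSH local port-forward an administrator would use instead of opening the port. The port list, the embedded sample lines, and the user and host names are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): find database ports listening on all
# interfaces and show the SSH tunnel that replaces direct remote access.

# Constructed sample in `ss -ltnH` layout (State Recv-Q Send-Q Local:Port Peer:Port).
# Hypothetical host: MySQL and PostgreSQL are exposed, SQL Server and Redis are not.
SAMPLE_LISTENERS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 80 0.0.0.0:3306 0.0.0.0:*
LISTEN 0 128 127.0.0.1:1433 0.0.0.0:*
LISTEN 0 128 [::]:5432 [::]:*
LISTEN 0 128 127.0.0.1:6379 0.0.0.0:*'

# Assumed list of database ports: MySQL, MS SQL Server, PostgreSQL, Oracle, Redis, MongoDB.
DB_PORTS="3306 1433 5432 1521 6379 27017"

# exposed_db_listeners: reads ss-style lines on stdin and prints "port address"
# for every database port bound to a wildcard address. Loopback-only binds are
# fine: they are reachable only through a tunnel or from the local app server.
exposed_db_listeners() {
  awk -v ports="$DB_PORTS" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    $1 == "LISTEN" {
      sock = $4
      # the port follows the last colon; everything before it is the address
      idx = match(sock, /:[0-9]+$/)
      port = substr(sock, idx + 1)
      addr = substr(sock, 1, idx - 1)
      gsub(/[][]/, "", addr)          # strip the [ ] around IPv6 addresses
      if ((port in want) && (addr == "0.0.0.0" || addr == "::" || addr == "*"))
        print port, addr
    }'
}

# tunnel_command: the SSH local port-forward that reaches a database bound to
# loopback on the server, so the firewall never needs an inbound DB port.
# $1 = admin user, $2 = server host, $3 = remote db port, $4 = local port
tunnel_command() {
  printf 'ssh -N -L %s:127.0.0.1:%s %s@%s\n' "$4" "$3" "$1" "$2"
}

# audit: run the check over the embedded sample (replace with `ss -ltnH` on a real host)
audit() {
  printf '%s\n' "$SAMPLE_LISTENERS" | exposed_db_listeners
}

# Stand-alone run: report each exposed listener and the tunnel to use instead.
audit | while read -r port addr; do
  echo "exposed: port $port bound to $addr"
  echo "  use instead: $(tunnel_command dba db.example.com "$port" "1$port")"
done
```

On a live host, pipe `ss -ltnH` (or the equivalent netstat output) into `exposed_db_listeners` instead of the sample; anything it prints should be rebound to 127.0.0.1 (or the app server's private address) and reached through the printed tunnel, with the SSH side protected against the brute-force risk Dave mentions (key-only authentication, rate limiting).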

