I think that's the way TQ did it in that our Boxes couldn't penetrate our internal network and had limited ports outbound opened?
Mind you, I have no idea on this stuff, so I'll pipe down now.
Scott
TRACEY, Darren wrote:
Is there any amazingly compelling reason why you _must_ have your CF box actually _in_ the DMZ, and then have to poke all these holes through your firewall? Wouldn't it be better/safer/easier to put your CF box fully behind your firewall and just open http port 80 traffic up to it from the big bad internet? This way you only have one hole in your firewall and only that one point of weakness and you don't expose the entire webserver to every attack the internet wants to throw at it.
Am I missing something?
Regards
Darren Tracey Systems Analyst Web Applications, Web and Integration Services p: + 61 7 3232 4091 (x64091) f: + 61 7 3232 4744 e: [EMAIL PROTECTED] l: Lvl 9, 388 Queen St Brisbane QLD 4000 m: Suncorp IPC IT040, GPO Box 1453, Brisbane QLD 4000
-----Original Message-----
From: James Macpherson [SMTP:[EMAIL PROTECTED]
Sent: Friday, 2 July 2004 18:07
To: CFAussie Mailing List
Subject: [cfaussie] RE: [OT] DMZ
I would certainly hope not - I could be wrong...
The first thing I'd try is maybe install the client tools on the webserver and see if you can get to your sql server with enterprise manager or query analyser from the webserver, any error message these give might be more useful (it might be something to do with the "named pipes" or SMB mentioned in the article etc. rather than the firewall per se)... then start looking at the firewall logs as Ryan suggested.
Another hint may be to run 'netstat -na' on the database server to see what ports it's listening on - though I'd hope you wouldn't have to resort to forwarding these 1 by 1 to find out which one makes it tick then turn them off one by one - that's just a last resort that springs to mind.
Good luck, sounds very interesting!
- James
-----Original Message-----
From: George Lu [mailto:[EMAIL PROTECTED]
Sent: Friday, 2 July 2004 5:42 PM
To: CFAussie Mailing List
Subject: [cfaussie] RE: [OT] DMZ
Thanks James, and for pointing me to the link. It's quite useful. We
are using the 'sa' account and port 1433 but this is just for the testing. Their
cases are for ASP.NET. Does it apply to ColdFusion server as well? Would
CF use other secret ports for db connection?
George
>>> [EMAIL PROTECTED] 2/07/04 17:15:05 >>>
George,
I believe you just need 1433 and that's it; however, you have to be
sure that on your ColdFusion server you're using the PUBLIC IP of the
firewall and that this port is forwarded. Also, if you're using Windows
authentication, this uses other ports (RPC???) that you don't want to be
opening up at all...
Oh and whilst I'm going paranoia mode; make sure your firewall only
forwards 1433 from the webserver not ANYTHING to port 1433 - remember some
of those fun worms that got around - and no default 'sa' passwords
either!!! (I'm sure you weren't thinking of doing that but nonetheless...)
I found this link
<http://www.sqlteam.com/forums/topic.asp?TOPIC_ID=35718> which sounds a
lot like what you're trying to do which mentions named pipes etc. which
may affect your specific setup.
Regards,
James
-----Original Message-----
From: George Lu [mailto:[EMAIL PROTECTED]
Sent: Friday, 2 July 2004 4:43 PM
To: CFAussie Mailing List
Subject: [cfaussie] RE: [OT] DMZ
Thanks. That's what we are doing now. What I want to know is
what ports need to be open.
George
>>> [EMAIL PROTECTED] 2/07/04 16:37:13 >>>
Hi George,
I'm tempted to guess that your DMZ has public IPs, whilst
your LAN has got private ones, in which case you will need to forward the
database ports of your LAN gateway to the private IP database server?
This kind of set up could be quite complicated, especially if you've never
messed with firewalls and such before.
Regards,
J
-----Original Message-----
From: George Lu [mailto:[EMAIL PROTECTED]
Sent: Friday, 2 July 2004 4:07 PM
To: CFAussie Mailing List
Subject: [cfaussie] [OT] DMZ
Hi All,
We're going to set up an extranet environment. One
option is to place our ColdFusion server in the DMZ (Demilitarized Zone) and
the database server on the LAN. We tried to test the connection between the
CF server and the db server without opening UDP and most of the TCP/IP ports.
However, the connection always fails no matter how many TCP/IP ports are open.
I've tried to put 1839 or 1433 in the Data Source setting. Does anyone
have a similar situation? Could someone give me an idea what's happening?
Here was the error message when I tried to verify the data source:
Connection verification failed for data source: Intranet []java.sql.SQLException: [Macromedia][SQLServer JDBC Driver]The requested instance is either invalid or not running. The root cause was that: java.sql.SQLException: [Macromedia][SQLServer JDBC Driver]The requested instance is either invalid or not running.
Thank you in advance.
George
George Lu Web Developer/Engineer Information Systems and Technology Adult Multicultural Education Services 4/255 William Street Melbourne, Vic 3000 ------------------------------------------ Direct: 03 9926 4706 Fax: 03 9926 4695 Email: [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> Web: www.ames.net.au <http://www.ames.net.au> ------------------------------------------
---
You are currently subscribed to cfaussie as:
[EMAIL PROTECTED]
To unsubscribe send a blank email to
[EMAIL PROTECTED] Aussie Macromedia Developers:
http://lists.daemon.com.au/
AMES (Adult Multicultural Education Services)
www.ames.net.au
Disclaimer
**********************************************************************
This email and any attachments may be confidential. If received in error, please contact us and delete
all copies. Before opening or using attachments you should check
them for viruses or defects. Regardless of any loss, damage or consequence,
whether caused by the negligence of the sender or not, resulting directly
or indirectly from the use of any attached files our liability is
limited to resupplying any affected attachments. Any representations or opinions expressed are those
of the individual sender, and not necessarily those of Adult
Multicultural Education Services (AMES).
**********************************************************************
-----------------------------------------------------------------------------------
This e-mail is sent by Suncorp-Metway Limited ABN 66 010 831 722 or one of its related entities ("Suncorp").
Suncorp may be contacted at Level 18, 36 Wickham Terrace, Brisbane or on 1800 689 762 or at suncorp.com.au.
The content of this e-mail is the view of the sender or stated author and does not necessarily reflect the view of Suncorp. The content, including attachments, is a confidential communication between Suncorp and the intended recipient. If you are not the intended recipient, any use, interference with, disclosure or copying of this e-mail, including attachments, is unauthorised and expressly prohibited. If you have received this e-mail in error please contact the sender immediately and delete the e-mail and any attachments from your system.
If this e-mail constitutes a commercial message of a type that you no longer wish to receive please reply to this e-mail by typing Unsubscribe in the subject line.
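James's hint above about running 'netstat -na' on the database server, worked through as an added example that is not part of the original thread: it parses a constructed sample of Windows netstat output, lists the listening sockets, and separates them by whether an assumed firewall rule set (only TCP 1433 forwarded) would pass them. The addresses and the `forwarded` set are assumptions made for illustration.

```python
import re

# Constructed sample of Windows `netstat -na` output from a database server.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING
  TCP    10.0.0.20:1433         10.0.0.5:3051          ESTABLISHED
  TCP    10.0.0.20:139          0.0.0.0:0              LISTENING
  UDP    0.0.0.0:1434           *:*
  UDP    10.0.0.20:137          *:*
"""

# proto, local address, local port, foreign address, optional state column
LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def listening_sockets(netstat_text):
    """Return sorted (proto, address, port) for sockets accepting traffic."""
    found = set()
    for line in netstat_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # headers and blank lines
        proto, addr, port, foreign, state = m.groups()
        # TCP listeners carry the LISTENING state; UDP rows have no state
        # column and show a foreign address of *:* when bound.
        if (proto == "TCP" and state == "LISTENING") or \
           (proto == "UDP" and foreign == "*:*"):
            found.add((proto, addr, int(port)))
    return sorted(found)


def compare_with_firewall(netstat_text, forwarded):
    """Split listeners into (forwarded, not forwarded) by (proto, port)."""
    passed, not_passed = [], []
    for sock in listening_sockets(netstat_text):
        (passed if (sock[0], sock[2]) in forwarded else not_passed).append(sock)
    return passed, not_passed


if __name__ == "__main__":
    # Assumption: the firewall forwards only TCP 1433 from the web server.
    passed, not_passed = compare_with_firewall(SAMPLE, {("TCP", 1433)})
    print("forwarded by firewall:", passed)
    print("listening but not forwarded:", not_passed)
```

The second list shows services such as RPC (135), SMB (139/445) and the SQL Server resolution service (UDP 1434) that are listening on the host but stay unreachable from the DMZ under this rule set.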
