Firewalls/networks aren't my forte either, but I would have thought that not
sacrificing your CFMX box was half the battle won.
As it is, your CF box has almost full access to your database server and any
other system it's connected to.
If it gets compromised, then your attacker has the entire processing power
of your cf server, without any traffic limitations of an internet
connection, able to be brought to bear on your firewall till it finds a hole
or weakness, with most of that effort being directed at your db server and
authentication system.
I was always under the impression that this was a situation to be avoided at
all costs.
I would have thought that your server would be reasonably safe if the only
connection it had to the world was via port 80 http requests. I know there
are still issues with this, but it's a much shorter and more manageable list
of risks than offering up the whole server as a sacrificial lamb.

That's my opinion, for what it's worth.
I'm just curious, because what's been talked about has been a different
approach to what I would have done, and I'm keen to know if there are any
extra benefits in doing it that way.

Regards 

Darren Tracey
Systems Analyst
Web Applications, Web and Integration Services
p: + 61 7 3232 4091 (x64091)
f: + 61 7 3232 4744
e: [EMAIL PROTECTED]
l: Lvl 9, 388 Queen St Brisbane QLD 4000
m: Suncorp IPC IT040, GPO Box 1453, Brisbane QLD 4000
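To make the two designs argued over in this thread concrete, here is an added example (not code from any of the posters): a tiny first-match firewall model that checks which sources can reach SQL Server on 1433 under James's "only from the webserver" rule versus an "anything to 1433" rule, and which ports on the DMZ ColdFusion box an outside host can hit (Darren's "one hole" argument). All addresses, host names and rules are constructed for illustration.

```python
# Added example, not code from the thread: a first-match firewall model used to
# compare the two DMZ designs under discussion. Addresses are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    src: str      # source network in CIDR form
    dst: str      # destination network in CIDR form
    port: int     # destination TCP port, 0 = any port
    allow: bool   # True = allow, False = deny

def permits(rules, src, dst, port):
    """First matching rule decides; nothing matched means deny."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if s in ip_network(r.src) and d in ip_network(r.dst) and r.port in (0, port):
            return r.allow
    return False

def sources_reaching(rules, candidates, dst, port):
    """Names of the candidate sources that can reach dst:port under this policy."""
    return [name for name, ip in candidates.items() if permits(rules, ip, dst, port)]

def inbound_ports_open(rules, dst, candidate_ports=(22, 80, 135, 443, 445, 1433, 8500)):
    """Ports on dst that an arbitrary internet source (constructed address) can reach."""
    return [p for p in candidate_ports if permits(rules, "198.51.100.7", dst, p)]

# Constructed hosts: CF box in the DMZ, SQL Server on the LAN, two outsiders.
CF_BOX, DB_SERVER = "203.0.113.10", "10.0.0.5"
HOSTS = {"cf_box": CF_BOX, "internet_host": "198.51.100.7", "worm_source": "192.0.2.99"}

# The loose policy James warns about: "ANYTHING to port 1433".
LOOSE = [Rule("0.0.0.0/0", DB_SERVER + "/32", 1433, True)]

# The tight policy: only the web server may reach 1433, and the CF box itself
# accepts nothing but HTTP from the internet.
TIGHT = [
    Rule(CF_BOX + "/32", DB_SERVER + "/32", 1433, True),
    Rule("0.0.0.0/0", DB_SERVER + "/32", 0, False),
    Rule("0.0.0.0/0", CF_BOX + "/32", 80, True),
    Rule("0.0.0.0/0", CF_BOX + "/32", 0, False),
]

if __name__ == "__main__":
    print("loose, who reaches 1433:", sources_reaching(LOOSE, HOSTS, DB_SERVER, 1433))
    print("tight, who reaches 1433:", sources_reaching(TIGHT, HOSTS, DB_SERVER, 1433))
    print("tight, CF box ports open to internet:", inbound_ports_open(TIGHT, CF_BOX))
```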

> -----Original Message-----
> From: Scott Barnes [SMTP:[EMAIL PROTECTED]
> Sent: Monday, 5 July 2004 10:03
> To:   CFAussie Mailing List
> Subject:      [cfaussie] Re: [OT] DMZ
> 
> I think, and firewalls/networks aren't my forte, but I think the reason 
> for a CF box inside the DMZ is that if the actual CFMX box is 
> compromised via code (which would open up lots of possibilities), it 
> won't let you inside the actual network but simply let you play around 
> in the DMZ containment area only.
> 
> I think that's the way TQ did it in that our Boxes couldn't penetrate our 
> internal network and had limited ports outbound opened?
> 
> Mind you, I have no idea on this stuff, so I'll pipe down now.
> 
> Scott
> 
> 
> 
> TRACEY, Darren wrote:
> 
> > Is there any amazingly compelling reason why you _must_ have your CF box
> > actually _in_ the DMZ, and then have to poke all these holes through your
> > firewall?
> > Wouldn't it be better/safer/easier to put your CF box fully behind your
> > firewall and just open http port 80 traffic up to it from the big bad
> > internet?
> > This way you only have one hole in your firewall and only that one point of
> > weakness and you don't expose the entire webserver to every attack the
> > internet wants to throw at it.
> > 
> > Am I missing something?
> > 
> > Regards 
> > 
> > Darren Tracey
> > Systems Analyst
> > Web Applications, Web and Integration Services
> > p: + 61 7 3232 4091 (x64091)
> > f: + 61 7 3232 4744
> > e: [EMAIL PROTECTED]
> > l: Lvl 9, 388 Queen St Brisbane QLD 4000
> > m: Suncorp IPC IT040, GPO Box 1453, Brisbane QLD 4000
> > 
> > 
> >>-----Original Message-----
> >>From:       James Macpherson [SMTP:[EMAIL PROTECTED]
> >>Sent:       Friday, 2 July 2004 18:07
> >>To: CFAussie Mailing List
> >>Subject:    [cfaussie] RE: [OT] DMZ
> >>
> >>I would certainly hope not - I could be wrong...
> >> 
> >>The first thing I'd try is maybe install the client tools on the webserver
> >>and see if you can get to your sql server with enterprise manager or query
> >>analyser from the webserver, any error message these give might be more
> >>useful (it might be something to do with the "named pipes" or SMB
> >>mentioned in the article etc. rather than the firewall per se)... then
> >>start looking at the firewall logs as Ryan suggested.
> >> 
> >>Another hint may be to run 'netstat -na' on the database server to see
> >>what ports it's listening on - though I'd hope you wouldn't have to resort
> >>to forwarding these 1 by 1 to find out which one makes it tick then turn
> >>them off one by one - that's just a last resort that springs to mind.
> >> 
> >>Good luck, sounds very interesting!
> >> 
> >>- James
> >>
> >>    -----Original Message-----
> >>    From: George Lu [mailto:[EMAIL PROTECTED]
> >>    Sent: Friday, 2 July 2004 5:42 PM
> >>    To: CFAussie Mailing List
> >>    Subject: [cfaussie] RE: [OT] DMZ
> >>    
> >>    
> >>    Thanks James and for pointing me to the link. It's quite useful. We
> >>are using the 'sa' account and port 1433 but this is just for testing. Their
> >>cases are for ASP.NET. Does it apply to ColdFusion server as well? Would
> >>CF use other secret ports for db connection?
> >>     
> >>    George
> >>    
> >>    >>> [EMAIL PROTECTED] 2/07/04 17:15:05 >>>
> >>    
> >>    George,
> >>     
> >>    I believe you just need 1433 and that's it, however you have to be
> >>sure that on your coldfusion server you're using the PUBLIC IP of the
> >>firewall and that this port is forwarded.  Also if you're using Windows
> >>authentication this uses other ports (RPC???) that you don't want to be
> >>opening up at all...
> >>     
> >>    Oh and whilst I'm going into paranoia mode; make sure your firewall only
> >>forwards 1433 from the webserver not ANYTHING to port 1433 - remember some
> >>of those fun worms that got around - and no default 'sa' passwords
> >>either!!! (I'm sure you weren't thinking of doing that but nonetheless...)
> >>     
> >>    I found this link
> >><http://www.sqlteam.com/forums/topic.asp?TOPIC_ID=35718> which sounds a
> >>lot like what you're trying to do which mentions named pipes etc. which
> >>may affect your specific setup.
> >>     
> >>    Regards,
> >>     
> >>    James
> >>     
> >>     -----Original Message-----
> >>    From: George Lu [mailto:[EMAIL PROTECTED]
> >>    Sent: Friday, 2 July 2004 4:43 PM
> >>    To: CFAussie Mailing List
> >>    Subject: [cfaussie] RE: [OT] DMZ
> >>    
> >>    
> >>
> >>            Thanks. That's what we are doing now. What I want to know is
> >>what ports need to be open.
> >>             
> >>            George
> >>            
> >>            >>> [EMAIL PROTECTED] 2/07/04 16:37:13 >>>
> >>            
> >>            Hi George,
> >>             
> >>            I'm tempted to guess that your DMZ has public IPs, whilst
> >>your LAN has got private ones, in which case you will need to forward the
> >>database ports of your LAN gateway to the private IP database server?
> >>This kind of set up could be quite complicated, especially if you've never
> >>messed with firewalls and such before.
> >>             
> >>            Regards,
> >>             
> >>            J
> >>
> >>                    -----Original Message-----
> >>                    From: George Lu [mailto:[EMAIL PROTECTED]
> >>                    Sent: Friday, 2 July 2004 4:07 PM
> >>                    To: CFAussie Mailing List
> >>                    Subject: [cfaussie] [OT] DMZ
> >>                    
> >>                    
> >>                    Hi All,
> >>                     
> >>                    We're going to set up an extranet environment. One
> >>option is to place our ColdFusion server in the DMZ (Demilitarized Zone) and
> >>the database server on the LAN. We tried to test the connection between the
> >>CF server and the db server without opening UDP and most of the TCP/IP ports.
> >>However, the connection always fails no matter how many tcp/ip ports are
> >>open. I've tried to put 1839 or 1433 in the Data Source setting. Does anyone
> >>have a similar situation? Could someone give me an idea what's happening?
> >>
> >>                    Here was the error message when I tried to verify
> >>the data source:
> >>
> >>                    Connection verification failed for data source: Intranet
> >>                    []java.sql.SQLException: [Macromedia][SQLServer JDBC
> >>Driver]The requested instance is either invalid or not running.
> >>                    The root cause was that: java.sql.SQLException:
> >>[Macromedia][SQLServer JDBC Driver]The requested instance is either
> >>invalid or not running.
> >>
> >>                    Thank you in advance.
> >>
> >>                    George
> >>
> >>                    George Lu
> >>                    Web Developer/Engineer
> >>                    Information Systems and Technology
> >>                    Adult Multicultural Education Services
> >>                    4/255 William Street
> >>                    Melbourne, Vic 3000
> >>                    ------------------------------------------
> >>                    Direct: 03 9926 4706
> >>                    Fax: 03 9926 4695
> >>                    Email: [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
> >>                    Web: www.ames.net.au <http://www.ames.net.au>
> >>                    ------------------------------------------
> >>

---
You are currently subscribed to cfaussie as: [EMAIL PROTECTED]
To unsubscribe send a blank email to [EMAIL PROTECTED]
Aussie Macromedia Developers: http://lists.daemon.com.au/
