-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Monday 03 February 2003 10:26, you wrote:
> >>> of course, anyone who puts a database server on a public network
> >>> accepting random connections hither and yon is just asking for trouble.
> >>> there's really no reason for that sort of set up.
>
> Care to elaborate?

sure =)

there are very few reasons to have a RDBMS accessible to the 'Net at large,
and almost none of them[1] require the ability for random connections.
databases in and of themselves are of limited use. almost always they are a
data store for other applications and for applications requiring greater
trust (e.g. direct connections) one almost always knows the source of the
connections.

if the DB is serving as a data store for a publicly accessible service (e.g. a
web server) then make sure the DB isn't visible from the public 'Net by:

 o if the DB is on the same system as the public service, then have it listen
only on local UNIX sockets and/or firewall it from ALL external connections

 o firewall it off from all systems except those running the public service

 o build an authenticated encrypted tunnel between the public service and the
database (e.g. a VPN or SSL/TLS authentication)

 o at the very least only allow connections to be made from known networks /
hosts

if the DB is a master or slave used in replication, then the last three
items also apply.

if you have an application that requires direct connections to the DB server
and you don't know where they are coming from (e.g. a roaming sales force
that has an app with direct db connectivity) then require authenticated
connections using strong crypto between the clients and server.

there just simply is no reason to have a DB server sitting on the net that one
can attempt a connection with without first requiring building an
authenticated strong-crypto tunnel.

by denying access right at the gate you can limit your exposure to
vulnerabilities greatly.

- --
Aaron J. Seigo
GPG Fingerprint: 8B8B 2209 0C6F 7C47 B1EA  EE75 D6B7 2EB1 A7F1 DB43

"Everything should be made as simple as possible, but not simpler"
    - Albert Einstein
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE+P1cz1rcusafx20MRArpfAKCDIV47ji8HmAbfudgnR+G+Yh968ACeOL+p
PqugB3vc3irhUvzZuKOVSXo=
=6s4z
-----END PGP SIGNATURE-----
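The checks the post recommends (listen on loopback or a local socket only, firewall to the hosts running the public service, or at the very least only known networks) can be audited from the database host itself. The script below is an added example and not part of the original message. It takes constructed lines shaped like `ss -Hltn` output together with a simplified allowlist of firewall ACCEPT rules given as (port, source CIDR) pairs, assumes a default-deny INPUT policy, and reports for each well-known database port whether the listener is loopback-only, firewalled, restricted to trusted networks, or exposed. The port table, sample listeners, allowlist and trusted network are all assumptions made for the example.

```python
import ipaddress

# Well-known database ports (assumption for the example; extend for your estate).
DB_PORTS = {3306: "mysql", 5432: "postgresql", 1433: "mssql", 1521: "oracle"}

# Constructed sample shaped like `ss -Hltn` output (TCP listeners, no header).
SAMPLE_SS = """\
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 128 0.0.0.0:3306 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 128 10.0.0.5:1433 0.0.0.0:*
LISTEN 0 128 [::]:1521 [::]:*
"""

# Constructed allowlist: firewall ACCEPT rules as (dport, source CIDR).
# Anything not listed is assumed dropped, i.e. a default-deny INPUT policy.
SAMPLE_ACCEPTS = [
    (22, "0.0.0.0/0"),
    (3306, "0.0.0.0/0"),
    (1433, "10.0.0.0/24"),
]

# Networks the application / replica hosts live on (constructed).
TRUSTED = [ipaddress.ip_network("10.0.0.0/24")]


def parse_listeners(ss_text):
    """Yield (bound address, port) for each LISTEN line of `ss -Hltn` output."""
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        host, port = fields[3].rsplit(":", 1)
        host = host.strip("[]")          # "[::]" -> "::"
        if host in ("*", ""):            # older ss prints "*:port" for the wildcard
            host = "0.0.0.0"
        yield ipaddress.ip_address(host), int(port)


def classify(addr, port, accepts, trusted):
    """Reachability of one listener from other hosts, best case first."""
    if addr.is_loopback:
        return "loopback-only"           # never routable from another host
    rules = [ipaddress.ip_network(src) for dport, src in accepts if dport == port]
    if not rules:
        return "firewalled"              # default-deny and no ACCEPT for this port

    def within_trusted(net):
        return any(net.version == t.version and net.subnet_of(t) for t in trusted)

    if all(within_trusted(net) for net in rules):
        return "restricted-to-trusted"   # the "known networks / hosts" case
    return "EXPOSED"                     # some ACCEPT admits untrusted sources


def audit(ss_text, accepts, trusted):
    """Map each database port found listening to its reachability status."""
    report = {}
    for addr, port in parse_listeners(ss_text):
        if port in DB_PORTS:
            report[port] = classify(addr, port, accepts, trusted)
    return report


if __name__ == "__main__":
    for port, status in sorted(audit(SAMPLE_SS, SAMPLE_ACCEPTS, TRUSTED).items()):
        print(f"{DB_PORTS[port]:<11} {port:<5} {status}")
```

On a real host feed it the output of `ss -Hltn` and an allowlist derived from your actual firewall ruleset; the sample here flags MySQL on 3306 (bound to every interface, accepted from anywhere) while PostgreSQL on loopback, MSSQL restricted to 10.0.0.0/24 and the unrouted Oracle port pass. The script only covers the network-reachability part of the post; whether the remaining connections are authenticated over strong crypto is a matter for the database's own access configuration and is not checked here.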
