Hi Michael,
> Does it have to be accessible directly, or is there some sort of glue
> process which (already|potentially) acts as a go-between?
Yes, we could put something in between.
> A lot of sites use server-side processing attached to a web server to
> mediate access to a database, for several reasons including added
> security. If that doesn't make sense in your case, maybe some other sort
> of intervening process could act as a proxy to the database?
So you're saying the most secure way to set this up would be to put an
application proxy on the DMZ and place the database server on the LAN?
> If an intruder compromises a DMZ machine in that case, all
> they get is access to your gateway processes -- firewalling rules,
> proxy server configuration information -- not to your repositories.
> That's still bad if you don't know they're there, they can still
> eavesdrop you for example, but you get a chance to notice them
> and punt them out or take other action.
Let's say that the bad guy compromises the application proxy on the DMZ.
Could the cracker not easily access the data on the database server because
of the explicit trust between the proxy server and the database server?
***
Shawn
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
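An added illustration of the point under discussion in the message above; it is not code from the thread or from either correspondent. What an intruder who takes over the DMZ proxy can reach through the proxy's "explicit trust" to the database is exactly whatever the database grants the proxy's account, so the blast radius is set on the database side, not by the network path alone. Here the LAN-side database is modelled with an in-memory sqlite3 database, and the DBMS enforcing a dedicated proxy account's grants is emulated with sqlite3's authorizer callback (a real DBMS would express the same thing with GRANT statements). The customers table, its columns, the seed rows and the "proxy account" are constructed assumptions for the example; the firewall rule that restricts the database port to the proxy host is not modelled.

```python
"""
Added example (not from the mailing-list thread): the data an intruder can pull
from the LAN database after compromising the DMZ application proxy is bounded by
the privileges the database grants the proxy's account.

The database server is sqlite3 in memory; its per-account privilege check is
emulated with the authorizer callback, standing in for GRANTs on a dedicated
proxy account in a real DBMS. Table, columns, rows and account are made up.
"""
import sqlite3

# Constructed sample rows standing in for the LAN-side repository.
SEED_ROWS = [
    (1, "alice", "alice@example.invalid", "123-45-6789"),
    (2, "bob", "bob@example.invalid", "987-65-4321"),
]

# Hypothetical grants for the proxy account: read access to these columns only.
PROXY_READABLE = {("customers", "id"), ("customers", "name"), ("customers", "email")}


def _proxy_account_authorizer(action, arg1, arg2, dbname, trigger):
    """Emulates the DBMS enforcing the proxy account's grants at statement time.

    SQLITE_READ: arg1 is the table, arg2 the column being read.
    Any action other than a plain SELECT over allowed columns is refused,
    so DROP, DELETE, UPDATE and reads of the ssn column all fail.
    """
    if action == sqlite3.SQLITE_SELECT:
        return sqlite3.SQLITE_OK
    if action == sqlite3.SQLITE_READ:
        return sqlite3.SQLITE_OK if (arg1, arg2) in PROXY_READABLE else sqlite3.SQLITE_DENY
    return sqlite3.SQLITE_DENY


def build_database():
    """Creates the database as its administrator, then cuts the connection down
    to the proxy account's grants. autocommit mode avoids implicit BEGINs that
    the restricted account would not be allowed to issue."""
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT, ssn TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", SEED_ROWS)
    # From here on the connection behaves as if opened with the proxy's own account.
    conn.set_authorizer(_proxy_account_authorizer)
    return conn


def lookup_contact(conn, customer_id):
    """The one operation the proxy legitimately performs; it never touches ssn."""
    return conn.execute(
        "SELECT id, name, email FROM customers WHERE id = ?", (customer_id,)
    ).fetchone()


def attacker_attempts(conn):
    """Statements an intruder holding the compromised proxy's connection might try.
    Returns statement -> rows, or the string 'denied' when the grants block it."""
    attempts = [
        "SELECT * FROM customers",        # dump everything, ssn included
        "SELECT id, name FROM customers",  # within the grants: succeeds
        "DROP TABLE customers",
        "DELETE FROM customers",
    ]
    outcome = {}
    for sql in attempts:
        try:
            outcome[sql] = conn.execute(sql).fetchall()
        except sqlite3.Error:
            outcome[sql] = "denied"
    return outcome


if __name__ == "__main__":
    db = build_database()
    print("proxy's legitimate query:", lookup_contact(db, 1))
    for statement, result in attacker_attempts(db).items():
        print(f"{statement!r:40} -> {result}")
```

The intruder still gets the columns the proxy is entitled to read, which is why the quoted advice treats a DMZ compromise as bad but survivable: the proxy's account should hold nothing beyond what the mediated operation needs, and the database-side grant (here the authorizer) is what turns "trusted by the database" into a bounded set of rows and columns rather than the whole repository.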