Madhur Nanda wrote:
>
> Reverse proxy too is not a bad idea, if you also ensure proper
> authentication like certificate based or one time password for
> the users accessing this facility

Authenticating the web server to the database server won't
help (much) here. Assume that the web server gets r00ted
(or 4dm1n1str4t0r3d, as the case might be here). This is the
concern we're trying to guard against.

If someone takes control over the web server, that someone will
see any and all authentication data that the web server uses
to authenticate to the database server. Game over.

Now, if you're talking authentication of users through a reverse
proxy before they get to the _web server_, that's another thing
altogether, and may indeed be a very good idea if the circumstances
allow.

--
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00 Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50 WWW: http://www.clavister.com
"Senex semper diu dormit"
_______________________________________________
Firewalls mailing list
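
The arrangement discussed in the reply above (users authenticated at a reverse proxy before they reach the web server), sketched as an nginx configuration with client certificates. This is an added example, not part of the original message; nginx as the proxy, the hostname, the backend address and all file paths are assumptions.

```nginx
# Added illustration: hostname, addresses and file paths are placeholders.
events {}

http {
    server {
        listen 443 ssl;
        server_name app.example.com;                 # placeholder

        # The proxy's own server certificate
        ssl_certificate     /etc/nginx/tls/proxy.crt;
        ssl_certificate_key /etc/nginx/tls/proxy.key;

        # Users must present a certificate issued by this CA;
        # requests without a valid one are rejected at the proxy.
        ssl_client_certificate /etc/nginx/tls/users-ca.crt;
        ssl_crl                /etc/nginx/tls/users-ca.crl;
        ssl_verify_client      on;
        ssl_verify_depth       2;

        location / {
            # Set the identity headers from the verified certificate,
            # overwriting any copy the client tried to supply itself.
            proxy_set_header X-Client-DN     $ssl_client_s_dn;
            proxy_set_header X-Client-Verify $ssl_client_verify;
            proxy_set_header Host            $host;

            # Internal web server (placeholder address)
            proxy_pass http://10.0.10.5:8080;
        }
    }
}
```

The web server should accept connections only from the proxy's address, otherwise the authentication step can be bypassed. This limits who can reach the web server; it does not protect the database credentials stored on the web server once that host is compromised.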