Ben Nagy wrote:
>
> Hiya Mike,
Hi Ben, long time no see! :)
(I've still got those "Shortcomings of plug-and-play NAT devices"
mails from two years ago sitting in my inbox if you care to open
up that old can of worms again -- the 10KB message limit is gone,
and I have lots of nice fresh ammo to use; does UPnP NAT
traversal ring a bell? :))
> Mikael Olsson wrote:
> > [replicate parts of internal DB to separate DB in DMZ]
> IMO, the biggest risk with database-backed web thingies is a
> compromise of the database server, resulting in the entire
> database becoming available to an attacker.
Yes.
> I'm assuming that _any_ database would need to
> hold sensitive data, like credit card numbers, to be useable, so even
> the bare-minimum replicated database would still be sensitive.
True. I was sort of assuming that one could limit the info in
the replicated DB to info that was less sensitive. I shouldn't
do that; at least not without saying it. Bad Mike, no cookie.
> I do appreciate your concern, which is obviously that live
> queries against the core production database are a Bad Thing,
> so how about an _internally_ replicated system with a well
> secured database containing the bare minimums
> [... but internal has risks]
> One could reduce _that_ risk by placing the replicated server
> in a separate security zone altogether.
That's what I usually recommend when I'm a little more involved
in network design than a quick note on a mailing list. Isolate
the replicated DB completely from the internal network and the
web server. Only allow replication sessions initiated from the
internal DB, and queries from the web server. This also helps
protect against other attacks against the DB box itself.
(Because, of course, all DBAs absolutely _need_ to use the
newfangled spiffy X admin stuff, so there we go :))
A potential attacker leaping from web server to DB server
to DB server (if the "proxy" DB server is allowed to do
inbound queries) isn't really all that far fetched.
Even assuming that Oracle DBs only have half the holes that MS SQL
servers do, you'd still have a pretty hairy situation IMHO.
> I'm with you - the only fine-grained Oracle proxy is a well
> configured Oracle database.
I was sort of afraid of that, yes.
> (Looking for work in Geneva)
Geneva? I thought you were from down under?
/Mikael
--
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00 Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50 WWW: http://www.clavister.com
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
For Account Management (unsubscribe, get/change password, etc) Please go to:
http://lists.gnac.net/mailman/listinfo/firewalls
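The zoning policy recommended above (replication sessions initiated only from the internal DB, queries only from the web server, nothing else into or out of the replica's zone) and the web-server-to-replica-to-internal-DB pivot it is meant to block, modelled as an added example. This is not code from the mail, the list or Clavister; the host names, zone names and the listener port are assumptions made for the illustration. The model treats "may open a session to" as "may attack", and walks the permitted initiations to see where an attacker holding the web server can get to under a weak policy (replica allowed to query inbound, DBAs allowed to reach it from the LAN) and under the recommended one.

```python
"""Three-zone layout from the thread: internal DB, replicated "proxy"
DB in its own zone, web server in the DMZ.  A policy is the set of
permitted connection *initiations* (src_host, dst_host, dst_port);
everything not listed is denied.  Reply packets belong to an
established session and need no rule of their own.

All host names, zone names and the port number are assumptions made
for this example; they do not come from the original mail.
"""
from collections import deque

DB_PORT = 1521  # assumed listener port; the argument is the same for any DB

# Constructed inventory: host -> security zone
ZONES = {
    "internal_db": "internal",
    "dba_workstation": "internal",
    "replica_db": "db_zone",
    "web_server": "dmz",
}

# Recommended policy: only two initiations cross into the replica's zone,
# and the replica itself never initiates anything.
RECOMMENDED_POLICY = {
    ("internal_db", "replica_db", DB_PORT),  # replication pushed from inside
    ("web_server", "replica_db", DB_PORT),   # web tier queries the replica
}

# Weak variant: the replica may issue inbound queries to the internal DB,
# and DBAs reach it with their admin tooling straight from the LAN.
WEAK_POLICY = RECOMMENDED_POLICY | {
    ("replica_db", "internal_db", DB_PORT),
    ("dba_workstation", "replica_db", DB_PORT),
}


def is_permitted(policy, src, dst, port):
    """Default-deny lookup for a single connection initiation."""
    return (src, dst, port) in policy


def reachable_from(policy, start):
    """Hosts an attacker who owns `start` can attack by chaining permitted
    initiations (pessimistically: reaching a service means owning the box).
    Breadth-first walk over the policy's flow graph."""
    seen = {start}
    queue = deque([start])
    while queue:
        host = queue.popleft()
        for src, dst, _port in policy:
            if src == host and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    seen.discard(start)
    return seen


def cross_zone_flows(policy):
    """Permitted initiations that cross a zone boundary, sorted for review.
    Under the recommended policy this list is the whole firewall rule set."""
    return sorted(
        (src, dst, port)
        for src, dst, port in policy
        if ZONES[src] != ZONES[dst]
    )


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("recommended", RECOMMENDED_POLICY)):
        print(f"{name:12} web_server pivots to: {sorted(reachable_from(policy, 'web_server'))}")
        print(f"{name:12} replica_db reaches:   {sorted(reachable_from(policy, 'replica_db'))}")
        print(f"{name:12} cross-zone rules:     {cross_zone_flows(policy)}")
```

Under the weak policy the walk from `web_server` ends at `internal_db`, which is exactly the web -> DB -> DB leap described in the mail; under the recommended policy it stops at `replica_db`, and the replica itself can initiate nothing, so a compromised replica is a dead end rather than a stepping stone. The same walk is worth running against a real rule set before arguing that a "proxy" DB is isolated.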