On Tue, 22 Jan 2002, Mário Behring wrote:

> Does anybody know some good tool for testing a small environment for
> vulnerabilities ?

nessus, nmap, tcpdump, iptraf, hunt, dsniff, so on.
you can find all of these by google.

> 1- A web server hosted at an IDC (Internet Data Center)

what web sw software?
if you are not the one to run this host then it is untrusted for you.

> 2- A router connected to the IDC via a link (T1 or something)

who runs it? you or the IDC?

> 3- One Microsoft ISA Server running as a firewall with 2 NICs, one
> connected to the Router described on item 2 and the other connected to the
> internal network.

No comment.

> 4- A Database server - Oracle running on Windows 2000 Server in the
> internal network. This DB will be accessed by Internet users that visit
> the website (located at the web server described in item 1) depending on
> the options they choose at the web page.

well, is it used for other purposes too?
put it in dmz.

> - Should I put a real firewall in place (Firewall-1 or Raptor for example)

well, because none of these have real oracle sql proxy, I don't recommend
to use them. You may try gauntlet which has a real sql-gw.
or if you want a tcp-plug or just stateful packet filter, then use linux
2.4.17 or later instead. it's for free.

> - Should I create a DMZ and put this DB server there ?

yes. it's not a question.
I suggest you move from w2k to some unix or linux for the oracle server too.

-------------------------
Narancs v1
IT Security Administrator
Warning: This is a really short .sig!
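
The DMZ plus Linux stateful packet filter suggested in the reply above, sketched as an added example that is not part of the original post: a script that prints an iptables-restore ruleset for a three-interface filter and checks that no rule lets the DMZ open connections of its own. Interface names, addresses, the internal-client rules and a listener fixed on port 1521 are all assumptions.

```shell
#!/bin/sh
# Constructed values: interface names and addresses are assumptions.
EXT_IF=eth0              # link to the router / IDC
DMZ_IF=eth1              # DMZ segment with the Oracle server
INT_IF=eth2              # internal network
WEB_IP=192.0.2.10        # web server at the IDC (documentation address)
DB_IP=198.51.100.20      # Oracle server in the DMZ (documentation address)
INT_NET=10.0.0.0/24      # internal clients
ORA_PORT=1521            # Oracle listener, assumed fixed on its default port

# Print a ruleset in iptables-restore format: default-deny forwarding,
# replies via connection tracking, and only the listed new connections.
gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $EXT_IF -o $DMZ_IF -s $WEB_IP -d $DB_IP -p tcp --dport $ORA_PORT -m state --state NEW -j ACCEPT
-A FORWARD -i $INT_IF -o $DMZ_IF -s $INT_NET -d $DB_IP -p tcp --dport $ORA_PORT -m state --state NEW -j ACCEPT
-A FORWARD -i $INT_IF -o $EXT_IF -s $INT_NET -m state --state NEW -j ACCEPT
-A FORWARD -j LOG --log-prefix "fw-drop: "
COMMIT
EOF
}

# Read a ruleset on stdin; succeed (exit 0) if any ACCEPT rule takes
# traffic arriving from the DMZ, i.e. the DMZ could open connections.
dmz_can_initiate() {
    grep -Eq -- "^-A FORWARD .*-i $DMZ_IF .*-j ACCEPT"
}

# Refuse to print a ruleset that would let the DMZ reach other segments.
if gen_ruleset | dmz_can_initiate; then
    echo "ruleset lets the DMZ initiate connections" >&2
    exit 1
fi
gen_ruleset
```

The printed ruleset can be reviewed and then loaded with `iptables-restore`; the INPUT chain leaves no remote management path open, so administration is assumed to happen from the console.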