yeah yeah... you still get what I'm saying - right?

-----Original Message-----
From: Russ [mailto:[EMAIL PROTECTED]
Sent: Wednesday, November 16, 2005 2:31 PM
To: CF-Talk
Subject: RE: DB connection question


Just one thing wrong with your 80/20 definition.  There is no such thing as
100% secure, no matter how much money you spend on it.  What people need to
decide is how much security is "good enough" for their data.

-----Original Message-----
From: Mark A Kruger [mailto:[EMAIL PROTECTED]
Sent: Wednesday, November 16, 2005 3:26 PM
To: CF-Talk
Subject: RE: DB connection question

Regarding ISPs - I suspect that access to DBs is regarded as a necessary
evil. In order to compete they will have to allow access. The margin is
decreased by some factor with every support call - so a high level of
convenience and fewer hurdles bring a higher return.  More to the point,
while your ISP is concerned with keeping servers up - they are not
responsible for your data. Read your terms of use - it's full of caveats and
addendums that limit the ISP's responsibility....

In fact for many sites this makes perfect sense. Exposure is minimal because
the amount and type of data they store is minimal. If you REALLY feel that
your data is SO important that it should have the highest level of security
then you better get used to paying for it - and we better not see any more
posts regarding "affordable" ColdFusion hosts - by which they mean below
cost :)  Folks that quibble over savings of less than 200 or 300 dollars a
year have little room to be griping about security at their ISP (g). Read
the pre-nup before you say I do.

I always think of security as one of those 80/20 things.  If 100% security
takes $100, then in today's world you can get 80% security for $20.
The remaining 20% of the security hill costs the remaining 80% of the money.
That means you can maintain a "reasonable" level of security (reasonable for
many sites - though not all)  for "reasonable" cost, but costs go up
exponentially to tighten security that last little bit.

That's my take. I'll probably change my mind tomorrow after Dave straightens
me out :)

-Mark
-----Original Message-----
From: Dave Watts [mailto:[EMAIL PROTECTED]
Sent: Wednesday, November 16, 2005 1:43 PM
To: CF-Talk
Subject: RE: DB connection question


> Well if all of this true, it /should/ be possible to have a secured DB
> access system by using all of these:
> 1.  Non-standard access port

That simply requires an attacker to find out what ports are being used,
which is usually not difficult.

> 2.  Non-standard user names
> 3.  Enforced strong passwords that change periodically

Those would both help, certainly, but by themselves would probably not be
sufficient.

> 4.  Secured tunnel access (SSH, SSL, etc.)

That would secure access to the database to a sufficient degree for most
uses, as long as access can't be gained through brute-force attacks.

> 5.  Any other security practices I'm forgetting

One of those "other security practices" is, don't allow direct access to
your database.

> A few folks in this thread have mentioned 'big name' ISPs that allow
> remote DB administration, so it must not be considered a big security
> risk.  Either that, or money talks!  ;)

I would go with "money talks", actually.

There are a lot of reasons why they allow it, I'm sure. First of all, most
shared hosting customers are probably not that concerned with security. Most
probably don't have sensitive data. Most would rather be able to connect to
their database server. It's ok to value convenience over security, as long
as you're aware of the trade-off you're making.

Second, the security concerns of you and your ISP may differ somewhat. Your
ISP is probably more concerned that their servers will be rooted. You may be
more concerned about the integrity of your data. Granting remote access to
your database may not be a security issue for your ISP, even if it is for
you - this would depend on how the database server itself is configured.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
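Dave's first point above (a non-standard port only costs the attacker a port scan) is easy to see in practice. The following is an added example, not code from the thread or from any of the posters: it starts a stand-in "database" on an OS-assigned port that sends a constructed MySQL-style greeting packet (the server version string is made up), and a small scanner that is told only a port range, connects to each port, reads the banner, and picks out the one that looks like a MySQL server. Nothing here talks to a real database; the greeting is built inline for the demonstration.

```python
import socket
import threading

# Constructed stand-in for the first packet a MySQL 4.1+ server sends to any
# client that connects: 3-byte little-endian payload length, sequence id 0,
# protocol version byte 10, NUL-terminated server version string, thread id.
# The version string is made up for this example.
FAKE_SERVER_VERSION = b"5.0.22-constructed"


def handshake_packet(version=FAKE_SERVER_VERSION):
    """Build the constructed greeting packet described above."""
    payload = bytes([10]) + version + b"\x00" + b"\x00\x00\x00\x00"
    return len(payload).to_bytes(3, "little") + b"\x00" + payload


def start_fake_db(host="127.0.0.1"):
    """Listen on an OS-assigned ("non-standard") port and greet every client.

    Returns the listening socket and its port; close the socket to stop.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listening socket was closed
                return
            with conn:
                try:
                    conn.sendall(handshake_packet())
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def grab_banner(host, port, timeout=0.25):
    """Connect and read whatever the service volunteers; None if closed or silent."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            return s.recv(256)
    except OSError:
        return None


def mysql_version(banner):
    """Return the server version if the banner has the MySQL greeting shape, else None."""
    if banner is None or len(banner) < 6:
        return None
    length = int.from_bytes(banner[:3], "little")
    if banner[4] != 10 or length != len(banner) - 4:
        return None
    end = banner.find(b"\x00", 5)
    if end < 0:
        return None
    return banner[5:end].decode("ascii", "replace")


def find_db_ports(host, ports):
    """Scan a port range; map each port that greets like MySQL to its version."""
    hits = {}
    for port in ports:
        version = mysql_version(grab_banner(host, port))
        if version is not None:
            hits[port] = version
    return hits


if __name__ == "__main__":
    srv, port = start_fake_db()
    # The scanner is given only a range, not the port; the greeting gives it away.
    low, high = max(1, port - 50), min(65535, port + 50)
    for p, v in find_db_ports("127.0.0.1", range(low, high)).items():
        print(f"port {p}: MySQL-style greeting, server version {v}")
    srv.close()
```

The scanner never needs a password or a username: the server identifies itself to anyone who completes a TCP connection, which is why the later items in the list (strong credentials, a tunnel, or no direct exposure at all) do the real work and the port number does not.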
Message: http://www.houseoffusion.com/lists.cfm/link=i:4:224392
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4