[EMAIL PROTECTED] wrote:
> So you're saying the most secure way to set this up would be to put an
> application proxy on the DMZ and place the database server on the LAN?
An application proxy or something similar. For example if the mediating
process between the DBMS and the rest of the world is web-based, you
could put a proxy web server in the DMZ, and have that proxy pass
requests through to the LAN, where a real web server houses your static
data plus applications that then query the database. The amount of
processing within the DMZ itself is really minimal.
I'm sure there must be other approaches but I like that one for keeping
the DMZ itself as simple as possible.
> Let's say that the bad guy compromises the application proxy on the DMZ.
> Could the cracker
> not easily access the data on the database server because of the explicit
> trust between the proxy server and the database server?
Cardinal rule: Never configure anything in the secure net (your LAN) to
trust anything in the insecure net (your DMZ).
The DBMS does not trust the DMZ box at all, and in fact it never
processes any communications directly from the DMZ box. It doesn't even
necessarily trust the LAN-side web server. The LAN-side web server
doesn't trust the DMZ box either, except to the extent that it allows
HTTP(S) requests to come in from that host and no others. Whether or
not it actually serves those requests will depend on their contents,
which are provided by the far-end client (legitimate or cracker), not by
the DMZ server.
Maybe a use case will help.
Client (legit or not, we don't know yet) sends an HTTP request -- say,
an authentication token of some sort (certificates are nice, or maybe
just a username/password pair) plus the contents of a form asking for
inventory information.
HTTP request arrives at the proxy box. Proxy box parses the request and
determines that it is actually HTTP.
Proxy then sends an analogous request (the same payload, but rewritten
with a different destination address) on to the LAN-side web server.
[interlude: between the proxy and the LAN is a packet filter with a rule
to allow ports 80 and 443 in to the LAN-side web server only if the
packets originate at the proxy; this request fits that requirement, so
we pass it on in to the LAN. similar rules could also be installed on
the LAN-side web server itself. defense in depth is a good thing.]
HTTP request arrives at the LAN-side web server.
The form contents are parsed and passed along to applications running on
the web server which do the following things:
-> examine the authentication credentials; if they flunk, stop right
here, probably issue an error message to the client. if they pass, move
on to:
-> parse the actual request for data. If it's a well-formed request,
send it on to the DBMS. If not, issue an error message and stop.
[interlude: up to this point, the request for data does not have to bear
_any_ resemblance to an SQL query; it doesn't have to reflect any
knowledge of the data store at all; so far, it's just been answers to
questions as presented on a web form (or something) which can then be
processed by applications on the web server and turned into SQL.]
The DBMS receives the request from the LAN-side web server; looks up the
information; and returns the result of the query to the LAN-side web server.
The LAN-side web server formats the data from the DBMS into HTML, and
squirts that back out to the proxy in the DMZ.
The proxy receives the HTML, re-addresses it but performs no other
processing, and sends it along to the client.
--end walkthrough--
Note that at no time do we let any box outside the LAN talk to the DBMS.
We only let the DMZ proxy talk to the web server, and then only under
controlled conditions. We only let the web server talk to the DBMS.
Does that help?
-m
--
~~~Michael Jinks, IB // Technical Entity // Saecos Corporation~~~~
"mobility is overrated. consider the noble cactus!"
-- Rev. Blair Christensen
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
