A reverse proxy, too, is not a bad idea, if you also ensure proper authentication, like certificate-based or one-time passwords, for the users accessing this facility.
rgds
Madhur

-----Original Message-----
From: Ron DuFresne [mailto:[EMAIL PROTECTED]]
Sent: Sunday, April 28, 2002 2:18 AM
To: Mikael Olsson
Cc: Rick Brown; [EMAIL PROTECTED]
Subject: Re: Extranet design

On Sat, 27 Apr 2002, Mikael Olsson wrote:

> Rick Brown wrote:
> >
> > [ extranet - how? ]
> > The web app needs access to an internal
> > Oracle database. I'm wondering what's the best way to
> > set this up? My first thought was to replicate the
> > database to the DMZ.
>
> If this is doable, it is indeed a very good design choice.
> Replicating the bare minimum to the separate zone, and
> replicating as little as possible back to the inside
> (preferably nothing, if possible?) is just about as good
> as it gets. If Oracle can be set up so that the internal
> DB initiates all of the replicating sessions (sorry, me no
> Oracle guru), it would be _much_ preferable to allowing
> the extranet DB server to initiate sessions to the inside.

The stress here would be on *replicating the bare minimum*. One has to remember that if these external machines are compromised, and too much is replicated outside to them, then vital information might be leaked and made public.

> > Another thought was a reverse proxy, but I've never done that
> > and I'm wondering how secure that is.
>
> You'd have to have a very well-written proxy [1] with very
> fine-grained access control in order for it to improve
> security even measurably. I have no idea if such a beast
> exists (Oracle not being my strong side and all).
>
> [1] To head off less-useful advice: please, no "product X can
> pass Oracle, and since I bought one, it has to be very
> secure/good/trustworthy" follow-ups. Any dumb box can PASS
> Oracle connections. I'm talking about actually securing it.

That can be tuned to only pass the requests that you wish, passing info from the inside out; I'm pretty sure you would not want *all* requests passed and *all* data available to the outside.
Thanks,

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
For Account Management (unsubscribe, get/change password, etc) Please go to:
http://lists.gnac.net/mailman/listinfo/firewalls
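As an added illustration of two points raised in this thread (Ron's "only pass the requests that you wish" and Madhur's certificate-based authentication), here is an nginx configuration for an HTTP reverse proxy sitting in the DMZ in front of the internal web application. It is constructed for this page and is not code from any of the posters; every hostname, address, path and certificate location in it is an assumed placeholder. It covers the web tier only; it does not proxy the Oracle protocol itself, which is the point of Mikael's footnote.

```nginx
# Added example (not from the thread): DMZ reverse proxy that forwards only an
# explicit allowlist of requests to the internal application and requires a
# client certificate from every extranet user. All names/paths are assumed.

server {
    listen 443 ssl;
    server_name extranet.example.com;          # assumed hostname

    # Server certificate presented to extranet users (assumed paths)
    ssl_certificate     /etc/nginx/tls/extranet.crt;
    ssl_certificate_key /etc/nginx/tls/extranet.key;

    # Certificate-based authentication: only clients holding a certificate
    # issued by the partner CA get past the TLS handshake at all.
    ssl_client_certificate /etc/nginx/tls/partner-ca.crt;   # assumed CA file
    ssl_verify_client on;
    ssl_verify_depth 1;

    # Default deny: nothing is forwarded unless listed below, so a new
    # internal URL is never exposed by accident.
    location / {
        return 403;
    }

    # The one request the extranet is allowed to make: the read-only report.
    # limit_except GET also permits HEAD; every other method is refused.
    location = /orders/report {
        limit_except GET {
            deny all;
        }
        proxy_pass http://10.0.0.20:8080/orders/report;   # internal app, assumed address
        proxy_set_header Host $host;
        proxy_set_header X-Client-DN $ssl_client_s_dn;    # authenticated identity for the app's logs
        proxy_set_header X-Forwarded-For $remote_addr;
    }
}
```

The design choice is the same one Ron stresses for replication: start from nothing and add only what the partner actually needs. A request to any other path, or a POST to the report URL, is refused at the proxy and never reaches the inside, and a client without a certificate chained to the partner CA is rejected before any HTTP request is parsed.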
