I, like Mr. Olsson, would perhaps prefer a strong secure reverse proxy in
this situation. But what is the best reverse proxy for the problem? I'm
open to recommendations. It's always good to get input and discussion in
this area. What makes me leery is the current flow of SQL/Oracle issues
cropping up and if the present crop of proxies would be up to the task.
Thanks,
Ron DuFresne
On Mon, 29 Apr 2002, Madhur Nanda wrote:
> Reverse proxy too is not a bad idea, if you also ensure proper authentication like
> certificate-based or one-time password for the users accessing this facility
>
> rgds
> Madhur
>
>
>
> -----Original Message-----
> From: Ron DuFresne [mailto:[EMAIL PROTECTED]]
> Sent: Sunday, April 28, 2002 2:18 AM
> To: Mikael Olsson
> Cc: Rick Brown; [EMAIL PROTECTED]
> Subject: Re: Extranet design
>
>
> On Sat, 27 Apr 2002, Mikael Olsson wrote:
>
> >
> >
> > Rick Brown wrote:
> > >
> > > [ extranet - how? ]
> > > The web app needs to access to an internal
> > > Oracle database. I'm wondering what's the best way to
> > > set this up? My first thought was to replicate the
> > > database to the DMZ.
> >
> > If this is doable, it is indeed a very good design choice.
> > Replicating the bare minimum to the separate zone, and
> > replicating as little as possible back to the inside
> > (preferably nothing, if possible?) is just about as good
> > as it gets. If oracle can be set up so that the internal
> > DB initiates all of the replicating sessions (sorry, me no
> > oracle guru), it would be _much_ preferable to allowing
> > the extranet DB server initiating sessions to the inside.
>
> The stress here would be on *Replicating the bare minimum*,
> One has to remember, if these external machines are compromised, and too
> much is replicated outside to them, then vital information might be leaked
> and made public.
>
>
> >
> > > Another thought was reverse proxy but I've never done that
> > > and I'm wondering how secure that is.
> >
> > You'd have to have a very well-written proxy [1] with very
> > fine-grained access control in order for it to improve
> > security even measurably. I have no idea if such a beast
> > exists (oracle not being my strong side and all).
> >
> >
> > [1] To head off less-useful advice: please, no "product X can
> > pass oracle, and since I bought one, it has to be very
> > secure/good/trustworthy" follow-ups. Any dumb box can PASS
> > oracle connections. I'm talking about actually securing it.
> >
>
> That can be tuned to only pass the requests that you wish passing info
> from the inside out, I'm pretty sure you would not want *all* requests
> passed and *all* data available to the outside.
>
> Thanks,
>
> Ron DuFresne
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> "Cutting the space budget really restores my faith in humanity. It
> eliminates dreams, goals, and ideals and lets us get straight to the
> business of hate, debauchery, and self-annihilation." -- Johnny Hart
> ***testing, only testing, and damn good at it too!***
>
> OK, so you're a Ph.D. Just don't touch anything.
>
> _______________________________________________
> Firewalls mailing list
> [EMAIL PROTECTED]
> For Account Management (unsubscribe, get/change password, etc) Please go to:
> http://lists.gnac.net/mailman/listinfo/firewalls
>
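
The thread's idea of a proxy "tuned to only pass the requests that you wish", with fine-grained access control rather than just passing database connections, can be sketched as a default-deny gateway. This is an added example, not code from any poster or product; the operation name, table, columns and patterns are hypothetical, and sqlite3 stands in for the internal database.

```python
import re
import sqlite3

# Hypothetical allowlist: operation name -> (fixed parameterized SQL, validators).
# Only the columns the extranet needs are selected; nothing else is reachable.
ALLOWED_OPS = {
    "order_status": (
        "SELECT order_id, status FROM orders WHERE order_id = ? AND partner_id = ?",
        (re.compile(r"\d{1,10}"), re.compile(r"[A-Z0-9]{4,12}")),
    ),
}

class Denied(Exception):
    """Raised for anything not explicitly allowed (default deny)."""

def handle_request(conn, op, params):
    """Run one allowlisted operation; the caller never supplies SQL text."""
    if op not in ALLOWED_OPS:
        raise Denied(f"operation not allowed: {op!r}")
    sql, validators = ALLOWED_OPS[op]
    if len(params) != len(validators):
        raise Denied("wrong number of parameters")
    for value, pattern in zip(params, validators):
        if not isinstance(value, str) or not pattern.fullmatch(value):
            raise Denied("parameter failed validation")
    # Values are bound as parameters, never concatenated into the statement.
    return conn.execute(sql, params).fetchall()

def make_demo_db():
    """Constructed sample data; sqlite3 stands in for the internal database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders "
                 "(order_id TEXT, partner_id TEXT, status TEXT, internal_cost REAL)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?, ?)",
                     [("1001", "ACME01", "shipped", 12.5),
                      ("1002", "OTHER9", "pending", 99.0)])
    return conn

if __name__ == "__main__":
    db = make_demo_db()
    print(handle_request(db, "order_status", ["1001", "ACME01"]))
    for bad in (("dump_all", []), ("order_status", ["1001 OR 1=1", "ACME01"])):
        try:
            handle_request(db, *bad)
        except Denied as exc:
            print("denied:", exc)
```

The `internal_cost` column is never returned because no allowlisted statement selects it, which is the same "bare minimum" principle the thread applies to replication.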