On Fri, Jan 26, 2001 at 10:39:46AM -0600, Patrick Goetz wrote:
>
> Thanks for the response.
>
> On Thu, 25 Jan 2001, Jeremy D. Zawodny wrote:
> > > It just occurred to me, however, that this becomes a much bigger
> > > problem when the web server(s) and the database server are running
> > > on different machines.
> >
> > Only if they're on different networks. Ideally, you could put the web
> > server(s) and database server on different ports of a high-speed
> > switch.
>
> This must assume some kind of hardware firewall, then (i.e. inside
> the switch), else how would this provide any kind of security? All
> the switches I currently use essentially just act as repeaters, so
> anyone with a physical connection to the switch (i.e. the whole
> Internet, more or less) can grab the packets passing between the 2
> machines.
The difference between a hub and a switch is that the hub will
allow any port to see the data transmitted by any other port. A
network switch will not do that. It's true circuit switching, just
like a telephone switch. Thus the name "switch".
> > Simply putting one of the servers behind a firewall does nothing to
> > stop a packet sniffer.
>
> This point I don't see at all. If your network is configured like
> this:
>
>
>                       {Web Server Pool}
>                      /
>                     /
>                   E1
> Internet ------- E2:Firewall
>                   E3
>                     \
>                      \
>                       Database Server
>
>
> you simply create firewall rules which prevent any packets from passing
> between interfaces E2 and E3 (i.e. any packets originating from E3 are
> only allowed to pass through E1 to the web server pool).
You misread (or misunderstood) what I wrote. I said "simply putting
ONE of the servers..." But your diagram shows ALL of the servers
behind a firewall. Of course that makes sense. But your original note
said "is this usually handled by simply putting the database server
behind a firewall?" That implied that the database server would be
behind the firewall but the web servers would not be.
> > What you really want is some sort of encrypted network
> > connection. I'd suggest using SSH to do it. I've run replication
> > across the country via an SSH tunnel before.
>
> So this must be some sort of TCP wrapper? Where could I find some
> good documentation on how to implement this?
SSH (Secure Shell) is a telnet/rsh replacement that provides
encryption and the ability to forward arbitrary TCP ports from one
machine to another over an encrypted connection.
To find info:
http://www.google.com/search?q=ssh
Jeremy
--
Jeremy D. Zawodny, <[EMAIL PROTECTED]>
Technical Yahoo - Yahoo Finance
Desk: (408) 328-7878 Fax: (408) 530-5454
Cell: (408) 439-9951
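The SSH port forwarding Jeremy describes, worked through for the web-server-to-MySQL case as an added example (not from the thread): it builds the tunnel and client commands and checks that the tunnel's local end is bound to loopback only. The database host name "dbhost", the login "tunnel", the client user "webapp", local port 3307 and the sample `ss -ltn` listings are all assumptions made here.

```shell
#!/bin/sh
# Added example, not from the thread. Forwards the MySQL port over SSH so the
# web server reaches the database only through an encrypted tunnel, then checks
# that the tunnel's local end is not itself exposed to the network.
# Assumed names: database host "dbhost", tunnel login "tunnel", local port 3307.
# On dbhost, mysqld should listen on 127.0.0.1 only (bind-address=127.0.0.1),
# so the plaintext port 3306 is never reachable across the wire.

# Print the ssh command for the tunnel.  -N: no remote shell, just forwarding.
# -L with an explicit 127.0.0.1 bind keeps the listener off the network; without
# it, a GatewayPorts setting could expose a plaintext MySQL port to neighbours,
# which is exactly the sniffing problem the tunnel was meant to solve.
tunnel_cmd() {
  local_port=$1
  db_host=$2
  printf 'ssh -N -L 127.0.0.1:%s:127.0.0.1:3306 tunnel@%s\n' "$local_port" "$db_host"
}

# Print the client command.  The host must be 127.0.0.1, not "localhost":
# the mysql client treats "localhost" as the Unix socket and bypasses the tunnel.
client_cmd() {
  printf 'mysql -h 127.0.0.1 -P %s -u webapp -p\n' "$1"
}

# Verify from `ss -ltn` (or netstat -ltn) output that the local tunnel port is
# listening and bound only to loopback.  Returns 1 if the tunnel is down or if
# any listener on that port is bound to 0.0.0.0, * or a real interface address.
tunnel_bind_ok() {
  port=$1
  listing=$2
  printf '%s\n' "$listing" | awk -v p=":$port\$" '
    $4 ~ p {
      found = 1
      if ($4 !~ /^127\.0\.0\.1:/ && $4 !~ /^\[::1\]:/) bad = 1
    }
    END { exit (found && !bad) ? 0 : 1 }'
}

# Constructed sample listener tables in `ss -ltn` layout.
LISTING_OK='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:3307      0.0.0.0:*'
LISTING_EXPOSED='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:3307        0.0.0.0:*'
LISTING_DOWN='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:22        0.0.0.0:*'
```

Run `tunnel_cmd 3307 dbhost` on each web server (under a process supervisor so the tunnel is restarted), then point the application at 127.0.0.1:3307; `tunnel_bind_ok 3307 "$(ss -ltn)"` is a cheap health check for that host.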
---------------------------------------------------------------------
Before posting, please check:
http://www.mysql.com/manual.php (the manual)
http://lists.mysql.com/ (the list archive)