Thanks for your input on all points. Let me explain my suggested setup first and then tell me if it still seems absurd.

Point 1: We have an isolated network performing critical functionality. This network has absolutely no connectivity to the outside world/internet
Point 2: Data from this network would be replicated to a MySQL server connected to a SAN
Point 3: The TCP/IP connection between the production machine and the MySQL server would be protected via a firewall/access control
Point 4: This SAN would ONLY be responsible for holding the replicated/non-production data. The OS for the MySQL server would reside on local hard-drive
Point 5: An external MySQL server having its own local OS hard-drive, but sharing the database stored on the SAN drive
Point 6: Firewalls/Access Control would be used to grant/deny access to the External MySQL server, thereby adding an additional layer of security at the network level.
Point 7: Essentially, a DMZ has been created encapsulating the two MySQL servers and the SAN they would both access.

I was not very clear when I originally submitted this issue to the group.

Thanks,
Matthew Harris
Systems Engineer
Peoples Energy - Gas Control
(312) 240-4752
[EMAIL PROTECTED]

-----Original Message-----
From: root [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 21, 2004 12:37 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; Harris, Matt
Subject: Re: Shared Physical Database Question

I have to comment on this one....... You don't know me so feel free to discard :)

I am not sure your management folks have any idea of what they are requesting... They request that you have no TCP/IP access but it seems like direct FIBER CHANNEL is ok? I can't think of a worse security problem than direct block access to a file system. On a compromised server that is like giving the cracker a free ride.

I am sure that their concern is security and that is understandable, but having a computer on the outside of your TCP/IP network that is directly connected to your SAN is no more secure. Your SAN is most likely a separate network (unless you are using iSCSI) but it is still a network. A cracked server then has direct access to your SAN file system... Not so good.

As far as solving your problem goes... I can't think of a single way to automatically update the exterior server without some type of network, either access to the SAN or the IP network. I guess you could manually copy the MySQL data (mysqldump) to a CD and then manually copy them to the exterior server. You might point out the labor overhead involved with that scenario to your management people.

Time to take the design spec tools away from your managers :)

Jason McKnight
Mgr. Information Services
The InSite Group, LLC

[EMAIL PROTECTED] wrote:

The one major design spec, my management has requested, is lack of TCP/IP connectivity between the two servers using the data. One network is completely isolated from the outside world/internet, however we are trying to find a secure way to allow outside users to query historical data that currently resides on the isolated network.
Thanks,
Matthew Harris
Systems Engineer
Peoples Energy - Gas Control
(312) 240-4752
[EMAIL PROTECTED]

-----Original Message-----
From: Dan Nelson [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 21, 2004 11:48 AM
To: Harris, Matt
Cc: [EMAIL PROTECTED]
Subject: Re: Shared Physical Database Question

In the last episode (Jan 19), [EMAIL PROTECTED] said:

Could someone please tell me if the following is possible or if a solution accomplishing the same thing is available? I would like to build a database using two MySQL servers accessing the same physical file on a common drive attached to each computer via a SAN. Can this be done or are there data integrity issues and database file locking issues? Our main goal is to provide the data gathered on a secure network and allow it to be seen on an insecure network. I do understand that this can be accomplished using firewalls and other networking tools, but our management has been very firm in their insistence that a user has no direct network access to our internal/secure LAN.

You might want to check out replication, so that you can push a read-only copy of the tables to a mysqld running on the web server.

--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe: http://lists.mysql.com/[EMAIL PROTECTED]