Actually, in most scenarios I've seen the DB server is behind the
trusted, and the web server is in the DMZ. This has three benefits:
1) There is no direct access to the DB server from the Internet, all
access is really through the webserver, which queries the DB server.
2) You only need to open the DB ports between the webserver and the DB
server. If the DB server was on the DMZ, and the web server was
compromised, there's the potential for jumping over to the DB server
easily.
3) Trusted users that need to access the DB server on the programming
level don't need to go through the firewall.

M. Dante Mercurio, CCNA, MCSE+I, CCSA
Consulting Services Manager
Continental Consulting Group, LLC

www.ccgsecurity.com <http://www.ccgsecurity.com> 

[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> 



> -----Original Message-----
> From: Aaron C. Newman (Application Security, Inc.) 
> [mailto:[EMAIL PROTECTED]] 
> Sent: Thursday, January 24, 2002 1:31 PM
> To: Mario Behring; [EMAIL PROTECTED]
> Subject: RE: Vulnerability analysis tools
> 
> 
> Mario,
> 
> >- Should I create a DMZ and put this DB server there ?
> 
> Definitely you want your Oracle database behind a firewall. 
> Even Oracle will tell you the database is not meant to be 
> exposed to the internet directly. Lots of pretty simple DOS 
> attacks if you aren't totally patched and even more serious 
> attacks exist in the external procedure server, listener, and 
> database instance.
> 
> From the database perspective, you can download a free 
> evaluation of AppDetective for Oracle from 
> www.oraclesecurity.net. It does pen testing and VA against an 
> Oracle database. Takes both an inside-out (security from 
> valid user perspective) and outside-in approach (security 
> from unauthorized attacker perspective).
> 
> Regards,
> Aaron
> ____________________________________________
> Aaron C. Newman
> CTO/Founder
> Application Security, Inc.
> Tel: 212-490-6022
> Fax: 212-490-6456
> E-mail: [EMAIL PROTECTED]
> Web: http://www.appsecinc.com
> - Protection Where it Counts -
> 
> 
> -----Original Message-----
> From: Mario Behring [mailto:[EMAIL PROTECTED]]
> Sent: 22 January 2002 07:52
> To: [EMAIL PROTECTED]
> Subject: Vulnerability analysis tools
> 
> 
> Hi list,
> 
> Does anybody know some good tool for testing a small 
> environment for vulnerabilities ?
> 
> I have the following scenario:
> 
> 1- A web server hosted at an IDC (Internet Data Center)
> 2- A router connected to the IDC via a link (T1 or something)
> 3- One Microsoft ISA Server running as a firewall with 2 
> NICs, one connected to the Router described on item 2 and the 
> other connected to the internal network.
> 4- A Database server - Oracle running on Windows 2000 Server 
> in the internal network. This DB will be accessed by Internet 
> users that visit the website (located at the web server 
> described in item 1) depending on the options they choose at 
> the web page.
> 
> 
> I need to analyse the vulnerabilities in such a scenario and 
> report them. Is there any tool (freeware or not) that analyses 
> this scenario from various points of view ? For instance, I 
> have to analyse this from the perspective of someone 
> accessing the web page and then accessing the DB server at 
> the internal network.
> 
> I have some other questions:
> 
> - Should I put a real firewall in place (Firewall-1 or Raptor 
> for example) instead of this ISA Server ?
> - Should I create a DMZ and put this DB server there ?
> 
> Thanks in advance.
> 
> Mario
> 
> 
> 
> 
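
The layout argued for in the reply at the top of this thread (web server in the DMZ, DB server on the trusted side, only the DB port open between them) can be checked mechanically against a firewall rule table. The Python below is an added example, not part of the original messages; the zone names, the hosts web01/db01, both rule tables, and the use of Oracle's default listener port 1521 are assumptions made for illustration.

```python
from dataclasses import dataclass

DB_PORT = 1521  # assumption: Oracle listener on its default port

@dataclass(frozen=True)
class Rule:
    src_zone: str   # "internet", "dmz", "trusted" or "any"
    src_host: str   # host name or "any"
    dst_zone: str
    dst_host: str
    port: object    # int or "any"
    action: str     # "allow" or "deny"

def audit(rules, web="web01", db="db01"):
    """Flag allow rules into the trusted zone that break the layout.
    Conservative: rule order (shadowing by earlier denies) is ignored."""
    findings, web_to_db = [], False
    for n, r in enumerate(rules, 1):
        if r.action != "allow" or r.dst_zone != "trusted":
            continue
        if r.src_zone in ("internet", "any"):
            findings.append((n, "Internet can reach the trusted network directly"))
        elif r.src_zone == "dmz":
            if (r.src_host, r.dst_host, r.port) == (web, db, DB_PORT):
                web_to_db = True   # the one flow the layout needs
            else:
                findings.append((n, "DMZ-to-trusted rule wider than web server -> DB port"))
    if not web_to_db:
        findings.append((0, "no narrowly scoped web server -> DB rule found"))
    return findings

# Constructed rule tables: the layout from the reply, and a weak variant.
GOOD = [
    Rule("internet", "any", "dmz", "web01", 80, "allow"),
    Rule("internet", "any", "dmz", "web01", 443, "allow"),
    Rule("dmz", "web01", "trusted", "db01", DB_PORT, "allow"),
    Rule("any", "any", "any", "any", "any", "deny"),
]
WEAK = [
    Rule("internet", "any", "dmz", "web01", 80, "allow"),
    Rule("internet", "any", "trusted", "db01", DB_PORT, "allow"),
    Rule("dmz", "any", "trusted", "any", "any", "allow"),
    Rule("any", "any", "any", "any", "any", "deny"),
]

if __name__ == "__main__":
    for name, table in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(name)
        for n, msg in audit(table) or [(0, "ok")]:
            print(f"  rule {n}: {msg}")
```

Rule number 0 in the output marks a table-level finding rather than a specific rule.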
