I have a similar setup where a ColdFusion server sits in the DMZ and the DB server sits on the trusted network. Currently, though, I have the trusted network wide open to the ColdFusion server because I can't find any information on the ports to lock it down to. The connection is an ODBC connection to a FoxPro database. Any suggestions?

Ian

At 01:45 PM 1/25/2002 -0500, you wrote:
>Actually, in most scenarios I've seen the DB server is behind the
>trusted, and the web server is in the DMZ. This has three benefits:
>1) There is no direct access to the DB server from the Internet, all
>access is really through the webserver, which queries the DB server.
>2) You only need to open the DB ports between the webserver and the DB
>server. If the DB server was on the DMZ, and the web server was
>compromised, there's the potential to jump over to the DB server
>easily.
>3) Trusted users that need to access the DB server on the programming
>level don't need to go through the firewall.
>
>M. Dante Mercurio, CCNA, MCSE+I, CCSA
>Consulting Services Manager
>Continental Consulting Group, LLC
>
>www.ccgsecurity.com <http://www.ccgsecurity.com>
>
>[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
>
> > -----Original Message-----
> > From: Aaron C. Newman (Application Security, Inc.)
> > [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, January 24, 2002 1:31 PM
> > To: Mario Behring; [EMAIL PROTECTED]
> > Subject: RE: Vulnerability analysis tools
> >
> > Mario,
> >
> > >- Should I create a DMZ and put this DB server there ?
> >
> > Definitely you want your Oracle database behind a firewall.
> > Even Oracle will tell you the database is not meant to be
> > exposed to the internet directly. Lots of pretty simple DOS
> > attacks if you aren't totally patched and even more serious
> > attacks exist in the external procedure server, listener, and
> > database instance.
> >
> > From the database perspective, you can download a free
> > evaluation of AppDetective for Oracle from
> > www.oraclesecurity.net. It does pen testing and va against an
> > Oracle database. Takes both an inside-out (security from
> > valid user perspective) and outside-in approach (security
> > from unauthorized attacker perspective).
> >
> > Regards,
> > Aaron
> > ____________________________________________
> > Aaron C. Newman
> > CTO/Founder
> > Application Security, Inc.
> > Tel: 212-490-6022
> > Fax: 212-490-6456
> > E-mail: [EMAIL PROTECTED]
> > Web: http://www.appsecinc.com
> > - Protection Where it Counts -
> >
> > -----Original Message-----
> > From: Mario Behring [mailto:[EMAIL PROTECTED]]
> > Sent: 22 January 2002 07:52
> > To: [EMAIL PROTECTED]
> > Subject: Vulnerability analysis tools
> >
> > Hi list,
> >
> > Does anybody know some good tool for testing a small
> > environment for vulnerabilities?
> >
> > I have the following scenario:
> >
> > 1- A web server hosted at an IDC (Internet Data Center)
> > 2- A router connected to the IDC via a link (T1 or something)
> > 3- One Microsoft ISA Server running as a firewall with 2
> > NICs, one connected to the Router described on item 2 and the
> > other connected to the internal network.
> > 4- A Database server - Oracle running on Windows 2000 Server
> > in the internal network. This DB will be accessed by Internet
> > users that visit the website (located at the web server
> > described in item 1) depending on the options they choose at
> > the web page.
> >
> > I need to analyse the vulnerabilities in such a scenario and
> > report them. Is there any tool (freeware or not) that analyses
> > this scenario from various points of view? For instance, I
> > have to analyse this from the perspective of someone
> > accessing the web page and then accessing the DB server at
> > the internal network.
> >
> > I have some other questions:
> >
> > - Should I put a real firewall in place (Firewall-1 or Raptor
> > for example) instead of this ISA Server?
> > - Should I create a DMZ and put this DB server there?
> >
> > Thanks in advance.
> >
> > Mario
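
As an added example (not written by anyone in this thread), a small rule audit that flags firewall allow rules into the trusted network that go beyond "web server to DB server on the DB port only", the layout described in point 2 above. The addresses, the rule format and port 1521 (the Oracle listener default) are assumptions made for illustration.

```python
import ipaddress

# Constructed addressing (assumptions, not taken from the thread).
WEB = ipaddress.ip_network("192.0.2.10/32")   # web server in the DMZ
DB = ipaddress.ip_network("10.0.0.20/32")     # DB server on the trusted network
TRUSTED = ipaddress.ip_network("10.0.0.0/24")
DB_PORTS = {1521}  # assumed Oracle listener default; use your DB's real port

def parse_ports(spec):
    """'any' -> None (all ports); '1521,1526' or '1000-2000' -> set of ints."""
    if spec == "any":
        return None
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def audit(rules):
    """Return (rule name, finding) pairs for allow rules that cross into the
    trusted network with more access than web server -> DB server:DB port."""
    findings = []
    for name, src, dst, spec in rules:
        src_net = ipaddress.ip_network(src)
        dst_net = ipaddress.ip_network(dst)
        if not dst_net.overlaps(TRUSTED) or src_net.subnet_of(TRUSTED):
            continue  # never reaches the trusted net, or is internal traffic
        ports = parse_ports(spec)
        if src_net != WEB:
            findings.append((name, "source is not limited to the web server"))
        if dst_net != DB:
            findings.append((name, "destination is wider than the DB server"))
        if ports is None or not ports <= DB_PORTS:
            findings.append((name, "ports beyond the DB listener are open"))
    return findings

# Constructed sample rule set: (name, source, destination, ports).
SAMPLE_RULES = [
    ("wide-open", "192.0.2.10/32", "10.0.0.0/24", "any"),
    ("db-only", "192.0.2.10/32", "10.0.0.20/32", "1521"),
    ("dmz-any-host", "192.0.2.0/24", "10.0.0.20/32", "1521"),
]

if __name__ == "__main__":
    for rule_name, finding in audit(SAMPLE_RULES):
        print(f"{rule_name}: {finding}")
```
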
