$.02 interjection: using IPsec between boxes is for communications security, it has nothing to do with host security, for which an entirely different set of tools is available. The main point here being: to sniff traffic between the two, you have to be able to crack IPsec. (good luck!)
On Mon, 18 Feb 2002 [EMAIL PROTECTED] wrote:

> Why use IPSec between web box and database? Does IPSec still have an added
> value once a hacker gets on your web box? Just curious.
>
> -----Original Message-----
> From: Trevor Cushen [mailto:[EMAIL PROTECTED]]
> Sent: 15 February 2002 19:14
> To: 'Wayne Hanley'
> Cc: [EMAIL PROTECTED]
> Subject: RE: Databases
>
> All documents and experience I have of this is using a three tier
> solution.
>
> Internet ---> firewall ---> web box ----> firewall ---> database
>
> IPSec between web box and database. All boxes hardened etc. Firewalls
> different systems to avoid one exploit giving full through access.
> Microsoft site has a good paper on this under secure web designs if you
> search that site. If you get that paper you can apply the principles to
> a linux solution. Do you want the remote users to view data or add data
> as well?
>
> -----Original Message-----
> From: Wayne Hanley [mailto:[EMAIL PROTECTED]]
> Sent: 14 February 2002 12:39
> To: [EMAIL PROTECTED]
> Subject: Databases
>
> We are currently developing a system to allow remote users (via the
> internet) to use our database system. The data files are all legacy
> in Dbase4 format.
>
> The problem I face is how to set this up. The solutions I'm looking
> at are a server running either MySQL/APACHE/PHP or SQL Server 2000
> with IIS5.0 with a static IP in a DMZ. Currently we have a firewall
> in place running Smoothwall 0.09a. I was going to move the firewall
> to either a Redhat 7.2 box or Slackware 8.0 run IPtables/Chains to
> have it a little more configurable than the current box. The
> problems I see with this are for one using the Microsoft solution
> having a live box with critical information running IIS/SQLServer and
> hardening this to make it secure and stable enough to not have it be
> a constant worry.
> Also since it will have a static IP (pros and cons
> of running it on an unroutable IP and routing through the firewall?)
> how will I have to set this up using either the MS solution or the
> alternate *NIX based solution. The clients should be able to use the
> database but securely using SSL or something along those lines.
>
> The other idea is to have a MySQL database run on our ISP's web
> server, have the daily transactions carried out, then at the end of the
> day update the database here with the transactions. This would still
> leave the database server reachable from the outside world though, since
> unless it was to be done by hand I cannot see another way of doing
> this.
>
> Not having set anything like this up before, any advice would be
> welcomed. Thanks
>
> Wayne Hanley
> ------------------------------------------------------
> Systems Administrator
> Datacable Ltd
>
> ddi: (+44) 01535 616030
> fax: (+44) 01535 690054
> email: [EMAIL PROTECTED]
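The three-tier design quoted above ("IPSec between web box and database", a second firewall in between) and the $.02 point that IPsec protects the wire rather than the host both come down to one practical question: is the IPsec leg mandatory, or can a box fall back to cleartext when the tunnel is not up? The script below is an added example and is not code from anyone in this thread. It assumes constructed addresses (10.0.1.10 for the web box, 10.0.2.20 for the database, TCP 3306 for MySQL) and shows the two pieces that make the leg mandatory: the inner firewall passes only IKE (UDP 500) and ESP (IP protocol 50) between exactly those two hosts and refuses the plaintext database port even from the web box, and the database host's own Security Policy Database, in setkey(8) syntax (KAME / ipsec-tools; FreeS/WAN on a 2.4 kernel expresses the same thing in its own ipsec.conf), requires ESP on that flow so unprotected packets are discarded by the host even if the firewall in the middle is misconfigured. By default the script prints the rules instead of loading them; set IPT=iptables and run as root to apply the firewall part.

```shell
#!/bin/sh
# Added example for this thread (not any poster's code). Addresses and the
# database port are constructed for the example; override via environment.

WEB_IP="${WEB_IP:-10.0.1.10}"   # assumed: web box in the DMZ
DB_IP="${DB_IP:-10.0.2.20}"     # assumed: database host behind the inner firewall
DB_PORT="${DB_PORT:-3306}"      # MySQL; use 1433 for SQL Server 2000
IPT="${IPT:-echo iptables}"     # dry run by default; IPT=iptables applies for real

# Ruleset for the firewall that sits between web box and database.
# In transport mode this box only ever sees IKE and then ESP between the two
# addresses; it cannot see the TCP port inside ESP, so its whole job is:
# pass IKE and ESP between exactly these two hosts, drop everything else.
inner_fw_rules() {
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    # IKE, both directions (both ends talk from UDP 500)
    $IPT -A FORWARD -s "$WEB_IP" -d "$DB_IP" -p udp --sport 500 --dport 500 -j ACCEPT
    $IPT -A FORWARD -s "$DB_IP" -d "$WEB_IP" -p udp --sport 500 --dport 500 -j ACCEPT
    # ESP, both directions
    $IPT -A FORWARD -s "$WEB_IP" -d "$DB_IP" -p 50 -j ACCEPT
    $IPT -A FORWARD -s "$DB_IP" -d "$WEB_IP" -p 50 -j ACCEPT
    # Plaintext database traffic is logged and refused, even from the web box.
    # If IPsec on a compromised web box is torn down or misconfigured, the
    # database port is unreachable instead of silently falling back to cleartext.
    $IPT -A FORWARD -d "$DB_IP" -p tcp --dport "$DB_PORT" -j LOG --log-prefix "cleartext-db: "
    $IPT -A FORWARD -d "$DB_IP" -p tcp --dport "$DB_PORT" -j REJECT --reject-with tcp-reset
}

# SPD entries for the database host, to be loaded there with: setkey -f <file>
# "require" means any packet on this flow that is not ESP-protected is
# discarded by the host itself; the policy does not depend on the firewall.
db_host_spd() {
    cat <<EOF
flush;
spdflush;
spdadd $WEB_IP $DB_IP any -P in ipsec esp/transport//require;
spdadd $DB_IP $WEB_IP any -P out ipsec esp/transport//require;
EOF
}

inner_fw_rules
db_host_spd
```

The check a practitioner wants after loading this: from the web box, a plain `telnet DB_IP 3306` with the IPsec SA deliberately removed must fail (connection refused from the firewall, and a "cleartext-db:" line in its log), and only once IKE has brought the SA back up does the database answer. If the cleartext connect succeeds, IPsec was optional and the quoted design was never actually enforced.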