The problem with this scenario is that if you compromise the web box, you have the private key to setup the tunnel through the firewall. But, if you are looking at the traffic from another machine in the DMZ, the tunnel will protect things like unencrypted database passwords...
In fact, I know a security wizard who - while not speaking for attribution - who hates things like ssh tunneling. Why? Because it obscures his ability to monitor the traffic - he can't see port 20 being used meaning ftp... it's all mush over a single port... It's not "good", but a little bit of strong encryption can cover up a lot of bad programming practices... -----Burton -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Monday, February 18, 2002 3:11 AM To: [EMAIL PROTECTED] Subject: RE: Databases Why use IPSec between web box and database? Does IPSec still have an added value once a hacker gets on your web box? Just curious. -----Original Message----- From: Trevor Cushen [mailto:[EMAIL PROTECTED]] Sent: 15 February 2002 19:14 To: 'Wayne Hanley' Cc: [EMAIL PROTECTED] Subject: RE: Databases All documents and experience I have of this is using a three tier solution. Internet ---> firewall ---> web box ----> firewall ---> database IPSec between web box and database. All boxes hardened etc. Firewalls different systems to avoid one exploit giving full through access. Microsoft site has a good paper on this under secure web designs if you search that site. If you get that paper you can apply the principals to a linux solution. Do you want the remote users to view data or add data as well?. -----Original Message----- From: Wayne Hanley [mailto:[EMAIL PROTECTED]] Sent: 14 February 2002 12:39 To: [EMAIL PROTECTED] Subject: Databases -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 We are currently developing a system to allow remote users (via the internet) to use our database system. The data files are all legacy in Dbase4 format. The problem I face is how to set this up. The solutions I'm looking at are a server running either MySQL/APACHE/PHP or SQL Server 2000 with IIS5.0 with a static IP in a DMZ. Currently we have a firewall in place running Smoothwall 0.09a. I was going to move the firewall to either a Redhat 7.2 box or Slackware 8.0 run IPtables/Chains to have it a little more configurable than the current box. The problems I see with this are for one using the Microsoft solution having a live box with critical information running IIS/SQLServer and hardening this to make it secure and stable enough to not have it be a constant worry. Also since it will have a static IP (pros and cons of running it on a unroutable IP and routing through the firewall?) how will I have to set this up using either the MS solution or the alternate *NIX based solution. The clients should be able to use the database but securely using SSL or something along those lines. The other idea is to have a MySQL database run on our ISP's web server have the daily transaction carried out then at the end of the day update the database here with the transactions. This would still the database server be reachable from the outside world though since unless it was to be done by hand I cannot see another way of doing this. Not having set anything like this up before any advice would be welcomed. Thanks Wayne Hanley - ------------------------------------------------------ Systems Administrator Datacable Ltd ddi: (+44) 01535 616030 fax: (+44) 01535 690054 email: [EMAIL PROTECTED] The information transmitted is the property of this company Datacable Ltd and is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Statements and opinions expressed in this e-mail may not represent those of Datacable Ltd. Any review, retransmission, dissemination and other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender immediately and delete the material from any computer. -----BEGIN PGP SIGNATURE----- Version: PGP 7.1 iQA/AwUBPGuv88V3Yc8D0zm7EQIIvQCgyEsvfyWuL8e2e1/LV1WBXkR/WukAn2V7 gwaXVj1LjdDZtG6gDRwLnpnC =CyIn -----END PGP SIGNATURE----- **************************************************************************** ** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this message in error please notify SYSNET Ltd., at telephone no: +353-1-2983000 or [EMAIL PROTECTED] **************************************************************************** ** **** DISCLAIMER **** "This e-mail and any attachments thereto may contain information which is confidential and/or protected by intellectual property rights and are intended for the sole use of the recipient(s) named above. Any use of the information contained herein (including, but not limited to, total or partial reproduction, communication or distribution in any form) by persons other than the designated recipient(s) is prohibited. If you have received this e-mail in error, please notify the sender either by telephone or by e-mail and delete the material from any computer. Thank you for your cooperation."
