[ale] Web Server -> DB question

Thompson Freeman tfreeman at intel.digichem.net
Fri Nov 17 10:48:21 EST 2000



I'm not a security expert - but using the web server to host a firewall
between the web server and the database would scare me badly. Once the web
server is/was compromised, the firewall is compromised, and hence the
database. Putting the firewall on the database machine or between the two
would be better, but not much as cracking the web server would expose the
route to access the database (authorization and all of that).

My guess on this one would be to put an outside firewall on or outside
the apache server, putting nothing else on that server if possible. Add a
second firewall behind the web server if needed, and keep the database as
simple as possible (reducing exposure when it gets opened up).

YMMV, and this isn't my specialty, so I can assure you I've botched
something.

On Fri, 17 Nov 2000, Jennifer Taylor wrote:

> I have a client who wishes to set up a web server on one machine with dual NICs (one outside, one inside) and place a database server on another machine that lives on the internal network.
> 
> Now, keep in mind that this client has no existing firewall set up.  Everything they do is either entirely outside or entirely inside and never the twain shall meet.  I guess they're sorta thinking of a baby DMZ here, but I'd like your thoughts on how to implement this setup in the most secure manner possible.
> 
> The goals here are to a) secure the data
> b) securely transmit data between the outside web server and the inside or DMZ db server
> 
> I'm of the opinion that they'd be better off purchasing a dedicated firewall (or setting one up on an old Linux box) and placing it between the two machines, instead of using IPCHAINS on the apache box.
> 
> Any suggestions?  Thanks in advance
> 
> Jenn
> --
> To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message body.
> 

-- 
===========================================
The harder I work, the luckier I get.
                    Lee Iacocca
===========================================
Thompson Freeman          tfreeman at intel.digichem.net
