[ale] Web Server -> DB question

Jonathan Rickman jonathan at xcorps.net
Fri Nov 17 14:16:15 EST 2000


On Fri, 17 Nov 2000, Jennifer Taylor wrote:

> I have a client who wishes to set up a web server on one machine with dual NICs (one outside, one inside) and place a database server on another machine that lives on the internal network.
> 
> Now, keep in mind that this client has no existing firewall set up.  Everything they do is either entirely outside or entirely inside and never the twain shall meet.  I guess they're sorta thinking of a baby DMZ here, but I'd like your thoughts on how to implement this setup in the most secure manner possible.
> 
> The goals here are to a) secure the data
> b) securely transmit data between the outside web server and the inside or DMZ db server
> 
> I'm of the opinion that they'd be better off purchasing a dedicated firewall (or setting one up on an old Linux box) and placing it between the two machines, instead of using IPCHAINS on the apache box.
> 
> Any suggestions?  Thanks in advance

First off, the idea of using dual NICs to have the webserver straddle the
two networks is terrible.

Second, you're right, they need a separate machine acting as a firewall.
I'd suggest placing both servers behind the FW and using port forwarding
to direct traffic from the FW to the webserver, or reverse proxy using
squid. <assumption> Depending on what organization you are representing
within Chatham County </assumption> GCAC or DOAS might be able to assist
you in procuring the equipment needed for such a setup.

Third, fix your line-wrap. Some of us hard core guys still use mutt and
pine.

-- 
Jonathan Rickman
X Corps Security
http://www.xcorps.net

