[kwlug-disc] firewall question

Raul Suarez rarsa at yahoo.com
Mon Feb 16 23:22:22 EST 2009

From: Insurance Squared Inc. <gcooke at insurancesquared.com>

>  So I've got port 80 pointed at the server. That works fine, but now my DB server is exposed to the world.

Why do you think that? If the port forwarding goes to one server, it doesn't go to the other one, even if the server has the port open.

> If it was a webserver, I wouldn't worry about it. But if it was a web server, I wouldn't be running client data on it.

You "almost" got it right. For a sound architecture, the web server should not have access to the database server, period.

> What's my best/easiest security solution?
> Basically I need one way in for my webserver to POST records to the DB.
> No external http: access (other than internal to my network) necessary.

Why are you "POST"ing to the database through port 80? Most databases create connections using a different port.

But the real answer is that you have a flawed (or weak) architecture.

If the data is really important, here is a sound (and common) architecture:

Web --> Firewall --> Web server --> Firewall --> Application server --> Database

This is not difficult to set up, except that you will have to separate the presentation logic from the application logic.

 Raul Suarez

Technology consultant
Software, Hardware and Practices
An eclectic collection of random thoughts
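
The tiered layout in the message above, modelled as a default-deny flow policy and compared with the single-host layout from the question. This is an added example, not part of the original message; the zone names and port numbers (80, 8080, 5432) are assumptions chosen for illustration.

```python
# Added illustration: default-deny flow policy for the tiered layout.
# Zone names and port numbers are assumptions, not taken from the thread.
from collections import deque

# Each tuple is (source zone, destination zone, destination port) that a
# firewall permits. Anything not listed is dropped.
TIERED = {
    ("internet", "web", 80),   # outer firewall: HTTP to the web server only
    ("web", "app", 8080),      # inner firewall: web server to application server
    ("app", "db", 5432),       # application server to database
}

# The layout from the question: port 80 forwarded to the host holding the data.
FLAT = {("internet", "web+db", 80)}


def allowed(policy, src, dst, port):
    """Default deny: a flow passes only if it is listed explicitly."""
    return (src, dst, port) in policy


def direct_peers(policy, dst):
    """Zones permitted to open a connection straight to dst."""
    return sorted({s for s, d, _ in policy if d == dst})


def hops_to(policy, src, dst):
    """Fewest permitted connections chained from src to dst, or None."""
    seen, queue = {src}, deque([(src, 0)])
    while queue:
        zone, hops = queue.popleft()
        if zone == dst:
            return hops
        for s, d, _ in policy:
            if s == zone and d not in seen:
                seen.add(d)
                queue.append((d, hops + 1))
    return None


if __name__ == "__main__":
    print("web -> db allowed:", allowed(TIERED, "web", "db", 5432))
    print("zones that reach db directly:", direct_peers(TIERED, "db"))
    print("tiered hops internet -> db:", hops_to(TIERED, "internet", "db"))
    print("flat hops internet -> data:", hops_to(FLAT, "internet", "web+db"))
```
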
