[kwlug-disc] firewall question

unsolicited unsolicited at swiz.ca
Tue Feb 17 14:30:53 EST 2009


Insurance Squared Inc. wrote, On 02/16/2009 7:34 PM:
> I've got a database inhouse here running on a linux server...our client 
> DB. Normally I'd just disallow port 80 at the router and call it done 
> for security :).  However, the database takes input from my website.  
> HTML forms are routinely POSTED to a specific program on the inhouse 
> server.  So I've got port 80 pointed at the server.  That works fine, 
> but now my DB server is exposed to the world.
.
.
.

Hi Glenn.

I'm not quite clear on your setup - a flow / diagram might help. I've 
seen a couple of good responses, but neither seems to be the simple 
answer you would like to have. It sounds like you're headed for a DMZ, 
but your message doesn't read like you're looking for even that much work.

It seems to me that what would be nice, since you have a webserver 
with all the security fiddly bits already in place, is to have your 
clients post to your webserver instead of directly to the database 
server, and have the webserver 'relay' the posts to the database 
server (and back). The database server would accept no internet 
connections (no ports open on the firewall).

The nice thing about things like an ssh server is that you know ssh 
will just drop anything it's not happy with. If you're convinced the 
database server is equally robust, only spending time on legitimate 
data, you may be ok with the port open.

Not to take anything away from the other 'really good things' in the 
other posts, but this may integrate well with what you already have. 
Whether it's 'sufficient' security or not, only you, and time, can tell.

As John once said, there are best practices, and then there are what 
people usually do. Until they get burned.

Do make sure you take regular backups of the data. (-:

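The relay arrangement the reply above describes (clients POST to the public web server, the web server re-posts only sanitized forms to an internal host that has no firewall port open) as an added example; this is not code from the thread or from any of the posters. The internal address, the `/submit` path and the form field whitelist are assumptions for illustration, and `run_demo()` stands in a constructed loopback backend for the real database intake program.

```python
"""Relay HTTP form POSTs from a public web server to an internal DB host.

The public side accepts POSTs on one path, validates the form against a
whitelist, and re-posts the cleaned fields to an internal server that is
reachable only from the web server's LAN side. Anything the whitelist does
not cover is dropped here, so the DB host never has to parse it.
"""
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

BACKEND_URL = "http://10.0.0.5/cgi-bin/intake"   # assumed internal address
PUBLIC_PATH = "/submit"                           # only path the relay serves
MAX_BODY = 4096                                   # cap on request body size
ALLOWED_FIELDS = {"name": 80, "email": 120, "policy": 32}  # assumed fields


def validate_form(body: bytes) -> dict:
    """Parse a urlencoded body and keep only whitelisted fields within their
    length limits. Raises ValueError on anything the backend should never see."""
    if len(body) > MAX_BODY:
        raise ValueError("body too large")
    parsed = urllib.parse.parse_qs(body.decode("utf-8", "strict"),
                                   keep_blank_values=True, strict_parsing=True)
    clean = {}
    for key, values in parsed.items():
        if key not in ALLOWED_FIELDS:
            raise ValueError(f"unexpected field {key!r}")
        if len(values) != 1 or len(values[0]) > ALLOWED_FIELDS[key]:
            raise ValueError(f"bad value for {key!r}")
        clean[key] = values[0]
    if "email" not in clean or "@" not in clean["email"]:
        raise ValueError("missing or malformed email")
    return clean


def forward(fields: dict, url: str = BACKEND_URL) -> tuple:
    """Re-encode the cleaned fields and POST them; returns (status, body)."""
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


class RelayHandler(BaseHTTPRequestHandler):
    """Public-facing handler: validate, then relay to self.server.backend_url."""

    def do_POST(self):
        if self.path != PUBLIC_PATH:
            self.send_error(404)
            return
        length = int(self.headers.get("Content-Length", "0"))
        if length > MAX_BODY:
            self.send_error(413)
            return
        try:
            fields = validate_form(self.rfile.read(length))
        except ValueError as err:
            self.send_error(400, str(err))   # rejected before touching the DB host
            return
        status, body = forward(fields, self.server.backend_url)
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):            # keep the demo quiet
        pass


class RelayServer(HTTPServer):
    def __init__(self, address, backend_url: str = BACKEND_URL):
        super().__init__(address, RelayHandler)
        self.backend_url = backend_url


class _StubBackend(BaseHTTPRequestHandler):
    """Constructed stand-in for the internal intake program (demo only)."""
    received = []

    def do_POST(self):
        body = self.rfile.read(int(self.headers["Content-Length"]))
        self.received.append(urllib.parse.parse_qs(body.decode()))
        reply = b"stored\n"
        self.send_response(200)
        self.send_header("Content-Length", str(len(reply)))
        self.end_headers()
        self.wfile.write(reply)

    def log_message(self, *args):
        pass


def run_demo() -> dict:
    """Run backend and relay on loopback, push one clean and one bad POST
    through the relay, and report what each side saw."""
    backend = HTTPServer(("127.0.0.1", 0), _StubBackend)
    relay = RelayServer(("127.0.0.1", 0),
                        f"http://127.0.0.1:{backend.server_port}/cgi-bin/intake")
    for srv in (backend, relay):
        threading.Thread(target=srv.serve_forever, daemon=True).start()
    public = f"http://127.0.0.1:{relay.server_port}{PUBLIC_PATH}"
    good = forward({"name": "Glenn", "email": "g@example.com"}, public)
    bad = forward({"name": "x", "email": "nope", "drop_table": "1"}, public)
    relay.shutdown()
    backend.shutdown()
    return {"good": good, "bad": bad[0], "backend_saw": _StubBackend.received}


if __name__ == "__main__":
    print(run_demo())
```

The point of the design is that the firewall rule for the database host stays "nothing inbound from the Internet"; only the web server, which already carries the hardening the reply mentions, is reachable, and the internal program receives exactly the fields it was written for.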