[kwlug-disc] firewall question
unsolicited at swiz.ca
Tue Feb 17 14:30:53 EST 2009
Insurance Squared Inc. wrote, On 02/16/2009 7:34 PM:
> I've got a database in-house here running on a linux server...our client
> DB. Normally I'd just disallow port 80 at the router and call it done
> for security :). However, the database takes input from my website.
> HTML forms are routinely POSTed to a specific program on the in-house
> server. So I've got port 80 pointed at the server. That works fine,
> but now my DB server is exposed to the world.
I'm not quite clear on your setup - a flow / diagram might help. I've
seen a couple of good responses, but neither seems to be the simple
answer you would like to have. It sounds like you're headed for a DMZ,
but your message doesn't read like you're looking for even that much work.
It seems to me that what would be nice, since you have a webserver
with all the security fiddly bits already in place, is to have your
clients post to your webserver instead of directly to the database
server, and have the webserver 'relay' the posts to the database
server (and back). The database server would accept no internet
connections (no ports open on the firewall).
The nice thing about things like an ssh server is that you know ssh
will just drop anything it's not happy with. If you're convinced the
database server is equally robust, only spending time on legitimate
data, you may be ok with the port open.
Not to take anything away from the other 'really good things' in the
other posts, but this may integrate well with what you already have.
Whether it's 'sufficient' security or not, only you, and time, can tell.
As John once said, there are best practices, and then there are what
people usually do. Until they get burned.
Do make sure you take regular backups of the data. (-:
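Added example, not part of the original thread: one way to build the "relay" described above in Python, as a small HTTP service that sits on the public webserver, accepts form POSTs on a single path, checks the fields against an allowlist with length limits, and only then forwards the cleaned form to the database server on the LAN. The internal URL, the relay path and the field names are assumptions chosen for illustration; the database host itself stays unreachable from the internet, exactly as the post suggests.

```python
"""Form relay for a public webserver (added example; hostnames, paths and
field names are hypothetical). Public clients POST here; only cleaned,
allowlisted fields are forwarded to the LAN-only database server."""

from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode
from urllib.request import Request, urlopen

INTERNAL_URL = "http://db-server.lan/cgi-bin/intake"          # assumed internal program
RELAY_PATH = "/client-intake"                                 # assumed public path
ALLOWED_FIELDS = {"name": 100, "email": 254, "policy_no": 32}  # field -> max length
MAX_BODY = 8192                                               # bytes accepted per POST


class RelayError(ValueError):
    """Raised for any request the relay refuses to forward."""


def clean_form(raw_body: bytes) -> dict:
    """Parse a urlencoded form and keep only allowlisted, length-bounded fields.

    Anything unexpected (unknown field, repeated field, oversized value,
    control characters, missing field) is rejected before it reaches the LAN.
    """
    if len(raw_body) > MAX_BODY:
        raise RelayError("body too large")
    fields = parse_qs(raw_body.decode("utf-8"), keep_blank_values=True)
    cleaned = {}
    for name, values in fields.items():
        if name not in ALLOWED_FIELDS:
            raise RelayError(f"unexpected field: {name}")
        if len(values) != 1:
            raise RelayError(f"repeated field: {name}")
        value = values[0]
        if len(value) > ALLOWED_FIELDS[name]:
            raise RelayError(f"field too long: {name}")
        if any(ord(c) < 32 for c in value):
            raise RelayError(f"control characters in: {name}")
        cleaned[name] = value
    missing = set(ALLOWED_FIELDS) - set(cleaned)
    if missing:
        raise RelayError(f"missing fields: {sorted(missing)}")
    return cleaned


def forward_to_internal(cleaned: dict) -> bytes:
    """Send the cleaned form to the LAN-only database server; return its reply."""
    req = Request(INTERNAL_URL, data=urlencode(cleaned).encode("utf-8"), method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urlopen(req, timeout=10) as resp:
        return resp.read()


def relay(raw_body: bytes, forward=forward_to_internal):
    """Validate then forward. Returns (status, body) to send to the public client.

    `forward` is injectable so the validation path can be exercised without
    a real internal server.
    """
    try:
        cleaned = clean_form(raw_body)
    except (RelayError, UnicodeDecodeError) as exc:
        return 400, f"rejected: {exc}".encode("utf-8")
    return 200, forward(cleaned)


class RelayHandler(BaseHTTPRequestHandler):
    """Accepts POST on RELAY_PATH only; everything else is refused."""

    def do_POST(self):
        if self.path != RELAY_PATH:
            self.send_error(404)
            return
        length = int(self.headers.get("Content-Length", "0"))
        # Read at most one byte past the limit so clean_form can reject oversize bodies.
        status, body = relay(self.rfile.read(min(length, MAX_BODY + 1)))
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        self.send_error(405)


if __name__ == "__main__":
    # Bind on the webserver; the database host opens no port to the internet.
    HTTPServer(("0.0.0.0", 8080), RelayHandler).serve_forever()
```

The point of the allowlist is that the database program now only ever sees the exact fields the relay was told about, so the robustness of that program no longer has to be trusted the way the post asks about for an SSH server. Oversized, malformed or unexpected submissions are dropped at the webserver with a 400 and never cross the firewall.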