[kwlug-disc] firewall question

Insurance Squared Inc. gcooke at insurancesquared.com
Tue Feb 17 14:40:46 EST 2009


Thanks all. 

I probably confused everyone when I said database server.  My webserver 
resides in Toronto in a colo facility :).  The 'database' server isn't a 
database server.  It's just a linux machine sitting in my office here in 
New Hamburg running apache/mysql, which includes that CRM program we 
talked about a few months ago.  The webservers in Toronto posts to a php 
program running on a computer in the closet here in new hamburg.  The 
local php program here then sticks it into mysql.  Then everyone 
internally here accesses that database just by surfing to the IP of the 
internal machine, i.e. 198.0.168.18.  But with that setup, external 
baddies can see my database as well just by typing in my external IP. 

I think Cedric indicated that the WRT54G router will handle this.  
That's the one that I've got...so I just need to do some reading on how 
to do it.  Using the router/firewall seems the best way to me. 

g.




unsolicited wrote:
> Insurance Squared Inc. wrote, On 02/16/2009 7:34 PM:
>> I've got a database inhouse here running on a linux server...our 
>> client DB. Normally I'd just disallow port 80 at the router and call 
>> it done for security :).  However, the database takes input from my 
>> website.  HTML forms are routinely POSTED to a specific program on 
>> the inhouse server.  So I've got port 80 pointed at the server.  That 
>> works fine, but now my DB server is exposed to the world.
> .
> .
> .
>
> Hi Glenn.
>
> I'm not quite clear on your setup - a flow / diagram might help. I've 
> seen a couple of good responses, but neither seem to be the simple 
> answer you would like to have. It sounds like you're headed for a DMZ, 
> but your message doesn't read like you're looking for even that much 
> work.
>
> It seems to me that what would be nice, since you have a webserver 
> with all the security fiddly bits already in place, is to have your 
> clients post to your webserver instead of directly to the database 
> server, and have the webserver 'relay' the posts to the database 
> server (and back). The database server would accept no internet 
> connections (no ports open on the firewall).
>
> The nice thing about things like an ssh server is that you know ssh 
> will just drop anything it's not happy with. If you're convinced the 
> database server is equally robust, only spending time on legitimate 
> data, you may be ok with the port open.
>
> Not to take anything away from the other 'really good things' in the 
> other posts, but this may integrate well with what you already have. 
> Whether it's 'sufficient' security or not, only you, and time, can tell.
>
> As John once said, there are best practices, and then there are what 
> people usually do. Until they get burned.
>
> Do make sure you take regular backups of the data. (-:
>
> _______________________________________________
> kwlug-disc_kwlug.org mailing list
> kwlug-disc_kwlug.org at kwlug.org
> http://astoria.ccjclearline.com/mailman/listinfo/kwlug-disc_kwlug.org
>




More information about the kwlug-disc_kwlug.org mailing list