[kwlug-disc] firewall question

[Rashkae]

Insurance Squared Inc. wrote:
> I've got a database inhouse here running on a linux server...our client
> DB. Normally I'd just disallow port 80 at the router and call it done
> for security :).  However, the database takes input from my website. 
> HTML forms are routinely POSTED to a specific program on the inhouse
> server.  So I've got port 80 pointed at the server.  That works fine,
> but now my DB server is exposed to the world.
> 
> If it was a webserver, I wouldn't worry about it. But if it was a web
> server, I wouldn't be running client data on it.
> 
> What's my best/easiest security solution?  Basically I need one way in
> for my webserver to POST records to the DB.  No external http: access
> (other than internal to my network) necessary.
> 
> I'm thinking along the lines of:
> - can I set my router to direct incoming POSTS to the server, but not
> allow anything out?  This is just a standard home QOS router.
> - Do I just use an htaccess file to only allow in/out access from
> internal IP's, and only incoming from external IP's?
> -  worst case, do I delve into IPtables?
> 
> The first one is the one I like, but I don't think it's possible.  The
> second is easy for me to implement, but makes me more nervous.  The
> third is possibly more secure than the second one but for me, much more
> complex to implement.
> 
> Thoughts?
> 



Use SSH to forward a port of your choice from the webserver to the DB
server.  In this case, you would want to the tunnel to bootstrap itself,
so you would use a private key that is not passphrase protected, keeping
in mind that keeping that file from being accessed by unwanted
individuals is paramount.

The security theater lovers will be compelled to point out that this
scheme defeats the purpose because anyone who gains access to the
webserver will also possibly have access to the DB when they figure out
the ssh key use.  I generally don't spin myself in circles over every 5
ouce liquid theory of security.