users
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [cinjug-users] Public 2-Tier Website Security

from [Edward Sumerfield] [Permanent Link][Original]
To: users@xxxxxxxxxx
Subject: Re: [cinjug-users] Public 2-Tier Website Security
From: "Edward Sumerfield" <esumerfd@xxxxxxxxx>
Date: Tue, 12 Sep 2006 12:04:44 -0400
Delivered-to: mailing list users@cinjug.org
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=P7zgfRnIUF3QtDDYcHvxgT2/AfzKa6c0whSPUwuNXapLH81wgZTWF0ye+JsK83BsP2huiYJeZYyOUo5M2WZRaVPdUN1rRbOBxwxV31vuwNiEOXiBLoOY7+Owx9LbnuuoE5TbJxE17KUe6/qcbjFtIkGYEDOfs/Zno6qT4NLWXZw=
In-reply-to: <18405.216.68.77.2.1157567351.squirrel@www.feudalkingdoms.tzo.org>
Mailing-list: contact users-help@cinjug.org; run by ezmlm
References: <18405.216.68.77.2.1157567351.squirrel@www.feudalkingdoms.tzo.org>
Reply-to: esumerfd@xxxxxxxxxxxxxx 
Not many answers on this one so let me try. Perhaps a security focused
group might be a better target, we are just software junkies, the less
security there is the easier it is to write the code.

Anyway, with my security hat on for a second.

If by "internal network" you mean inside your intranet you have your
database located in a place here 70% of hack attempts come from. I
would strongly recommend against this.

Alternatively, if you mean DMZ 2 then that is a fine place to put the database.

At the end of the day the most vulnerable point in your infrastructure
is your software. Chances are the network is pretty safe even behind
one firewall. Attacks arrive on prebuilt connections, the second
firewall only services to slow down the attacker that has already
compromised the web server.

I use, outside firewall with port 80 to DMZ1 which has load balancer,
web and app server on a cluster, then firewall DMZ2 with database and
another firewall to the internat to block internal access.

  bad people | DMZ 1 | DMZ 2 | more bad people.

Security hat says that everyone is bad until proven otherwise and then
they are still likely to become bad at any moment. Do you block access
to your production system from your administrators?

Ed the "usually good" software guy.

On 9/6/06, Sam Corder <samus@xxxxxxxxxxxxxxxxxxxxxx> wrote: 
At the company I work at for public sites our current model is to use 3
tiers.  The web server sits in the DMZ and app and db servers sit in the
internal network with holes punched through the firewall for the web and
app servers to communicate.  This has worked well enough but with all the
recent trends of consolidating the web and app servers back into one tier
using pojos and the like, we've started to rethink our architecture.  The
major concern so far is about security.  Particularly we're worried about
removing that extra hop to the database.  We've thought about bringing the
web server back into the internal network and using reverse proxies and we
have also thought about keeping it out there but allowing straight web to
database access.  I'd like to hear what other people are doing.  I'm
especially interested in hearing from the guys who have financial records
to protect.

-Sam Corder

[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  The Premier Ajax Conference, The Ajax Experience returns to Boston on October 23-25th (Early Bird Discount available thru Monday, September 25th), Jay Zimmerman
Next by Date:  Mailing List tool, Scott Hofmann
Previous by Thread:  Public 2-Tier Website Security, Sam Corder
Next by Thread:  Hey DenmanLeilanioxqndb@xxxxxxxxxxxx, u got sags under your eyes?, Users
Indexes:  [Date] [Thread] [Top] [All Lists]