VESARiA Network Security Specialists
About Vesaria Services Consulting Partners Research Customers Contact Us

Firewall Testing



5.11 How do I make my web server act as a front-end for a database that lives on my private network?

  The best way to do this is to allow very limited connectivity between your web server and your database server via a specific protocol that only supports the level of functionality you're going to use. Allowing raw SQL, or anything else where custom extractions could be performed by an attacker isn't generally a good idea.

Assume that an attacker is going to be able to break into your web server, and make queries in the same way that the web server can. Is there a mechanism for extracting sensitive information that the web server doesn't need, like credit card information? Can an attacker issue an SQL select and extract your entire proprietary database?

``E-commerce'' applications, like everything else, are best designed with security in mind from the ground up, instead of having security ``added'' as an afterthought. Review your architecture critically, from the perspective of an attacker. Assume that the attacker knows everything about your architecture. Now ask yourself what needs to be done to steal your data, to make unauthorized changes, or to do anything else that you don't want done. You might find that you can significantly increase security without decreasing functionality by making a few design and implementation decisions.

Some ideas for how to handle this:

  • Extract the data you need from the database on a regular basis so you're not making queries against the full database, complete with information that attackers will find interesting.
  • Greatly restrict and audit what you do allow between the web server and database.
Vesaria, LLC

Firewall FAQ
Table of Contents

Previous Section: How do I make RealAudio work through my firewall?

Next Section: But my database has an integrated web server, and I want to use that. Can't I just poke a hole in the firewall and tunnel that port?

Find out more about VESARiA Firewall Testing.

© 2000 - 2018 Vesaria Network Security Specialists        
   About Vesaria   |   Legal   |   Privacy   |   Contact