[ale] Web Server -> DB question

Bob's ALE Mail transam at cavu.com
Fri Nov 17 11:20:15 EST 2000


> I have a client who wishes to set up a web server on one machine with
> dual NICs (one outside, one inside) and place a database server on
> another machine that lives on the internal network.

> Now, keep in mind that this client has no existing firewall set up.
> Everything they do is either entirely outside or entirely inside and
> never the twain shall meet.  I guess they're sorta thinking of a baby
> DMZ here, but I'd like your thoughts on how to implement this setup in
> the most secure manner possible.

It sounds like the reason for not connecting their internal network to
the Internet is for high security.  Bridging that gap reduces security.

> The goals here are to a)secure the data b) securely transmit data
> between the outside web server and the inside or DMZ db server

There is no absolute security, only risk levels.

> I'm of the opinion that they'd be better off purchasing a dedicated
> firewall (or setting one up on an old linux box) and placing it between
> the two machines, instead of using IPCHAINS on the apache box.

Firewalls are not magic cures for security problems.  Good crackers can
tunnel through many or do end runs around many others.  A thorough
understanding of the security issues is needed for good security.

Don't waste the client's money on a dedicated "name brand" firewall.  Linux
and IP CHAINS on any old 486 or better hardware can do almost everything
the expensive proprietary boxes can do and you'll probably not miss
the rest.

For the novice, having a separate box might be slightly easier and safer.

> Any suggestions?  Thanks in advance

Don't jump into this until you educate yourself more on security and
firewalls.  Read some good books on security and firewalls.  Besides my own,
Ziegler's "Linux Firewalls" and Sonnenreich & Yates' "Building Linux
and OpenBSD Firewalls" are highly regarded.  There is _far_ more to
security than just throwing a few IP Chains rules at it.

Have minimal services on the firewall box and don't allow telnet or other
protocols that allow clear text passwords.

If you don't track security bugs, someone will simply make himself root on
your firewall box, undo the IP Chains rules and then take over your network.

> Jenn

Bob Toxen
bob at cavu.com
transam at cavu.com                       [Bob's ALE Bulk email]
http://www.cavu.com
http://www.realworldlinuxsecurity.com/ [My new book: Real World Linux Security]
http://www.cavu.com/sunset.html        [Sunset Computer]
Fly-By-Day Consulting, Inc.      "Don't go with a fly-by-night outfit!"
Quality Linux & UNIX security and software consulting since 1990.
--
To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message body.
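The setup the thread discusses, written out as an ipchains ruleset for the dual-NIC Apache box: this is an added example, not code from the original post or from Bob Toxen. The interface names, addresses, the DB port (3306, i.e. MySQL) and the single internal admin host allowed to ssh in are all assumptions chosen for illustration; the page names none of them. The point it makes concrete is Bob's "bridging that gap reduces security": the web box is deliberately not a router (forwarding off, forward chain DENY), so the only path from outside to inside is Apache itself talking to one port on the DB server, and nothing on the inside may open a connection to the web box except ssh from the admin host. Telnet and every other clear-text protocol are simply never ACCEPTed.

```shell
#!/bin/sh
# Added example (not from the original post): an ipchains ruleset for a
# dual-NIC web server with the database on the internal LAN.  Addresses,
# interface names, DB port and admin host are placeholders (assumptions).
#
# Policy: the web box is NOT a router.  Kernel forwarding is off and the
# forward chain denies everything, so the only outside-to-inside path is
# Apache talking to the DB port, nothing else.

EXT_IF=eth0            # NIC facing the Internet            (assumption)
INT_IF=eth1            # NIC facing the internal LAN        (assumption)
EXT_IP=203.0.113.10    # web server's public address        (TEST-NET placeholder)
INT_IP=192.168.1.2     # web server's internal address      (assumption)
INT_NET=192.168.1.0/24 # internal network                   (assumption)
DB_IP=192.168.1.10     # database server                    (assumption)
DB_PORT=3306           # MySQL; 5432 for PostgreSQL         (assumption)
ADMIN_IP=192.168.1.50  # the one internal host allowed ssh  (assumption)

# $IPCHAINS and $IP_FORWARD_FILE are resolved at call time so the script
# can be dry-run (IPCHAINS=echo) and tested without root.
ipc() { "${IPCHAINS:-ipchains}" "$@"; }

disable_forwarding() {
    # Even with the forward chain set to DENY, turn kernel routing off too.
    echo 0 > "${IP_FORWARD_FILE:-/proc/sys/net/ipv4/ip_forward}"
}

apply_firewall() {
    ipc -F                           # flush existing rules
    ipc -P input DENY                # default deny on all three chains
    ipc -P output DENY
    ipc -P forward DENY

    ipc -A input  -i lo -j ACCEPT    # loopback
    ipc -A output -i lo -j ACCEPT

    # Anti-spoofing: internal addresses never arrive on the outside NIC,
    # and nothing claiming to be this box arrives on either NIC.  Log them.
    ipc -A input -i "$EXT_IF" -s "$INT_NET" -j DENY -l
    ipc -A input -i "$EXT_IF" -s "$EXT_IP"  -j DENY -l
    ipc -A input -i "$INT_IF" -s "$INT_IP"  -j DENY -l

    # Outside: only HTTP/HTTPS to the web server.  Replies go out with
    # "! -y" (no SYN), so this box never opens a connection to the Internet.
    for p in 80 443; do
        ipc -A input  -i "$EXT_IF" -p tcp -s 0/0 -d "$EXT_IP" "$p" -j ACCEPT
        ipc -A output -i "$EXT_IF" -p tcp ! -y -s "$EXT_IP" "$p" -d 0/0 -j ACCEPT
    done

    # Inside: the web server may open connections to the DB port only; the
    # DB host may only answer (no SYN accepted from it, so a compromised DB
    # host cannot reach back into the web box).
    ipc -A output -i "$INT_IF" -p tcp -s "$INT_IP" -d "$DB_IP" "$DB_PORT" -j ACCEPT
    ipc -A input  -i "$INT_IF" -p tcp ! -y -s "$DB_IP" "$DB_PORT" -d "$INT_IP" -j ACCEPT

    # Administration: ssh from one internal host.  Never telnet, never from outside.
    ipc -A input  -i "$INT_IF" -p tcp -s "$ADMIN_IP" -d "$INT_IP" 22 -j ACCEPT
    ipc -A output -i "$INT_IF" -p tcp ! -y -s "$INT_IP" 22 -d "$ADMIN_IP" -j ACCEPT

    # Log whatever falls through before the default policy denies it; this
    # is what you watch to see who is probing the box.
    ipc -A input   -j DENY -l
    ipc -A output  -j DENY -l
    ipc -A forward -j DENY -l
}

# Run as root:  sh dmz-rules.sh apply
# Dry run:      IPCHAINS=echo IP_FORWARD_FILE=/dev/null sh dmz-rules.sh apply
if [ "${1:-}" = apply ]; then
    disable_forwarding
    apply_firewall
fi
```

Two things to check after loading it: `cat /proc/sys/net/ipv4/ip_forward` must print 0, and `ipchains -L -n` must show ACCEPT on the outside interface for ports 80 and 443 only. Note that this ruleset gives the web box no outbound Internet access of its own (no DNS, no package fetches), which is intended: patch it from the inside via the admin host, and keep the box itself as minimal as the firewall Bob describes.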