-
May 6th, 2006, 11:26 AM
#11
OK
As this application will be directly accessing the database server, yes, there will be data coming in and out of the server, and similarly at the user end too.
Which server is this? What I was suggesting was that your company database and applications be isolated from this server that deals with the outside world. Only allow connection through controlled interfaces. Whether you use batch updates, trickle feed and the timing of activities is a detail further down the road.
The "public" server should be protected in the normal way for such devices. I would make damn sure that no customer or confidential data were stored on it. If you need to validate, then make sure that it has to use an internal program and go to a separate server.
-
May 6th, 2006, 03:43 PM
#12
Hi
Interesting problem, and I would like to help.
However, I need some clarification. Fanacool,
you said:
There is a flaw in the development of this application by the software
team: they should have developed it as a web-based tool rather
than a desktop application, but somehow they have managed to go through
with it, and now it's up to us network-side people to manage it.
I understand that due to people lacking the time to read
the specifications carefully (as usual, actually), a
desktop application has been developed rather than some
"web-based" tool. In both cases, as I see it,
you (the network people) will face the same situation:
data is coming from an untrusted source to some listening
service. Whether this data is sent by a desktop application
or by a form in the web browser, is irrelevant. Or did I
misunderstand something?
As this application will be directly accessing the database server
(...)
But still I am a little worried about the threat to that server, as
it will be open to everyone and will not be on a private network.
And you should be worried. As nihil pointed out, separate the publicly
listening server (let's call it web-server) from the database server
(I have in mind a situation as described in the addict forum[1]).
The desktop application should for example contact a web-service running
on the web-server, which itself is allowed to use stored procedures
of the database server (and only the locked-down "web-service"-user is
allowed to do so). Of course, there is only one allowed communication
channel from the web-server to the database-server (hardware firewall):
to port 1521 (or whatever) of the database-server.
The architecture is not very costly, but allows for reasonable
protection - at least I think so. Reasonable protection compared
to having the database server public.
I would not implement a VPN solution for this itself, unless
you see a future need to do so... look for arguments and present
them to management.
I understand that the offices, corporate clients may not have
static IP's, hence configuring some hardware firewall in such
a way is not feasible. Then, furthermore, corporate clients
change from time to time - each time, the firewall would have
to be updated, which generates steady costs and a degree of
uncertainty.
Furthermore, how do you ensure that your clients are contacting
the correct server?
What is your budget anyway? Maybe some company, like Oracle, has an
applicable B2B solution ready (we have not discussed the functionality
of this application)?
Cheers
[1] http://www.antionline.com/showthread...hreadid=273636
If the only tool you have is a hammer, you tend to see every problem as a nail.
(Abraham Maslow, Psychologist, 1908-70)
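The web-tier/database-tier split that nihil and the reply above describe, as an added example that is not from the thread: a host firewall ruleset for the database server, in iptables-restore format, that admits new connections only on the listener port and only from the web server's address, plus a check to run before loading it. The addresses, the admin network allowed to SSH in and the choice of iptables are assumptions; the posts only specify "port 1521 (or whatever)" and a single allowed channel from the web server.

```shell
#!/bin/sh
# Added example, not from the thread: iptables-restore ruleset for the
# database server in the two-tier design. The only path in from the
# network is TCP/1521 from the web server's address; everything else
# is refused. Addresses below are assumptions chosen for illustration.

WEB_SERVER=${WEB_SERVER:-10.0.1.10}    # assumed web-server address (internal side)
ADMIN_NET=${ADMIN_NET:-10.0.0.0/24}    # assumed admin network allowed to SSH in
DB_PORT=${DB_PORT:-1521}               # Oracle listener; "or whatever" per the post

# Emit the ruleset on stdout. Default policy for INPUT is DROP, so
# anything not matched by an ACCEPT line never reaches a service.
db_server_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s ${WEB_SERVER}/32 -p tcp --dport ${DB_PORT} -m state --state NEW -j ACCEPT
-A INPUT -s ${ADMIN_NET} -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j DROP
COMMIT
EOF
}

# Sanity check before loading: exactly one rule opens the database port,
# it is bound to the web server's address rather than 0.0.0.0/0, and the
# default INPUT policy really is DROP. Returns 0 when all three hold.
check_db_ruleset() {
    rules=$(db_server_ruleset)
    n=$(printf '%s\n' "$rules" | grep -c -- "--dport ${DB_PORT} ")
    [ "$n" -eq 1 ] || return 1
    printf '%s\n' "$rules" | grep -q -- "-s ${WEB_SERVER}/32 -p tcp --dport ${DB_PORT} " || return 1
    printf '%s\n' "$rules" | grep -q '^:INPUT DROP' || return 1
    return 0
}

# Apply on the database server (as root) with:
#   check_db_ruleset && db_server_ruleset | iptables-restore
```

The stored-procedure-only database account the reply mentions is the other half of this design: the ruleset limits who can reach the listener, and the locked-down account limits what a compromised web server can do once it gets there.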
-
May 8th, 2006, 07:38 AM
#13
About the discussion of whether the application has to be web-based rather than a desktop application, it is simple: now whenever any amendment is made to the application, it has to be sent to or deployed on all the clients manually, which is time-consuming.
Well, so far I am myself not satisfied about that firewall they are asking us to put in between the server and the outside world. As per upper management, we would have a static IP for the server, which will be behind a firewall, and clients, including both our corporates and local offices, will be connecting to this server via any media available to them (dial-up, DSL, etc.).
The application securely connects to the database, checks the credentials and then lets the user perform their tasks (queries, updates, etc.).
Now, when we put a firewall in between the server and the outside world, this could slow down the connection to a certain level, so don't you think the dial-up users may feel a problem with connection slowness?
The only thing boggling my mind at the moment is that firewall: what role will it be playing here, given that most of the users will be using dynamic IPs? Then how will this firewall be working and eliminating the threats?
One machine can do the work of fifty ordinary men. No machine can do the work of one extraordinary man!
-
May 8th, 2006, 08:33 AM
#14
Hi
FanacooL, would it be costly to port the application to .NET?
Using the ClickOnce technology[1], the deployment is very easy: the
clients only have to access a certain page to install the application,
which updates itself automatically afterwards. You even can sign your
application, making it harder for malicious people to ...
Now, when we put a firewall in between the server and the outside world, this could slow
down the connection to a certain level, so don't you think the dial-up
users may feel a problem with connection slowness?
I actually do not think so - the bottleneck here seems not to be the
capacity of the firewall, but the bandwidth of the connection. How many
clients will be connecting concurrently?
The only thing boggling my mind at the moment is that firewall: what role
will it be playing here, given that most of the users will be using dynamic IPs?
Then how will this firewall be working and eliminating the threats?
The firewall will be between your server and the internet. A server usually
is not locked down such that only the one particular service is listening
on some port. There are other services listening, effectively increasing the
attack surface of the server.
If you have some compartmented mechanism in your OS (not discussed yet),
I would not be extremely worried. But I guess this is not an issue here,
hence some firewall is useful.
Cheers
[1] http://msdn.microsoft.com/netframewo...res/clickonce/
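The attack-surface point in the reply above, as an added example that is not from the thread: a POSIX shell audit that reads netstat -ltn style output and reports every socket listening on a non-loopback address whose port is not on a short allowlist, which is the list a firewall in front of the server would otherwise have to enforce. The sample output is constructed for this example; the ports it shows are assumptions, not anything the thread reports about FanacooL's server.

```shell
#!/bin/sh
# Added example, not from the thread: audit a server's listening TCP
# sockets against the few ports it is supposed to expose. The sample
# below is constructed to look like `netstat -ltn` on a public-facing
# server that quietly runs more than its one web service.

# Constructed sample; on a real host pipe in:  netstat -ltn   (or: ss -ltn)
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN'

# unexpected_listeners "PORT PORT ..."  < netstat-output
# Prints "port proto address" for every socket bound to a non-loopback
# address whose port is not in the space-separated allowlist. Sockets
# bound only to 127.0.0.1 or ::1 are skipped: they are not reachable
# from the outside, so they do not add to the exposed surface.
unexpected_listeners() {
    allowed=" $1 "
    awk -v allowed="$allowed" '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            n = split($4, a, ":"); port = a[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr ~ /^127\./ || addr == "::1") next
            if (index(allowed, " " port " ") == 0) print port, $1, addr
        }'
}

# Returns 0 when only the allowed ports listen on public addresses,
# 1 when anything else is exposed. Uses the constructed sample above.
audit_listeners() {
    found=$(printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners "$1")
    [ -z "$found" ]
}

# Typical use on a real host:
#   netstat -ltn | unexpected_listeners "80 443 22"
```

On the constructed sample, allowing 80, 443 and 22 leaves two surprises, portmapper on 111 and a database listener on 3306, which is exactly the kind of extra service the reply warns about; the SMTP listener on 127.0.0.1:25 is deliberately not reported.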
-
May 8th, 2006, 08:40 AM
#15
What does "compartmented mechanism in the OS" mean?
-
May 8th, 2006, 08:46 AM
#16
The number of clients connecting concurrently would be a hundred.
-
May 8th, 2006, 09:25 AM
#17
Hi
What does "compartmented mechanism in the OS" mean?
In a nutshell: A compartment is a container that does not
allow for modification or observation from "outside". This
may be solved by hardware- or software-components
(like SELinux).
Marchesini is a guy who wrote quite some nice papers about it.
Have a look at this one[1], if you want to dive in
more deeply (yes, TCPA is mentioned in the title).
Cheers
[1] www.cs.dartmouth.edu/~sws/papers/acsac04.pdf, in particular section 3.3, software compartments
-
May 8th, 2006, 02:11 PM
#18
Here's a modified form of the network... although it's not as safe as the VPN one. Comments or suggestions about this one? Any recommendation about firewall and router models? My budget for both router and firewall would be 1500-1750 pounds.