
Thread: Running SQL on Real IP

  1. #11
    Senior Member nihil
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    OK

    As this application will be directly accessing the database server and yes there will be data coming in and out from the server and similarly at the user end too.
    Which server is this? What I was suggesting was that your company database and applications be isolated from this server that deals with the outside world. Only allow connections through controlled interfaces. Whether you use batch updates or trickle feed, and the timing of activities, is a detail further down the road.

    The "public" server should be protected in the normal way for such devices. I would make damn sure that no customer or confidential data were stored on it. If you need to validate then make sure that it has to use an internal program and go to a separate server.


  2. #12
    Senior Member
    Join Date
    Mar 2004
    Posts
    557
    Hi

    Interesting problem, and I would like to help.
    However, I need some clarification. Fanacool,
    you said:

    There is a flaw in the development of this application by the software
    team: they should have developed it as a web-based tool rather
    than a desktop application, but somehow they have managed to go through
    with it and now it's up to us network-side people to manage it.

    I understand that due to people lacking the time to read
    the specifications carefully (as usual, actually), a
    desktop application has been developed rather than some
    "web-based" tool. In both cases, as I see it,
    you (the network people) will face the same situation:
    data is coming from an untrusted source to some listening
    service. Whether this data is sent by a desktop application
    or by a form in the web browser, is irrelevant. Or did I
    misunderstand something?


    As this application will be directly accessing the database server
    (...)
    But still I am a little worried about the threat to that server as
    it will be open for everyone and will not be on a private network....
    And you should be worried. As nihil pointed out, separate the publicly
    listening server (let's call it web-server) from the database server
    (I have in mind a situation as described in the addict forum[1]).

    The desktop application should for example contact a web-service running
    on the web-server, which itself is allowed to use stored procedures
    of the database server (and only the locked-down "web-service"-user is
    allowed to do so). Of course, there is only one allowed communication
    channel from the web-server to the database-server (hardware firewall):
    to port 1521 (or whatever) of the database-server.

    The architecture is not very costly, but allows for reasonable
    protection - at least I think so. Reasonable protection compared
    to having the database server public.


    I would not implement a VPN solution for this itself, unless
    you see a future need to do so... look for arguments and present
    them to the management.

    I understand that the offices, corporate clients may not have
    static IP's, hence configuring some hardware firewall in such
    a way is not feasible. Then, furthermore, corporate clients
    change from time to time - each time, the firewall would have
    to be updated, which generates steady costs and a degree of
    uncertainty.

    Furthermore, how do you ensure that your clients are contacting
    the correct server?

    What is your budget anyway? Maybe some company, like Oracle, has an
    applicable B2B solution ready (we have not discussed the functionality
    of this application)?


    Cheers


    [1] http://www.antionline.com/showthread...hreadid=273636
    If the only tool you have is a hammer, you tend to see every problem as a nail.
    (Abraham Maslow, Psychologist, 1908-70)
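The locked-down "web-service" user described in the post above, as an added example that is not code from this thread or from any of its posters. Oracle SQL is assumed because port 1521 is mentioned; the names app_owner, websvc, customer_balance and get_balance, the passwords and the session limit are all made up for the illustration.

```sql
-- Owner schema holds the data; it is the only account with table privileges.
CREATE USER app_owner IDENTIFIED BY "CHANGE_ME_owner"
  DEFAULT TABLESPACE users QUOTA 50M ON users;
GRANT CREATE SESSION, CREATE TABLE, CREATE PROCEDURE TO app_owner;

-- Hypothetical table, constructed for this example.
CREATE TABLE app_owner.customer_balance (
  customer_id NUMBER       PRIMARY KEY,
  balance     NUMBER(12,2) NOT NULL
);

-- Definer's-rights procedure: it runs with app_owner's privileges, so the
-- caller needs no access to the table. The parameter is bound, never
-- concatenated into SQL text, so the caller cannot alter the statement.
CREATE OR REPLACE PROCEDURE app_owner.get_balance (
  p_customer_id IN  NUMBER,
  p_balance     OUT NUMBER
) AUTHID DEFINER AS
BEGIN
  SELECT balance INTO p_balance
    FROM app_owner.customer_balance
   WHERE customer_id = p_customer_id;
END;
/

-- Profile for the web-service account: the thread mentions about a hundred
-- concurrent clients, so cap sessions a little above that and lock the
-- account after repeated bad logins. RESOURCE_LIMIT must be TRUE for the
-- session cap to be enforced.
ALTER SYSTEM SET RESOURCE_LIMIT = TRUE;
CREATE PROFILE websvc_profile LIMIT
  SESSIONS_PER_USER     150
  FAILED_LOGIN_ATTEMPTS 5;

-- The account the web-service connects as: it can log in and call the
-- procedure, nothing else. QUOTA 0 means it cannot create objects either.
CREATE USER websvc IDENTIFIED BY "CHANGE_ME_websvc"
  DEFAULT TABLESPACE users QUOTA 0 ON users
  PROFILE websvc_profile;
GRANT CREATE SESSION TO websvc;
GRANT EXECUTE ON app_owner.get_balance TO websvc;
-- Deliberately absent: any GRANT SELECT/INSERT/UPDATE/DELETE on the table.

-- Check, connected as websvc:
-- 1. direct table access is refused (Oracle raises ORA-00942 for a table
--    the user has no privilege on):
--    SELECT balance FROM app_owner.customer_balance WHERE customer_id = 42;
-- 2. the procedure call works:
--    DECLARE v NUMBER; BEGIN app_owner.get_balance(42, v); END;
```

Only the web-server's address should be able to reach port 1521 at all (the firewall rule from the post); the grants above limit what that one connection can do once it is there.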

  3. #13
    Did someone said Pizza :) FanacooL
    Join Date
    Oct 2004
    Location
    Karachi , Pakistan
    Posts
    466
    About the discussion that the application has to be web-based rather than desktop, it is simple: now whenever any amendment is made to the application it has to be sent to or deployed on all the clients manually, which is time consuming.

    Well, so far I am myself not satisfied about that firewall they are asking us to put in between the server and the outside world. As per the upper management, we would have a static IP for the server, which will be behind a firewall, and clients, including both our corporates and the local office, will be connecting to this server via any media available to them (dial-up, DSL, etc.).

    The application is securely connecting to the database, checks the credentials and then lets the user perform their tasks (queries, updates, etc.).

    Now when we put a firewall in between the server, this could slow down the connection to a certain level, so don't you think the dial-up users may be feeling problems with connection slowness?

    The only thing at the moment boggling my mind is that firewall: what role will it be playing here, although most of the users will be using dynamic IPs? Then how will this firewall be working and eliminating the threats?
    One machine can do the work of fifty ordinary men. No machine can do the work of one extraordinary man!

  4. #14
    Senior Member
    Join Date
    Mar 2004
    Posts
    557
    Hi

    FanacooL, would it be costly to port the application to .NET?
    Using the ClickOnce-Technology[1], the deployment is very easy: the
    clients only have to access a certain page to install the application,
    which updates itself automatically afterwards. You even can sign your
    application, making it harder for malicious people to ...

    Now when we put a firewall in between the server, this could slow
    down the connection to a certain level, so don't you think the dial-up
    users may be feeling problems with connection slowness?
    I actually do not think so - the bottleneck here seems not to be the
    capacity of the firewall, but the bandwidth of the connection. How many
    clients will be connecting concurrently?


    The only thing at the moment boggling my mind is that firewall: what role
    will it be playing here, although most of the users will be using dynamic IPs?
    Then how will this firewall be working and eliminating the threats?
    The firewall will be between your server and the internet. A server usually
    is not locked down such that only the one particular service is listening
    on some port. There are other services listening, effectively increasing the
    attack surface of the server.

    If you have some compartmented mechanism in your OS (not discussed yet),
    I would not be extremely worried. But I guess this is not an issue here,
    hence some firewall is useful.

    Cheers


    [1] http://msdn.microsoft.com/netframewo...res/clickonce/
    If the only tool you have is a hammer, you tend to see every problem as a nail.
    (Abraham Maslow, Psychologist, 1908-70)

  5. #15
    Did someone said Pizza :) FanacooL
    Join Date
    Oct 2004
    Location
    Karachi , Pakistan
    Posts
    466
    What does compartmented mechanism in OS mean?
    One machine can do the work of fifty ordinary men. No machine can do the work of one extraordinary man!

  6. #16
    Did someone said Pizza :) FanacooL
    Join Date
    Oct 2004
    Location
    Karachi , Pakistan
    Posts
    466
    Number of clients connecting concurrently would be a hundred......
    One machine can do the work of fifty ordinary men. No machine can do the work of one extraordinary man!

  7. #17
    Senior Member
    Join Date
    Mar 2004
    Posts
    557
    Hi

    What does compartmented mechanism in OS mean?
    In a nutshell: A compartment is a container that does not
    allow for modification or observation from "outside". This
    may be solved by hardware- or software-components
    (like SELinux).

    Marchesini is a guy who wrote quite some nice papers about it.
    Have a look at this one[1], if you want to dive in
    more deeply (yes, TCPA is mentioned in the title).


    Cheers

    [1] www.cs.dartmouth.edu/~sws/papers/acsac04.pdf, in particular section 3.3, software compartments
    If the only tool you have is a hammer, you tend to see every problem as a nail.
    (Abraham Maslow, Psychologist, 1908-70)

  8. #18
    Did someone said Pizza :) FanacooL
    Join Date
    Oct 2004
    Location
    Karachi , Pakistan
    Posts
    466
    Here's the modified form of the network..... although it's not as safe as the VPN one.... comments or suggestions about this one....... Any recommendation about firewall and router models? ...... My budget for both router and firewall would be 1500-1750 pounds....
    One machine can do the work of fifty ordinary men. No machine can do the work of one extraordinary man!
