1998-05-06-16:07:35 Ikoedem Moses:

> I want to pass ODBC traffic from a webserver in the DMZ to a database
> server in the internal network. What is the right way to do it and what
> ports does it use?

First answer would be easy: _don't_ do it.

ODBC is an immature protocol; security isn't implemented by any vendor I know of. They don't have strong authentication, nor encryption. The protocol being passed is open-ended. Don't let it through your firewall.

Replicate such data as the web presence needs out onto a server in the DMZ, perhaps reachable only by the web server. Don't let that traffic in.

If for some reason that just can't be done, then your next best bet would be to write yourself a custom application-level proxy: write an ODBC client/server to run on the firewall, write it bulletproof (as if you could find bulletproof ODBC development libraries...) and riddle it with serious sanity checking of the traffic stream.

And if _that_ can't be done, and you absolutely have to let the traffic through, get your objections acknowledged in writing --- you want it documented in black and white that someone else is to blame when this hole is torn open. Then hang a sniffer on the wire while doing a typical dialogue, and see what packets are required.

I tried to set up packet filtering rules to allow something that claimed to be ODBC traffic between java applets, downloaded to client web servers, and the web server. Turns out I had to open a rendezvous port, plus a whole range of high port numbers. A couple of months later I was sure glad I'd completely removed portmapper from that box, when it was revealed that portmapper was secretly listening to some high-numbered port.

-Bennett
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:58:37 PDT