From: Bennett Todd (betat_private)
Date: Fri May 08 1998 - 05:06:34 PDT

  • Next message: Franz, Matt: "RE: RST's and ACK's and stealth scans"

    1998-05-06-16:07:35 Ikoedem Moses:
    >  I want to pass ODBC  traffic from a webserver in the DMZ to  a database
    > server in the internal network. What is the right way to do it and what
    > ports does it uses?
    First answer would be easy: _don't_ do it. ODBC is an immature protocol;
    security isn't implemented by any vendor I know of. They don't have
    strong authentication, nor encryption. The protocol being passed is
    open-ended. Don't let it through your firewall. Replicate such data as
    the web presence needs out onto a server in the DMZ, perhaps reachable
    only by the web server. Don't let that traffic in.
    If for some reason that just can't be done, then your next best bet
    would be to write yourself a custom application-level proxy: write an
    ODBC client/server to run on the firewall, write it bulletproof (as if
    you could find bulletproof ODBC development libraries...) and riddle it
    with serious sanity checking of the traffic stream.
    And if _that_ can't be done, and you absolutely have to let the traffic
    through, get your objections acknowleged in writing --- you want it
    documented in black and white that someone else is to blame when this
    hole is torn open. Then hang a sniffer on the wire while doing a typical
    dialogue, and see what packets are required. I tried to set up packet
    filtering rules to allow something that claimed to be ODBC traffic
    between java applets, downloaded to client web servers, and the web
    server. Turns out I had to open a rendezvous port, plus a whole range of
    high port numbers. A couple of months later I was sure glad I'd
    completely removed portmapper from that box, when it was revealed that
    portmapper was secretly listening to some high-numbered port.

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:58:37 PDT