From: Technical Incursion Countermeasures (listsat_private)
Date: Sun May 10 1998 - 11:48:23 PDT

    At 05:06 AM 5/8/98 -0700, you wrote:
    >1998-05-06-16:07:35 Ikoedem Moses:
    >> I want to pass ODBC traffic from a webserver in the DMZ to a database
    >> server in the internal network. What is the right way to do it and what
    >> ports does it use?
    >First answer would be easy: _don't_ do it. ODBC is an immature protocol;
    >security isn't implemented by any vendor I know of. They don't have
    >strong authentication, nor encryption. The protocol being passed is
    >open-ended. Don't let it through your firewall. Replicate such data as
    >the web presence needs out onto a server in the DMZ, perhaps reachable
    >only by the web server. Don't let that traffic in.
    I assume that you are using something like MS SQL Server - you are not
    using Access are you? (I hope not). If you are using SQL Server then you
    could post your queries to it via SMTP. It takes a little bit of tweaking
    to get it to work right (What MS Product doesn't :{) but it means that you
    are not opening up anything else in your firewall...
    Technical Incursion Countermeasures 
    ph: (+61)(08) 9454 2487(UTC+8 hrs)      fax: (+61)(08) 9454 6042
    The Insider - a e'zine on Computer security

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:58:57 PDT