From: Bennett Todd (betat_private)
Date: Mon May 11 1998 - 05:48:13 PDT

  • Next message: Adam Shostack: "Re: Blitzkrieg Server -- For Real?! ( LONG )"

    1998-05-10-18:23:33 Thomas Ptacek:
    > Huh? I am very weak on database stuff, but I was of the impression that
    > ODBC *wasn't* an on-the-wire protocol, but rather a calling convention for
    > database libraries so that arbitrary drivers could interoperate with
    > arbitrary database-enabled programs.
    Not as weak as I am, evidently.
    You're right as can be.
    I'd tangled with something very like the question that Ikoedem Moses
    seemed to be requesting:
    >I want to pass ODBC traffic from a webserver in the DMZ to a database
    >server in the internal network. What is the right way to do it and what
    >ports does it uses?
    The over-the-wire protocol our developers were proposing to use was
    related to CORBA (I don't know for sure if CORBA actually specifies the
    network protocol, of if it's just another API spec). The datbase backend
    was ODBC<==>CORBA. I stated that (a) database implementations are huge,
    complex, and never designed with security as a goal; (b) there were no
    security provisions available in any implementation we could find of the
    proposed protocol; and (c) we could find no proxy that gave fine-grained
    control of the requests it would be willing to forward. Based on these
    limitations we ended up replicating the data out onto a sacrificial
    machine in the DMZ, sanitizing it as best we could, and protecting that
    machine the best we could with the screening router.

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:59:03 PDT