1998-05-10-18:23:33 Thomas Ptacek:

> Huh? I am very weak on database stuff, but I was of the impression that
> ODBC *wasn't* an on-the-wire protocol, but rather a calling convention for
> database libraries so that arbitrary drivers could interoperate with
> arbitrary database-enabled programs.

Not as weak as I am, evidently. You're right as can be.

I'd tangled with something very like the question that Ikoedem Moses seemed to be asking:

> I want to pass ODBC traffic from a webserver in the DMZ to a database
> server in the internal network. What is the right way to do it and what
> ports does it use?

The over-the-wire protocol our developers were proposing to use was related to CORBA (I don't know for sure if CORBA actually specifies the network protocol, or if it's just another API spec). The database backend was ODBC<==>CORBA.

I stated that (a) database implementations are huge, complex, and never designed with security as a goal; (b) there were no security provisions available in any implementation we could find of the proposed protocol; and (c) we could find no proxy that gave fine-grained control of the requests it would be willing to forward.

Based on these limitations we ended up replicating the data out onto a sacrificial machine in the DMZ, sanitizing it as best we could, and protecting that machine the best we could with the screening router.

-Bennett
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:59:03 PDT