RE: [FW1] oracle replication : good idea to open ports DMZ -> Internal LAN ??



If your dev team is like our dev teams...

RAISE THE FLAG NOW.

First see how they're going to replicate the data, and make sure you agree
with what they're doing.  If they're doing something like FTP, cp, or
NetBIOS copy, what would happen if your web server gets compromised?  Would
the attacker be able to get at the production database?  How are they
replicating the database? Dropping the main DB into hot-standby, stopping
the DMZ DB, copying the flat file, and restarting everything?  This sounds
really messy.

If they're just passing lookups, Check Point has INSPECT code that works
with 8i... Before, the $#@#!! dev teams wanted me to open 1024-65536 since
the Oracle box uses 1526/7 to negotiate another, higher, random port for
data transfer.  The INSPECT code is much safer.

Good luck!

-john

-----Original Message-----
From: karim amrani [mailto:[email protected]]
Sent: Thursday, September 14, 2000 5:31 AM
To: 
Subject: [FW1] oracle replication : good idea to open ports DMZ ->
Internal LAN ??



Hi everybody,

We have a web server (in the DMZ) picking up data in its local Oracle 8i
Database. The main (Oracle 8i) database is on the internal LAN.

The idea is to replicate the main DB to the webserver DB.

Our development team is asking me to open some ports from the DMZ to the
internal LAN... They say they have no other solution (and they asked
Oracle about that point). I'm puzzled....

As our need is probably classic, would someone of good will be willing
to share his secure solution to that issue?

Thanks a lot,

Karim AMRANI





================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
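
The contrast drawn in the reply above, between opening the whole high-port range and letting the firewall follow the listener's port negotiation, sketched as an added example (not part of either message and not Check Point's INSPECT code). It is a simplified Python model for one DMZ client and one internal database host; the redirect address string, the host address, the 30-second lifetime and all names are assumptions.

```python
import re

LISTENER_PORTS = {1526, 1527}   # listener ports named in the thread
ADDR_RE = re.compile(r"\(HOST=([^)]+)\)\(PORT=(\d+)\)", re.IGNORECASE)

# Constructed sample: address in TNS descriptor syntax, as a listener redirect would carry it.
SAMPLE_REDIRECT = "(ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.5)(PORT=34512))"


class PinholeFilter:
    """Simplified model: DMZ -> internal rule that follows the negotiated port."""

    def __init__(self, db_host, ttl=30):
        self.db_host = db_host
        self.ttl = ttl
        self.pinholes = {}      # negotiated port -> expiry time (seconds)

    def on_listener_reply(self, sport, payload, now):
        """Inspect a reply from the database host; open one pinhole for a sane redirect."""
        m = ADDR_RE.search(payload)
        if sport not in LISTENER_PORTS or not m:
            return None
        host, port = m.group(1), int(m.group(2))
        # Refuse redirects to any other internal host or to a privileged port.
        if host != self.db_host or not 1024 <= port <= 65535:
            return None
        self.pinholes[port] = now + self.ttl
        return port

    def allow(self, dport, now):
        """Decide on a new DMZ -> database-host connection to dport."""
        if dport in LISTENER_PORTS:
            return True
        expiry = self.pinholes.pop(dport, None)   # one connection per pinhole
        return expiry is not None and now <= expiry


def static_range_allow(dport):
    """The rule the dev team asked for: every high port, all the time."""
    return 1024 <= dport <= 65535


def exposed_ports(filt, now):
    """Count high ports currently reachable through the pinhole filter."""
    return sum(1 for exp in filt.pinholes.values() if now <= exp)
```

With the static rule a compromised web server can reach any service on a high port of the internal host at any time; with the pinhole model it can reach only the listener plus a port the listener itself just handed out.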


   All contents © 2003 Network Presence, LLC. All rights reserved.