RE: [FW1] oracle replication : good idea to open ports DMZ -> Internal LAN ??
If your dev team is like our dev teams... RAISE THE FLAG NOW.

First see how they're going to replicate the data, and make sure you agree with what they're doing. If they're doing something like FTP, cp, or NetBIOS copy, what would happen if your web server gets compromised? Would the attacker be able to get at the production database?

How are they replicating the database? Dropping the main DB into hot-standby, stopping the DMZ DB, copying the flat file, and restarting everything? This sounds really messy.

If they're just passing lookups, Check Point has INSPECT code that works with 8i... Before, the $#@#!! dev teams wanted me to open 1024-65536 since the Oracle box uses 1526/7 to negotiate another, higher, random port for data transfer. The INSPECT code is much safer.

Good luck!

-john

-----Original Message-----
From: karim amrani [mailto:[email protected]]
Sent: Thursday, September 14, 2000 5:31 AM
To:
Subject: [FW1] oracle replication : good idea to open ports DMZ -> Internal LAN ??

Hi everybody,

We have a web server (in the DMZ) picking up data in its local Oracle 8i Database. The main (Oracle 8i) database is on the internal LAN. The idea is to replicate the main DB to the webserver DB.

Our development team is asking me to open some ports from the DMZ to the internal LAN... They say they have no other solution (and they asked Oracle about that point).

I'm puzzled.... As our need is probably classic, would there be a person of Good willing to share his secure solution on that issue?

Thanks a lot,
Karim AMRANI

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
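The trade-off raised in the reply (a blanket high-port range versus following the listener's port negotiation) can be made concrete. This is an added example, not Check Point's INSPECT code and not from either poster. It assumes the listener's redirect carries an Oracle Net address descriptor, reads "1526/7" as ports 1526 and 1527, caps the range at the valid maximum 65535, and uses constructed hosts and hypothetical function names.

```python
import re

# Constructed sample of the address descriptor a listener redirect would carry.
SAMPLE_REDIRECT = "(ADDRESS=(PROTOCOL=tcp)(HOST=10.1.1.5)(PORT=34567))"

LISTENER_PORTS = {1526, 1527}        # "1526/7" in the post, read as 1526 and 1527
BLANKET_RANGE = range(1024, 65536)   # the requested range, capped at port 65535

_FIELD = re.compile(r"\(\s*(PROTOCOL|HOST|PORT)\s*=\s*([^()\s]+)\s*\)", re.I)


def parse_redirect(descriptor):
    """Return (host, port) from an address descriptor, or None if unusable."""
    fields = {k.upper(): v for k, v in _FIELD.findall(descriptor)}
    if fields.get("PROTOCOL", "").lower() != "tcp":
        return None
    try:
        port = int(fields["PORT"])
    except (KeyError, ValueError):
        return None
    # Only accept a high port; a redirect to a low port is not a data channel.
    if "HOST" not in fields or not 1024 <= port <= 65535:
        return None
    return fields["HOST"], port


def pinhole_for(client, db_host, descriptor):
    """Build a single allow rule, only if the redirect stays on the database host."""
    parsed = parse_redirect(descriptor)
    if parsed is None or parsed[0] != db_host:
        return None  # malformed, or pointing at some other internal host
    return {"src": client, "dst": db_host, "dport": parsed[1], "proto": "tcp"}


def exposed_ports(static_ports, pinholes):
    """Count internal TCP ports reachable from the DMZ under a policy."""
    return len(set(static_ports) | {p["dport"] for p in pinholes})
```

With the blanket range, a compromised web server can reach every high port on the internal host; with listener ports plus a per-session pinhole, it reaches only the listener and the one negotiated port.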