
Re: Three Physical Tiers in the Name of Security?

Subject: Re: Three Physical Tiers in the Name of Security?
Date: Thu, 28 Jul 2005 09:43:49 -0400
In addition to these great points, it might be possible to limit access to the database by using the approach. In Microsoft-land, you can use Windows authentication or mixed mode on the SQL Server. You could perhaps limit the Windows authentication for the SQL Server to specific locations more easily. In mixed mode, it means that storage of your password for the SQL database would not be on the web server. If it were compromised, the bad guys wouldn't know the password or any of the SQL queries used. On the down side, if they found a hole in the first tier the app is still potentially exploitable. It's not an unsound idea, but you would certainly need to take adequate precautions at each level to make it useful.

On Jul 28, 2005, at 4:27 AM, Lyal Collins wrote:

I can offer a few thoughts, which may even be relevant.
The 3 physical tier approach means:
- web-app layer traffic can be firewalled into specific ports and thus
specific protocols
- web-app layer traffic can be "IPS'ed"
- there is potential for using different OSes in different layers (I did
note you said this is an MS shop) to avoid the possible monoculture problem
(e.g. certain attacks against the OS may work effectively at all 3 layers)
- in some IT shops, 3 tiers can improve access control and segregation of
duties by separating the skills needed for each layer/technology base into
discrete boxes. E.g. why would a DBA or programmer need access to the layer
that stores SSL certs/private keys? Of course, if there is only 1 person
doing all 3 functions, this is moot.


These may offer advantages in your environment - without knowing the risk
environment/models to be protected against, it's hard to say.


Clearly documenting the pros and cons for internal decisions/approval should
clearly articulate the benefits being sought, and set down a future
architectural direction/intention.


Lyal



Lucas Holt
Luke@FoolishGames.com
________________________________________________________
FoolishGames.com  (Jewel Fan Site)
JustJournal.com (Free blogging)
FoolishGames.net (Enemy Territory IoM site)

Think PC.. in 2006 you can own an Apple PCintosh. Whats next, windows works?
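As an added illustration of two points raised in this thread (firewalling the web-app to database traffic down to a specific port and source, and preferring Windows authentication so no SQL password sits on the web server), here is a PowerShell script for the database tier. It is example code written for this page, not anything posted by the thread's participants; it assumes a Windows host with the NetSecurity cmdlets, an app-tier address of 10.0.2.10 (a constructed sample value), SQL Server listening on TCP 1433, and the SqlServer module for the final check.

```powershell
# Added example, not from the thread. Assumptions: Windows Server with the
# NetSecurity module, app tier at 10.0.2.10 (constructed), SQL Server on
# TCP 1433, SqlServer module installed for Invoke-Sqlcmd.
$AppTierAddress = '10.0.2.10'   # constructed sample address of the app tier
$SqlPort        = 1433
$RuleName       = 'SQL Server from app tier'

# 1. Default-deny inbound on every profile so only explicit rules open ports.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# 2. Allow SQL Server traffic only from the app-tier host. Windows Firewall
#    lets Block rules override Allow rules, so the restriction is expressed
#    through RemoteAddress on the Allow rule plus the default deny, not via a
#    second broad Block rule (which would also cut off the app tier).
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Inbound -Protocol TCP -LocalPort $SqlPort `
        -RemoteAddress $AppTierAddress -Action Allow | Out-Null
}

# 3. Verify the rule really carries the remote-address scope.
$addr = Get-NetFirewallRule -DisplayName $RuleName | Get-NetFirewallAddressFilter
if ($addr.RemoteAddress -ne $AppTierAddress) {
    throw "Rule '$RuleName' is not scoped to $AppTierAddress (got: $($addr.RemoteAddress))"
}

# 4. Confirm the instance is Windows-authentication only (1) rather than
#    mixed mode (0); with Windows-only auth no SQL password has to be stored
#    on the web server for the application to connect.
$row = Invoke-Sqlcmd -ServerInstance 'localhost' -Query @"
SELECT CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int) AS WinOnly
"@
if ($row.WinOnly -ne 1) {
    Write-Warning 'SQL Server is in mixed mode; consider Windows-only authentication.'
}
```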
