5.11 How do I make my web server act as a front-end for a database that lives on my private network?

The best way to do this is to allow very limited connectivity between
your web server and your database server via a specific protocol that
supports only the level of functionality you're going to use.
Allowing raw SQL, or anything else that would let an attacker perform
custom extractions, generally isn't a good idea.

Assume that an attacker is going to be able to break into your web
server, and make queries in the same way that the web server can. Is
there a mechanism for extracting sensitive information that the web
server doesn't need, like credit card information? Can an attacker
issue an SQL select and extract your entire proprietary
database?

"E-commerce" applications, like everything else, are best designed
with security in mind from the ground up, instead of having security
"added" as an afterthought. Review your architecture critically, from
the perspective of an attacker. Assume that the attacker knows
everything about your architecture. Now ask yourself what needs to be
done to steal your data, to make unauthorized changes, or to do
anything else that you don't want done. You might find that you can
significantly increase security without decreasing functionality by
making a few design and implementation decisions.

Some ideas for how to handle this:
- Extract the data you need from the database on a regular basis
so you're not making queries against the full database, complete
with information that attackers will find interesting.
- Greatly restrict and audit what you do allow between the web
server and database.
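
The two ideas above combined, as an added example that is not part of the original FAQ: a periodic job copies only the columns the web front end needs into a separate extract, and a small broker accepts named operations with validated arguments instead of raw SQL, recording every request. The table names, operation names, sample rows and the in-memory SQLite databases are all constructed for illustration.

```python
import re
import sqlite3

# Constructed stand-in for the private database (in-memory SQLite, sample rows).
full_db = sqlite3.connect(":memory:")
full_db.executescript("""
    CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT,
                         status TEXT, card_number TEXT);
    INSERT INTO orders VALUES (1, 'alice', 'shipped', '4111111111111111');
    INSERT INTO orders VALUES (2, 'bob', 'pending', '5500000000000004');
""")

def build_extract(source):
    """Periodic job: copy only the columns the web front end needs."""
    extract = sqlite3.connect(":memory:")
    extract.execute("CREATE TABLE order_status (id INTEGER PRIMARY KEY, "
                    "customer TEXT, status TEXT)")
    rows = source.execute("SELECT id, customer, status FROM orders")
    extract.executemany("INSERT INTO order_status VALUES (?, ?, ?)", rows)
    extract.commit()
    return extract

# The only operations the web server may request: name -> (SQL, validator, cast).
OPERATIONS = {
    "order_status": ("SELECT id, status FROM order_status WHERE id = ?",
                     re.compile(r"[0-9]{1,9}"), int),
    "orders_for": ("SELECT id, status FROM order_status WHERE customer = ?",
                   re.compile(r"[a-z]{1,32}"), str),
}

audit_log = []  # a real deployment would ship this off the web server

def handle_request(extract, operation, argument):
    """Run one allow-listed operation; reject and record everything else."""
    entry = OPERATIONS.get(operation)
    if entry is None or not entry[1].fullmatch(argument):
        audit_log.append(("DENIED", operation, argument))
        raise PermissionError("request not permitted")
    sql, _, cast = entry
    audit_log.append(("ALLOWED", operation, argument))
    return extract.execute(sql, (cast(argument),)).fetchall()

if __name__ == "__main__":
    extract = build_extract(full_db)
    print(handle_request(extract, "order_status", "1"))
    print(audit_log)
```

Even with full control of the web server, a caller of this broker can only look up order status; the card numbers never leave the private database, and denied requests show up in the audit trail.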
Vesaria
722 Dulaney Valley Road, Suite 192
Towson, MD 21204
443 - 501 - 4044
