Subject Re: Interbase safe on internet?
Author Mark O'Donohue
[sorry if it's not quite on topic, I posted this to
borland.public.ib.opensource 2 days ago, it hasn't appeared, presuming a
stuff up and in case anyone was interested, (but it's not THAT
interesting) I've posted it here as well.]


Jorge Alvarez wrote:
> <snip>
>
> Bill Todd wrote:
>>You can buy a hardware firewall for $100. I think they all use NAT
>>which I have read is very secure.
>
>
> Bill,
>
> Somewhat off-topic but I'm very interested: where can I find information
> about these inexpensive hardware firewalls?
>


A solution we've found useful is a cheap (< $100 recycled pc ) and one
of the simple fw purpose built linux distributions.

http://www.coyotelinux.com
http://www.ipcop.org

(NAT - network address translation is a way of having several pc's or
internal network hiding behind a single ip address, good for sharing an
adsl or dialup line, it's a convenience component of many firewalls
(including both above) and it helps a bit by hiding the internal network
- but it's primarily not really a security feature).

The ipcop one is quite nice with web interface and intrusion detection
program (snort), the coyote one is good for quick small install (a
question and answer session builds you a boot floppy disk - yep it fits
on a floppy).


There are also others, these are just the ones we've used - and found
useful.

And on exposure of ib ports to the internet, basically don't do it -
it's best to be careful.

So restrict access to the ib/fb database to an application server (it
could possibly be on the same box). In that application server hardcode
all the sql stmts to restrict the types of queries that the 'internet'
users can make, and if you include user entered fields in the sql stmts,
have a sensible limit check on the size of the sql stmt before you send
it to the db server. Then only allow the users to talk to the application
server.


Cheers

Mark
---
Your database needs YOU!
http://www.firebirdsql.org
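
The application-server arrangement described in the message above, sketched as an added example (not code from the original post or from the Firebird project). It uses Python's built-in `sqlite3` as a stand-in for an InterBase/Firebird connection; the query names, tables and size limits are assumptions, and binding the user fields as parameters goes one step beyond the size check the post mentions.

```python
import sqlite3

# Hypothetical catalogue: the only statements internet-facing callers can run.
QUERIES = {
    "order_status": ("SELECT status FROM orders WHERE order_no = ? AND email = ?", 2),
    "product_search": ("SELECT name, price FROM products WHERE name LIKE ? ORDER BY name", 1),
}
MAX_FIELD_LEN = 64     # assumed per-field limit
MAX_REQUEST_LEN = 160  # assumed limit on statement text plus all field values


class RejectedRequest(Exception):
    """Raised when a request falls outside what the application server allows."""


def run_query(conn, name, fields):
    """Run one catalogue statement with user-entered fields bound as parameters."""
    if name not in QUERIES:
        raise RejectedRequest("unknown query")
    sql, nparams = QUERIES[name]
    if len(fields) != nparams:
        raise RejectedRequest("wrong number of fields")
    for value in fields:
        if not isinstance(value, str) or len(value) > MAX_FIELD_LEN:
            raise RejectedRequest("field too long or not text")
    if len(sql) + sum(len(v) for v in fields) > MAX_REQUEST_LEN:
        raise RejectedRequest("request too large")
    # Values are bound, never concatenated, so the statement text stays fixed.
    return conn.execute(sql, tuple(fields)).fetchall()


def demo_database():
    """Constructed sample data in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE orders (order_no TEXT, email TEXT, status TEXT);
        CREATE TABLE products (name TEXT, price REAL);
        INSERT INTO orders VALUES ('1001', 'ann@example.com', 'shipped');
        INSERT INTO orders VALUES ('1002', 'bob@example.com', 'pending');
        INSERT INTO products VALUES ('widget', 9.5);
    """)
    return conn


if __name__ == "__main__":
    db = demo_database()
    print(run_query(db, "order_status", ["1001", "ann@example.com"]))
    try:
        run_query(db, "drop_all", [])
    except RejectedRequest as exc:
        print("rejected:", exc)
```

Only the application server holds database credentials and a route to the database port; clients send a query name and field values, never SQL text.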