Re: Sources for Extranet Designs?

[Dragos Ruiu <dr () dursec com>]

On February 23, 2004 01:56 pm, Marcus J. Ranum wrote:
> Daniel Linder wrote:
> > Is there such thing as a SQL front end proxy?  I would think with more
> > security devices employing "layer 8" (yeech, marketing speak) filtering a
> > SQL security proxy that could be programmed with limits such as
> > databases/tables/columns, number of rows returned, etc this might be a
> > good first line of defense...
>
> Yeah, it's called "Oracle" ;)
>
> The principle behind proxies* is that they:
>         a) Are minimized (in terms of implementation)
>         b) Rigorously check for and exclude errors in their input
>         c) Implement a subset of an application protocol
>         -or-
>         Implement an application protocol with the ability to control
>                 operations to a subset of the protocol's ops
>         d) Does so only after a security analyst has spent actual
>                 brain-cycles thinking about the implications of
>                 allowing that operation through the proxy
>         e) Log transactions based on operations
>         f) Ideally are designed to run in a restricted environment
>                 if the underlying operating system permits such a
>                 thing

At CanSecWest this year Ulf Mattson will be presenting a paper on
SQL based IPS. No warranty implied, but I'll be looking forward to 
seeing what he's come up with.

cheers,
--dr

-- 
Top security experts.  Cutting edge tools, techniques and information.
Vancouver, Canada       April 21-23 2004  http://cansecwest.com
pgpkey http://dragos.com/ kyxpgp
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards