[Nottingham] Tunneling question.

Colin Saxton colin.saxton at ntlworld.com
Fri Mar 24 01:08:00 GMT 2006


On Thu, 2006-03-23 at 15:47 +0000, Michael Erskine wrote:
> 
> What's wrong with allowing a (secure) connection through the firewall from the 
> application server to the DB server? Looks like you're making work for 
> yourself in duplicating the job of the firewall.
> 
> Regards,
> Michael Erskine.
> 

It can just give that extra level of security. The idea is to have the
client proxy open up on the application server and wait for the db
server proxy to connect to it...this way you don't open a direct
connection through the firewall from the DMZ...it's from behind the
firewall into the DMZ that the connection is initiated...in fact there
wouldn't be any way to connect from the DMZ onto the DB Server.

Not only does the client proxy take connections, but it also kicks off
the application server, which will only start with a valid certificate
sent from the server proxy...The server proxy will also send down the
correct passwords over SSL for the application server to then connect
through the socket itself into the DB server behind (or any service for
that matter, not just a db socket). What this means is that if someone
gets into the DMZ they can't port scan servers through the second
firewall; only the client proxy will have a specific address open, which
can be dropped every few minutes and changed by the server proxy. This
way your sockets become a moving target...

You may say that I am being paranoid, but I think that it's worth it!
I don't think that there is anything out there that will do this...I
will probably end up writing it. I have some code in place that I can
start using, so it shouldn't take too long to implement.
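As an added illustration (not code from this thread or from Colin's project), here is a Python sketch of the direction-of-initiation idea in the post: the DMZ-side client proxy only listens, the inside server proxy dials out to it, and the application's request then rides that already-established socket back to the service behind the second firewall. Loopback stands in for both networks, so the firewall rule itself is assumed rather than enforced here, and the SSL/certificate exchange the post mentions is omitted.

```python
import socket
import threading

# Constructed demo: all three roles run on loopback in one process.
# "Inside" = behind the second firewall (backend service + server proxy).
# "DMZ"    = application server side (client proxy that only listens).


def backend_service(conn):
    """Stand-in for the DB server: answers one request and closes."""
    data = conn.recv(1024)
    conn.sendall(b"OK:" + data.upper())
    conn.close()


def start_backend():
    """Inside network: listen on an ephemeral port, serve one connection."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    threading.Thread(target=lambda: backend_service(srv.accept()[0]), daemon=True).start()
    return srv.getsockname()[1]


def dmz_client_proxy(listen_port):
    """DMZ side: never dials inward; waits for the inside proxy to call out to it."""
    lst = socket.socket()
    lst.bind(("127.0.0.1", listen_port))
    lst.listen(1)
    return lst


def inside_server_proxy(dmz_port, backend_port):
    """Inside side: initiates the outbound connection, then relays to the backend."""
    out = socket.create_connection(("127.0.0.1", dmz_port))
    req = out.recv(1024)                     # request arrives over the tunnel
    back = socket.create_connection(("127.0.0.1", backend_port))
    back.sendall(req)
    out.sendall(back.recv(1024))             # reply goes back over the same socket
    back.close()
    out.close()


def tunnel_request(payload):
    """Run one round trip; returns the backend's reply as seen from the DMZ."""
    backend_port = start_backend()
    lst = dmz_client_proxy(0)
    dmz_port = lst.getsockname()[1]
    t = threading.Thread(target=inside_server_proxy, args=(dmz_port, backend_port), daemon=True)
    t.start()
    tunnel, _ = lst.accept()                 # inside proxy has called out to us
    tunnel.sendall(payload)                  # app server's request rides the tunnel
    resp = tunnel.recv(1024)
    tunnel.close()
    lst.close()
    t.join(5)
    return resp
```

Only the listener's port is ever reachable from the DMZ side; which port that is, and how often it changes, would be the server proxy's decision as the post describes.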