[Nottingham] Tunneling question.

Alex Tibbles alex_tibbles at yahoo.co.uk
Fri Mar 24 13:38:49 GMT 2006

--- Colin Saxton <colin.saxton at ntlworld.com> wrote:
> It can just give that extra level of security. The idea is to have the
> application server open the client proxy up on the application server
> and wait for the db server proxy to connect to it... this way you don't
> open a direct connection through the firewall from the DMZ... it's from
> behind the firewall into the DMZ that the connection is initiated... in
> fact there wouldn't be any way to connect from the DMZ onto the DB
> Server.

I might be wrong here, but it seems that you rely on the same thing as
allowing DMZ->db connections: that the firewalls preserve the routing,
ARP etc. in the DMZ so that the app server cannot be spoofed. If the app
server address is spoofed in the DMZ, then both the 'normal way' and your
new set-up fail. Both such attacks are prevented by spoofing protection
at the external firewall (dropping anything inbound or outbound to a
private address, unless I'm forgetting something.) Am I missing
something?
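
The following is an added illustration, not code from the thread or from
either poster. It models the two arrangements (the DMZ app server opening
the DB port directly, and the reverse arrangement where the DB-side proxy
connects out to a listener on the app server) as address-only first-match
filter rules, with the anti-spoofing check described above applied in front
of them. It shows that an Internet-side packet forging the trusted source
address gets through either ruleset unless anti-spoofing drops it first.
All addresses, ports and interface names are assumptions; ARP-level
spoofing inside the DMZ segment is outside what this model covers.

```python
"""Constructed model of the firewall policy discussed in the thread.

Added example, not the posters' code.  Topology, addresses and ports
are assumptions: ext = Internet, dmz = app server, int = DB server.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional

DMZ_NET = ip_network("192.168.10.0/24")
INT_NET = ip_network("10.0.0.0/24")
APP_SERVER = ip_address("192.168.10.5")
DB_SERVER = ip_address("10.0.0.20")
DB_PORT = 1433      # assumed DB listener port
PROXY_PORT = 5000   # assumed port of the listener the DB-side proxy calls
ANY = ip_network("0.0.0.0/0")
PRIVATE = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    iface: str            # interface the packet arrived on
    src: IPv4Address
    dst: IPv4Address
    dport: int


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]  # None matches any port
    action: str           # "accept" or "drop"

    def matches(self, p: Packet) -> bool:
        return (p.src in self.src and p.dst in self.dst
                and (self.dport is None or p.dport == self.dport))


def host(a: IPv4Address) -> IPv4Network:
    return ip_network(f"{a}/32")


def spoofed(p: Packet) -> bool:
    """Anti-spoofing tied to the arrival interface.

    Nothing with a private source or destination is legitimate on the
    external interface; on the inside interfaces the source must belong
    to that segment's own network.
    """
    if p.iface == "ext":
        return any(p.src in n or p.dst in n for n in PRIVATE)
    if p.iface == "dmz":
        return p.src not in DMZ_NET
    if p.iface == "int":
        return p.src not in INT_NET
    return True  # unknown interface: treat as spoofed


def policy(design: str) -> list:
    """Address-only rules with no interface binding, as a naive ruleset has.

    'direct':  app server opens the DB port on the DB server.
    'reverse': DB-side proxy opens the proxy listener on the app server.
    """
    if design == "direct":
        app_rule = Rule(host(APP_SERVER), host(DB_SERVER), DB_PORT, "accept")
    elif design == "reverse":
        app_rule = Rule(host(DB_SERVER), host(APP_SERVER), PROXY_PORT, "accept")
    else:
        raise ValueError(design)
    return [app_rule, Rule(ANY, ANY, None, "drop")]  # default deny last


def evaluate(rules, p: Packet, anti_spoof: bool = True) -> str:
    """First-match evaluation, with the anti-spoofing check in front."""
    if anti_spoof and spoofed(p):
        return "drop"
    for r in rules:
        if r.matches(p):
            return r.action
    return "drop"


def scenarios(anti_spoof: bool) -> dict:
    """Legitimate traffic for each design, plus an Internet-side packet
    forging the trusted source address for each design."""
    direct_ok = Packet("dmz", APP_SERVER, DB_SERVER, DB_PORT)
    direct_spoof = Packet("ext", APP_SERVER, DB_SERVER, DB_PORT)
    reverse_ok = Packet("int", DB_SERVER, APP_SERVER, PROXY_PORT)
    reverse_spoof = Packet("ext", DB_SERVER, APP_SERVER, PROXY_PORT)
    return {
        "direct_legit": evaluate(policy("direct"), direct_ok, anti_spoof),
        "direct_spoof": evaluate(policy("direct"), direct_spoof, anti_spoof),
        "reverse_legit": evaluate(policy("reverse"), reverse_ok, anti_spoof),
        "reverse_spoof": evaluate(policy("reverse"), reverse_spoof, anti_spoof),
    }


if __name__ == "__main__":
    for flag in (True, False):
        print("anti-spoofing", "on " if flag else "off", scenarios(flag))
```

With the anti-spoofing check on, both forged packets are dropped before any
application rule is consulted; with it off, both address-only rulesets accept
them, which is the sense in which the reverse arrangement gains nothing over
the direct one against address spoofing.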

