[nycbug-talk] (no subject)
kacanski_s at yahoo.com
Sun Jul 15 09:48:33 EDT 2007
--- Marc Spitzer <mspitzer at gmail.com> wrote:
> On 7/14/07, Jonathan Vanasco <nycbug-list at 2xlp.com>
> > On Jul 14, 2007, at 4:45 PM, Marc Spitzer wrote:
> > > Looks reasonable. The only thing is you need to also have an
> > > application level firewall in the mix. A proxy firewall to inspect
> > > all inbound http/s traffic for bad things,
> > that's always good.
I am counting on the application level firewall,
specifically between apps and database sources. What
concerns me is the web to app layer. Using specialized
bridges to pass through dynamic content is something
that I prefer to leave to run without being
inspected by the fw.
> > > sql injection and out of bounds values (ie what happens when I
> > > order -3 TVs) come to mind.
> > that is really really bad. it creates a false sense of security.
> > it's a good thing to have, but your underlying webapp should be able
> > to handle that (ie, always use bind with sql, escape / validate
> > input, etc). if you're an admin, and you do that to safeguard
> > yourself against bad programmers -- great. but if you're a
> > programmer, you shouldn't know/expect any of that to exist.
> > that's just a sore spot for me.
I am a firm believer that you need to do a good job on
the app stack and a solid amount of profiling and
regression testing. I also like to audit the application
stack, instead of terminating the http protocol in the
DMZ and declaring that the web tier is isolated and we are
"now" protected. Ignorance is bliss, but I do not
need to deal with folks like that on a daily basis,
especially when they represent security policies.
> It is part of defense in depth. Face it, people screw up all the time,
> myself included, and having 2 ways to be "safe" is better than
> 1. Also things like -3 TVs should be checked by unit tests before it
> ever gets to production. I think that most problems are caused by a
> lack of discipline not ignorance or malice. Especially when deadlines
> loom people can be pressured into doing things that may be less than
Aside from some fancy filtering appliance that can
detect signatures of a possible malicious attack by
inspecting a packet, again I see no benefit of having
packets going through the stateful appliance between
web and app tier.
> > On Jul 14, 2007, at 2:15 PM, Aleksandar Kacanski
> > > Through experience and lengthy troubleshooting sessions I am wary
> > > of FW and persistent connections and work around with
> > > socket_keepalive properties. I am specifically referring to apache
> > > and ajp proxy plugin but I saw a number of production issues with
> > > real proxy servers and fw.
> > i don't know about the ajp proxy plugin. apache + keepalive can
> > create lots of issues though.
> > i do a lot of mod_perl programming, and keepalive can often jam the
> > whole damn server, which makes me want to FOI)(@*#@#* break
> > apache. to combat that, i run nginx on port 80 and then proxy to
> > apache when needed. nginx can handle the keepalive requests without
> > blocking, and a keepalive between apache & nginx makes stuff run even
> > faster.
> That is good to know
> Freedom is nothing but a chance to be better.
> Albert Camus
--Aleksandar (Sasha) Kacanski
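The thread argues that the app stack itself must handle SQL injection and out-of-range values ("order -3 TVs") rather than relying on a proxy firewall in front of it. The following is an added example, not code from anyone on the thread: it contrasts a string-built query with a bound-parameter query against an in-memory SQLite table (table name, sample row and the `max_qty` limit are constructed for the demo), and shows the quantity validation that should reject -3 before the order ever reaches the database.

```python
"""Added example (not from the nycbug thread): app-tier checks that must
exist regardless of any proxy firewall -- bound SQL parameters and input
validation for the "order -3 TVs" case. Uses an in-memory SQLite database
with a constructed sample row."""
import sqlite3


def make_db():
    """Create a constructed products table with one sample row (sku 'tv', 10 in stock)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (sku TEXT PRIMARY KEY, stock INTEGER NOT NULL)")
    conn.execute("INSERT INTO products VALUES ('tv', 10)")  # constructed sample data
    conn.commit()
    return conn


def stock_unsafe(conn, sku):
    """Vulnerable form: the sku is pasted into the SQL text, so a value such as
    ' OR '1'='1 changes the WHERE clause and returns rows it should not."""
    sql = "SELECT stock FROM products WHERE sku = '%s'" % sku
    return [row[0] for row in conn.execute(sql)]


def stock_safe(conn, sku):
    """Hardened form ("always use bind with sql"): the driver passes sku as a
    bound value, never as SQL text, so the same input simply matches nothing."""
    rows = conn.execute("SELECT stock FROM products WHERE sku = ?", (sku,))
    return [row[0] for row in rows]


def parse_quantity(raw, max_qty=100):
    """Validate an order quantity from untrusted input.

    Returns a positive int within [1, max_qty]; raises ValueError otherwise.
    max_qty is an assumed business limit for the demo.
    """
    try:
        qty = int(str(raw).strip())
    except (TypeError, ValueError):
        raise ValueError("quantity must be an integer")
    if qty <= 0 or qty > max_qty:
        raise ValueError("quantity out of range: %d" % qty)
    return qty


def place_order(conn, sku, raw_qty):
    """Decrement stock for an order; returns remaining stock.

    Validation runs first, so '-3' never reaches SQL. The UPDATE is bound and
    guarded by stock >= qty so a concurrent order cannot drive stock negative.
    """
    qty = parse_quantity(raw_qty)
    with conn:  # commits on success, rolls back on exception
        cur = conn.execute(
            "UPDATE products SET stock = stock - ? WHERE sku = ? AND stock >= ?",
            (qty, sku, qty),
        )
        if cur.rowcount != 1:
            raise ValueError("insufficient stock or unknown sku")
    return stock_safe(conn, sku)[0]


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"
    print("unsafe:", stock_unsafe(db, probe))   # leaks the row: [10]
    print("safe:  ", stock_safe(db, probe))     # matches nothing: []
    print("after order of 3:", place_order(db, "tv", "3"))
    for bad in ("-3", "0", "abc", "1000"):
        try:
            place_order(db, "tv", bad)
        except ValueError as exc:
            print("rejected %r: %s" % (bad, exc))
```

The point of the unsafe/safe pair is that the fix is structural (bound parameters), not pattern matching on the input; the quantity check is separate because a proxy firewall that only looks for SQL metacharacters has no way to know that -3 is out of range for this field.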