[nycbug-talk] (no subject)
kacanski_s at yahoo.com
Sat Jul 14 14:15:24 EDT 2007
I have been having interesting discussions regarding security implementation of the multi-tier web architecture. Long ago I used to be a proponent of the fw-per-layer approach. This would boil down to a fw before and between the web tier and application, and one between the db or any other back-end form of meta data silo(s). Through experience and lengthy troubleshooting sessions I am wary of FWs and persistent connections and working around them with socket_keepalive properties. I am specifically referring to apache and the ajp proxy plugin, but I saw a number of production issues with real proxy servers and fws. These days I prefer to have a fw fronting some sort of load balancer on the unsecure subnet and to move the web tier to a private network without a fw between it and the app stack. The second instance of the fw I add between the application portal and the meta data silo. I see no gain in having web servers in the DMZ just to terminate http traffic on the DMZ zone. In my opinion possible exploits will be executed against business logic and application content and/or the "database layer". The web tier is strictly being used to "proxy" dynamic content at this point via a binary protocol.
Any views or comments?
Aleksandar (Sasha) Kacanski (NYUMC)
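The keepalive problem Sasha describes (a stateful firewall silently dropping idle pooled AJP connections between the web tier and the app tier) is usually handled on the Apache side with the mod_proxy connection parameters shown below. This is an added illustration, not configuration from the original post; the hostnames, the 60-second ttl and the 5-second connect timeout are assumptions chosen for the example.

```apache
# Added example (not from the original post): web tier (DMZ) proxying to
# an app tier that sits behind a stateful firewall over AJP.
# app1/app2.internal and the numeric values are assumptions.

<Proxy "balancer://appcluster">
    # keepalive=On  : send TCP keepalive probes on the pooled connection so
    #                 the firewall's idle timer does not expire the flow.
    # ttl=60        : retire pooled connections older than 60s, so a
    #                 connection the firewall already dropped is not reused
    #                 for a live request (the classic "first request after
    #                 idle fails" symptom).
    # connectiontimeout=5 / retry=30 : fail fast to a dead member and
    #                 re-try it after 30s instead of hanging the client.
    BalancerMember "ajp://app1.internal:8009" keepalive=On ttl=60 connectiontimeout=5 retry=30
    BalancerMember "ajp://app2.internal:8009" keepalive=On ttl=60 connectiontimeout=5 retry=30
</Proxy>

ProxyPass        "/app/" "balancer://appcluster/app/"
ProxyPassReverse "/app/" "balancer://appcluster/app/"
```

keepalive=On only helps if the OS keepalive timer (on Linux, net.ipv4.tcp_keepalive_time, which defaults to 7200 seconds) fires sooner than the firewall's idle-session timeout, so the sysctl and the firewall policy have to be checked together.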