[nycbug-talk] (no subject)

Aleksandar Kacanski kacanski_s at yahoo.com
Sat Jul 14 14:15:24 EDT 2007


Hello,
I have been heaving interesting discussions regarding  security implementation of the multi tier web architecture. Long ago I used to be proponent of the fw per layer approach. This would boil down to fw before and between web tier and application and one between db or any other back end  form of meta data silo(s). Through experience and lengthly troubleshooting sessions I am weary of FW  and persistent connections and work around with socket_keepalive properties. I am specifically referring to apache and ajp proxy plugin but I saw number of production issues with real proxy servers and fw. These days I prefer to have a fw fronting some sort of load balancer on the unsecure subnet and to move web tier to private network without fw between it and app stack. Second instance of the fw I add between application portal and meta data silo. I see no gain in heaving web servers in the DMZ just to terminate http traffic on the DMZ zone. In my opinion possible exploits will be
 executed against business logic  and application content and/or  "database layer" .  The web tier  is strictly  being used  to "proxy" dynamic content at this point via binary protocol.

Any views or comments?
Regards,

Aleksandar (Sasha) Kacanski (NYUMC)





 
____________________________________________________________________________________
It's here! Your new message!  
Get new email alerts with the free Yahoo! Toolbar.
http://tools.search.yahoo.com/toolbar/features/mail/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.nycbug.org:8443/pipermail/talk/attachments/20070714/cb749595/attachment.htm>


More information about the talk mailing list