Raphael Melo de Oliveira Bastos Sales wrote:
He claims that if someone invades my machine, they will have direct
access to all data; that I have to distribute the database, put it on
another machine and have the web application access that database over
the network. I feel this is a bit overkill. Not only would it force
the data to travel through the network, slowing it down, but it would also
increase the complexity of the security layout, forcing me to make the
two machines very secure, instead of just one of them. Besides, I
might be wrong, but I feel that a local socket is faster and safer
than CORBA transmitting data over the internal network.

If anybody has any comments, I'd be more than happy to hear them.

First, on the issue of distributing: yes, you will have a nominally more secure application. This assumes, of course, that the attacker cannot take any part of your application and use it against you by accessing the database themselves.

The interesting paradox is that by moving your application to another machine and using a network between them for communicating data, the application usually runs faster.

Think carefully about the RPC mechanism. Don't try to reinvent the wheel with your own socket connection, because you will spend a lot of time getting it right and validating it when you could be doing other things that are more fun, productive, and impress your boss with your lack of a "not invented here" attitude.

CORBA is complex to get started with, but it is one of the faster RPC mechanisms available (if memory serves). XML-RPC is trivially easy to use but is much slower because of XML. Sun RPC? Well, it's a gray beard. Try not to use it.

On the security profile, don't sweat it. The best you can do is set up the local machine firewalls to deny access from each other except for the database connection. SSH should only be permitted from your green network. Everything else really depends on what you need exposed and where.

Connection security can be handled with SSL. Many database engines support this (if memory serves).


---eric
--
gentoo-user@gentoo.org mailing list
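As an added example that is not part of this thread or of any project's code: the database-side half of Eric's advice (let only the application host connect to the database, and only over SSL, with a real authentication method) expressed as an audit of a PostgreSQL pg_hba.conf, followed by a hardened rewrite of it. The choice of PostgreSQL, the web host address 10.0.1.20, the `webapp` database and `web` role, and the sample pg_hba.conf itself are all constructed assumptions for this example. The host firewall rules Eric mentions are the other half and are not covered here.

```python
"""Audit a pg_hba.conf against the policy from the thread: only the app host may
reach the database over the network, and only over TLS with strong auth."""
import ipaddress

# Constructed sample pg_hba.conf; not from the original post. The app host
# address, database name and role are assumptions for this example.
WEAK_HBA = """\
# TYPE  DATABASE  USER  ADDRESS          METHOD
local   all       all                    peer
host    all       all   127.0.0.1/32     md5
host    all       all   0.0.0.0/0        trust          # anyone, no password, no TLS
host    webapp    web   10.0.1.0 255.255.255.0 password # whole subnet, cleartext password
hostssl webapp    web   10.0.1.20/32     scram-sha-256  # the only remote line we want
"""

APP_HOST = ipaddress.ip_network("10.0.1.20/32")   # assumed address of the web app host
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
WEAK_METHODS = {"trust", "password"}               # no auth at all / cleartext password


def _within(net, other):
    """subnet_of() raises on mixed IPv4/IPv6; treat that as 'not within'."""
    return net.version == other.version and net.subnet_of(other)


def parse_hba(text):
    """Parse pg_hba.conf lines into dicts with type, database, user, address, method.
    Handles both CIDR and the older 'ADDRESS NETMASK' two-column form."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # strip comments and blank lines
        if not line:
            continue
        tok = line.split()
        if tok[0] == "local":                      # Unix socket rules have no address
            rules.append({"type": "local", "database": tok[1], "user": tok[2],
                          "address": None, "method": tok[3]})
            continue
        addr, rest = tok[3], tok[4:]
        if "/" not in addr and rest and rest[0][0].isdigit():
            addr, rest = f"{addr}/{rest[0]}", rest[1:]   # separate netmask column
        net = ipaddress.ip_network("0.0.0.0/0" if addr == "all" else addr, strict=False)
        rules.append({"type": tok[0], "database": tok[1], "user": tok[2],
                      "address": net, "method": rest[0]})
    return rules


def audit(rules, app_host=APP_HOST):
    """Return (rule_index, reason) findings for every rule that violates the policy."""
    findings = []
    for i, r in enumerate(rules):
        if r["type"] == "local" or r["method"] == "reject":
            continue                               # socket-only, or an explicit deny
        if r["method"] in WEAK_METHODS:
            findings.append((i, f"method '{r['method']}' sends no or cleartext credentials"))
        if _within(r["address"], LOOPBACK):
            continue                               # local TCP never crosses the network
        if r["type"] != "hostssl":
            findings.append((i, f"type '{r['type']}' does not force TLS for a remote client"))
        if not _within(r["address"], app_host):
            findings.append((i, f"address {r['address']} is broader than the app host {app_host}"))
    return findings


def harden(rules, app_host=APP_HOST, database="webapp", user="web"):
    """Rewrite: keep socket and loopback rules that use real auth, allow exactly one
    TLS+SCRAM rule for the app host, and end with an explicit reject for everything else."""
    out = ["# TYPE  DATABASE  USER  ADDRESS  METHOD"]
    for r in rules:
        if r["type"] == "local":
            out.append(f"local   {r['database']}  {r['user']}  {r['method']}")
        elif _within(r["address"], LOOPBACK) and r["method"] not in WEAK_METHODS:
            out.append(f"host    {r['database']}  {r['user']}  {r['address']}  {r['method']}")
    out.append(f"hostssl {database}  {user}  {app_host}  scram-sha-256")
    out.append("host    all  all  0.0.0.0/0  reject")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    weak = parse_hba(WEAK_HBA)
    for idx, reason in audit(weak):
        print(f"rule {idx}: {reason}")
    print("\nhardened pg_hba.conf:\n" + harden(weak))
```

Running it lists three findings each for the `trust` and `password` lines and none for the loopback or `hostssl` lines; the hardened output, fed back through `audit`, is clean. The explicit trailing `reject` is belt-and-braces, since pg_hba.conf already denies anything that matches no rule, but it makes the intent visible to the next person who edits the file.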
