Re: [cobalt-users] best use of RaQ3i & RaQ3
- Subject: Re: [cobalt-users] best use of RaQ3i & RaQ3
- From: John Rood <john@xxxxxxxxx>
- Date: Tue Jul 18 13:29:20 2000
On Mon, 17 Jul 2000, B. Newman wrote:
> I have one RaQ3 with 13.2 GB and one RaQ3i with 15.x GB HD. I want to use
> one server for my main site and a few small virtuals, and one server to
> store records with MySQL. My setup needs to be as secure as possible and
> the transfer of my site and records needs to be done by the end of the week.
> Does anyone have any advice on the best way to set this up and which server
> to use for sites and database? The database will contain sensitive info, so
> use of a firewall or any other security appliance or application will be
> needed if possible. I have been informed that all work on the servers needs
> to remain in-house.
> Any advice on or off list will be greatly appreciated.
>
> Thanks,
> B. Newman
> brettnewman@xxxxxxxxx
Hi Brett,
Using these two machines, the easiest way to create a reasonably secure
setup is using the raq3i as the webserver and the raq3. You just hook up
the raq3 to the 2nd ethernet interface of the 3i, creating a small private
network. This way the database server isn't directly accessible from the
net, but the security stands and falls with the setup/programming on the
3i. If this box gets compromised, it's fairly simple to access the
database server and probably get mysql account info from one of the
scripts/programs used on the webserver. What a better setup might be, is a
small variation on the above one, but only with a firewall between the
raq3i and raq3, with a tunnel through it from the raq3i to the raq3. If
this setup is possible depends on your website setup and the parts of it
that need db access. The 'normal' parts of the site(s) that don't need db
access run on the raq3i (the front), the sensitive parts that use db access
run on the raq3, on its own webserver safely tucked away behind the
firewall. The db parts can be made available via a reverse proxy setup in
apache on the raq3i using mod_rewrite and mod_proxy (not installed by
default). This way it's pretty hard to distinguish between parts of the
site served by the raq3i or the raq3. There are various other setups, but
these two are the most simple (and cheapest setups) I guess. If you want a
really really really secure setup, I suggest you contact some consulting
agency that specializes in setups like this. They can tailor a solution
for your needs and prolly give a guarantee too.
Best regards,
John
--
Hi! I'm a .signature virus! Copy me into your ~/.signature to help me spread!
--
John C. Rood
UNIX programmer/Database developer/System administrator
SFARC Networks, The Netherlands - http://www.sfarc.net
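
The reverse proxy layout described in the reply above, as an added configuration example that is not part of the original post. It uses Apache 2.4 syntax; the private addresses (192.168.10.1 for the RaQ3i's second interface, 192.168.10.2 for the RaQ3), the hostname, the /members/ prefix and the document roots are all assumptions made for illustration.

```apache
# --- Front server (RaQ3i): public virtual host --------------------------
# Assumes mod_rewrite, mod_proxy and mod_proxy_http are loaded.
<VirtualHost *:80>
    ServerName www.example.com
    # Hypothetical path holding the 'normal' parts that need no db access
    DocumentRoot /var/www/front

    # Reverse proxy only: never relay arbitrary client-supplied URLs
    ProxyRequests Off

    RewriteEngine On
    # Only the db-backed prefix is handed to the back server;
    # the [P] flag passes the request through mod_proxy.
    RewriteRule ^/members/(.*)$ http://192.168.10.2/members/$1 [P,L]

    # Rewrite Location headers on back-end redirects so the private
    # address never appears in responses sent to clients.
    ProxyPassReverse /members/ http://192.168.10.2/members/
</VirtualHost>

# --- Back server (RaQ3): behind the firewall ----------------------------
# Bind to the private interface only, so nothing answers on other addresses.
Listen 192.168.10.2:80
<VirtualHost 192.168.10.2:80>
    ServerName www.example.com
    # Hypothetical path holding the db-backed application
    DocumentRoot /var/www/back

    # Accept requests from the front server's private address and nothing else
    <Location "/">
        Require ip 192.168.10.1
    </Location>
</VirtualHost>
```

The firewall between the two machines would then only need to pass TCP port 80 from 192.168.10.1 to 192.168.10.2, and MySQL on the back server can listen on localhost alone, since only the local webserver talks to it.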