Re: PCI / AV / Linux DB Servers
Date: Fri, 31 Jan 2014 23:05:10 +0100
Message-ID: <52EC1E16.5000409_at_gmail.com>
Hi Stephan,
On 31/01/2014 18:23, Uzzell, Stephan wrote:
>
> That's something we've discussed. However, we have some application
> servers (multi-customer environment) where the application servers are
> available via public internet. This is primarily for customers that
> are not large enough to invest in MPLS or a VPN. While we are
> absolutely on board with removing the internet access from our DB
> servers, I don't think we can cut the entire datacenter off.... So
> with some servers necessarily exposed, how do we protect the DB
> servers (my area of concern)?
>
I've never seen a corporate data center directly exposed on the Internet,
but that's only my personal experience.

I'm not a network & security guy, but as Tim already pointed out, the
first security layer is usually the DMZ, where external-facing services
are exposed through modern network devices that combine security, load
balancing, content switching, SSL acceleration and IDS (Intrusion
Detection System). Access is usually permitted by exact
server:port-to-server:port mapping, and there are often additional
firewalls between FE and BE.

And that's not all. Every server is hardened at OS level, with the
principle of least privilege in mind.

Regarding your last question, in a nutshell, only trusted hosts should
have access to your database servers. If the cost of the specialized
hardware is considered too high (?!), the bare minimum I can think of is
to use the OS native tools like SELinux and iptables.
Regards
Dimitre
--
http://www.freelists.org/webpage/oracle-l

Received on Fri Jan 31 2014 - 23:05:10 CET
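The "only trusted hosts should reach the database servers, at minimum with iptables" point above, as an added example that is not part of the thread or anyone's posted code. It generates a host-based allow-list for a DB listener and includes an offline checker so the policy can be reviewed without root or a live firewall. All addresses and the port are constructed assumptions (TCP 1521 as a typical Oracle listener port, two application servers, one admin host); nothing is applied to the running kernel, the rules are only emitted as text for `iptables-restore`. SELinux, the other tool named in the reply, is not covered here.

```shell
#!/bin/sh
# Added example (not from the oracle-l thread): default-deny INPUT policy
# for a database host, allowing the listener port only from trusted
# application servers and SSH only from one admin host.
# All addresses below are constructed placeholders, not real infrastructure.

DB_PORT=1521                                  # assumed listener port
TRUSTED_APP_HOSTS="10.10.20.11 10.10.20.12"   # constructed app server IPs
ADMIN_HOST="10.10.30.5"                       # constructed admin host IP

# Emit an iptables-restore compatible filter table. INPUT defaults to DROP,
# so anything not explicitly listed (including the DB port from the wider
# datacenter network) is dropped and logged.
gen_db_rules() {
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for h in $TRUSTED_APP_HOSTS; do
        echo "-A INPUT -p tcp -s $h --dport $DB_PORT -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "-A INPUT -p tcp -s $ADMIN_HOST --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
    # Log what gets dropped so unexpected callers show up in syslog.
    echo '-A INPUT -j LOG --log-prefix "DB-INPUT-DROP: " --log-level 4'
    echo 'COMMIT'
}

# Offline policy check: prints "accept" or "drop" for a new TCP connection
# from source IP $1 to destination port $2, mirroring gen_db_rules above.
# Always returns 0 so it can be used inside $(...) under set -e.
would_accept() {
    src=$1
    dport=$2
    for h in $TRUSTED_APP_HOSTS; do
        if [ "$src" = "$h" ] && [ "$dport" = "$DB_PORT" ]; then
            echo accept
            return 0
        fi
    done
    if [ "$src" = "$ADMIN_HOST" ] && [ "$dport" = "22" ]; then
        echo accept
        return 0
    fi
    echo drop
    return 0
}

# Number of ACCEPT rules on the DB port; should equal the trusted host count.
count_db_accepts() {
    gen_db_rules | grep -c -- "--dport $DB_PORT .*-j ACCEPT"
}

# Stand-alone use: DB_RULES_PRINT=1 sh db_rules.sh > /etc/iptables/rules.v4
if [ "${DB_RULES_PRINT:-0}" = 1 ]; then
    gen_db_rules
fi
```

Review the emitted ruleset before loading it with `iptables-restore`; the design choice is a default-DROP INPUT chain with a trailing LOG rule, so adding a new application server means adding one explicit ACCEPT line rather than widening a range, and any host that is reached from the internet-facing tier but is not in the list leaves a logged trace instead of a connection.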