#11
On 3/21/2011 4:57 PM, Dr.X wrote: ....

In general, unless there is a need for the system to be accessed from another machine, security-conscious people keep the MySQL port closed to the outside world. It's also possible to open it to one other machine if, for instance, you have a web server on one machine and MySQL on another, but that's not as common.

As for not accepting the gig - you know better than anyone your experience and capabilities. Personally, I find it rather refreshing to see someone turn down a job because they don't feel qualified; too many times I've seen people who know absolutely nothing about some technology take a gig and try to learn on the job.
#12
It is not that uncommon to expose the MySQL port to *your LAN*. This is especially true if your SQL server and Web server would otherwise have to be on the same machine, swapping each other and slowing things down, and you need now or expect to need the performance from using separate machines. Good practice would be to have a firewall (no, I don't mean one running on a Windows system. It's likely to be part of a Cisco router, and I don't mean one of those home $50 routers.) between your LAN and the outside Internet, and block incoming connections for MySQL from the outside. HTTP connections would be allowed through to the public web server. This same firewall would prevent anything claiming to be from your LAN but coming *IN* from the outside Internet from getting in.

Note that it is possible to have MySQL restrict logins to a minimum number of machines on your LAN. Use this feature. It is also possible to have a MySQL login used by a web server grant only read-only permissions to the MySQL tables for applications that don't need to alter tables.
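The two MySQL-side controls described in the post above (logins restricted to specific LAN hosts, and a web-server account with read-only rights), written out as an added example that is not part of the thread; the database name, account names, addresses and passwords are placeholders chosen for illustration.

```sql
-- Added example, not from the thread. Placeholders: shopdb (database),
-- webapp / webapp_rw (accounts), 192.168.10.20 (the web server's LAN address).
-- Assumes MySQL is also told to listen only on its LAN interface, e.g.
-- bind-address = 192.168.10.5 in my.cnf, so nothing on the public side can reach it.

-- 1. Restrict where the web server's account may log in from. The host part of
--    the account name limits logins to one LAN address instead of '%' (anywhere).
CREATE USER 'webapp'@'192.168.10.20' IDENTIFIED BY 'CHANGE-ME-strong-password';

-- 2. Grant only what the application needs: read access to one database,
--    so a compromised page cannot alter or drop tables through this account.
GRANT SELECT ON shopdb.* TO 'webapp'@'192.168.10.20';

-- A second, equally host-restricted account for the one component that really
-- has to change rows. Still no DDL (CREATE/DROP/ALTER) and no admin rights.
CREATE USER 'webapp_rw'@'192.168.10.20' IDENTIFIED BY 'CHANGE-ME-other-password';
GRANT SELECT, INSERT, UPDATE, DELETE ON shopdb.* TO 'webapp_rw'@'192.168.10.20';

-- Check 1: accounts that may connect from any host. This should return no rows;
-- each row is an account whose login is not tied to a machine on your LAN.
SELECT user, host FROM mysql.user WHERE host = '%';

-- Check 2: confirm the web account holds nothing beyond SELECT on shopdb.
SHOW GRANTS FOR 'webapp'@'192.168.10.20';
```

The two SELECT/SHOW statements at the end are the audit step: run them after any change to confirm no account has drifted back to an any-host login or broader privileges.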
#13
Dr.X wrote:
On 3/20/2011 9:45 PM, Jerry Stuckle wrote:
Next, ignore TNP. He's a well-known troll with no real programming experience.
Well, troll or not, he did have some good advice on what to look for. I'll keep an eye on him anyways :-D

The troll is Jerry.
#14
On Mon, 21 Mar 2011 21:08:17 +0000, The Natural Philosopher tnp (AT) invalid (DOT) invalid> wrote:
Dr.X wrote:
On 3/20/2011 9:45 PM, Jerry Stuckle wrote:
Next, ignore TNP. He's a well-known troll with no real programming experience.
Well, troll or not, he did have some good advice on what to look for. I'll keep an eye on him anyways :-D
The troll is Jerry.
I wouldn't care to use nntp if there wasn't some sort of fun factor attached to it :-)
-Dr.X

Ok, sounds like you are sharp enough to work out where it's at.
#15
My security concern was more about exposing the SQL port. I know there are always security risks when you expose any port, but for some services it is necessary (e.g. POP, SMTP). In this case, the only service running will be MySQL. How do the big boys do it? Do they only use MySQL as a back end so no one can directly connect to it?
#16
Dr.X:
My security concern was more about exposing the SQL port. I know there are always security risks when you expose any port, but for some services it is necessary (e.g. POP, SMTP). In this case, the only service running will be MySQL. How do the big boys do it? Do they only use MySQL as a back end so no one can directly connect to it?

They may consider placing it in a DMZ, so the server will be accessible without exposing anything else in the network.

-- Erick
#17
On Mar 22, 2:47 am, "Erick T. Barkhuis"<erick.use-... (AT) ardane (DOT) c.o.m wrote:
Dr.X:
My security concern was more about exposing the SQL port. I know there are always security risks when you expose any port, but for some services it is necessary (e.g. POP, SMTP). In this case, the only service running will be MySQL. How do the big boys do it? Do they only use MySQL as a back end so no one can directly connect to it?
They may consider placing it in a DMZ, so the server will be accessible without exposing anything else in the network.
-- Erick

Here is a fairly decent-looking network topology. Note that there is no direct access from the internet to the database server - nor should there be... Although this paper is somewhat dated (circa 1998), it still gives you a pretty good idea of how things should be set up. I am not endorsing this paper, just found it to look like a lot of systems/networks I have seen over the years.

http://www.cs.kent.edu/~javed/DL/web/98800111.pdf