Re: DMZ design
comp.security.firewalls archive

From: Ansgar -59cobalt- Wiechers <usenet-2005@planetcobalt.net>
Date: Wed Nov 30 2005 - 15:33:23 CET

Leythos wrote:
> In article <3v40jiF13hjo6U1@individual.net>, usenet-2005@planetcobalt.net says...
>> Leythos wrote:
>>> Port 1433 isn't going to allow access to Enterprise manager, and as
>>> long as your DB Server is patched, then allowing 1433 from the DMZ
>>> to LAN via IP:PORT>IP:PORT won't compromise the network.
>>
>> And with one of the setups I described above, my network wouldn't be
>> compromised even *if* the webserver got compromised *and* there was
>> an unpatched vulnerability in the DBMS *and* an attacker had a 0-day.
>> Defense in depth.
>
> Wrong - If the database server in DMZ2 is compromised by a 0-Day
> exploit, and you've set up replication between the DMZ1 DB server, so
> that you have real-time information available, then the same 0-Day
> exploit will reach through and compromise that server too.

No. Simply because replication and web application use different
mechanisms to access the server. Besides, I didn't say anything about
real-time replication.

cu
59cobalt

-- 
"Another option [for defragmentation] is to back up your important files,
erase the hard disk, then reinstall Mac OS X and your backed up files."
--http://docs.info.apple.com/article.html?artnum=25668
Received on Sat Dec 3 04:18:54 2005