General discussion


Web-based Database Security

By TomSal ·
My company is deep into the development phase of the most advanced, most ambitious database system (we actually call it an operations system - because it's way more than just a database) in the history of our company - and quite possibly our industry (Maintenance Management Services).

It's my job to secure this thing once it goes live - since it will be accessible through the web, which obviously means "to the world".

I want the transactions encrypted with SSL 128 bit, in the most cost effective way - with a vendor who is known for quality service.

Since I've noticed there are a few vendors that offer digital certificates - which one do you like most and why?

In addition, how do you feel about Apache as a secure web server for such an important "operations system"? Personally I feel more comfortable with it than IIS but I wanted to know what the general consensus is.

- Thanks in advance.


Each CA issuer is different

by BR-TR In reply to Web-based Database Securi ...

You really need to look at certificate issuers according to your needs.
Some, like Verisign, issue certificates at a flat per-cert rate that is good for businesses that don't know their upfront demand and need to purchase them on an ongoing basis.
Others, like Entrust, work on selling you a PKI infrastructure. It has a large upfront cost, but you get to control the whole operation, and it might be cheaper in the long run if you need a lot of certificates.

Your description sounds closer to the Entrust picture, but you need to talk with each of Verisign and Entrust (as well as Thawte) to confirm what they can do for you.


Web-based Database Security

by POLtrup In reply to Web-based Database Securi ...

Since it sounds as though the project is already under way, the preferred web server platform will be driven by compatibility with what you've already got on your plate... If you've built the datastore on an MS platform, your cheaper/easier solution would be to continue in that direction on the web (follow MS's IIS security checklist to the "T"!!!).

Apache/PHP is now fairly well supported on both MS and Unix platforms, and IMHO the better choice with it riding on a Unix base. With PHP, you *can* reach back to an MS server (Unix ODBC call-outs seem to be the generally preferred consensus).

Either way, your web server should *NOT* be the DB server!! Place the web server in a DMZ and the DB server behind the wall, with restricted DB-only access to the DB server from *only* the web server.

As for certificates... Entrust/Verisign provide a default trusted entity in most browsers. However, there's nothing saying you can't generate your own certificate... IIS and Apache (with SSLeay or mod_SSL) both support certificate generation. The drawback is that the client will be prompted with a question... "Are you willing to trust this host as being who he says he is?..." The client can then accept your server's certificate for just this session, or until it expires... it's up to the client.
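As an added example (not code from the thread or from either poster), here is the self-signed certificate path POLtrup describes, worked through with the openssl command line: generate the certificate an Apache/mod_ssl administrator would install, then show the three trust outcomes a client can reach with it, namely rejection under the default CA bundle (the point at which a browser prompts), success once the client has accepted the certificate as its own trust anchor, and rejection again after expiry. The hostname and working directory are constructed for the example, and it assumes OpenSSL 1.1.0 or later is on PATH.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates a self-signed server
# certificate with the openssl CLI and exercises the trust decisions a client
# makes about it. Assumes openssl >= 1.1.0 on PATH; hostname is made up.
set -e

WORK="${WORK:-$(mktemp -d)}"
HOST="ops.example.internal"   # constructed hostname, not from the thread

# Generate an RSA key and a self-signed certificate valid for 365 days.
# The key is left unencrypted (-nodes) as Apache needs it at startup.
make_selfsigned() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/server.key" -out "$WORK/server.crt" \
    -days 365 -subj "/CN=$HOST" >/dev/null 2>&1
}

# Print the subject and expiry: the two fields a client is shown when it is
# asked whether to trust the host.
show_cert() {
  openssl x509 -in "$WORK/server.crt" -noout -subject -enddate
}

# A client holding only the public CA bundle: the self-signed certificate
# chains to nothing it trusts. Returns 0 when openssl rejects it (the expected
# outcome, and the moment a browser would prompt the user).
rejected_by_default_trust() {
  if openssl verify -no-CAfile -no-CApath "$WORK/server.crt" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# A client that has explicitly accepted this certificate: pinning the cert
# itself as the trust anchor makes verification succeed. Returns 0 on success.
accepted_after_pinning() {
  openssl verify -no-CAfile -no-CApath -CAfile "$WORK/server.crt" \
    "$WORK/server.crt" >/dev/null 2>&1
}

# The same pinned trust stops working once the certificate has expired, which
# is why the client's acceptance lasts "until it expires". Checks validity at
# 2100-01-01 (epoch 4102444800), well past the 365-day lifetime. Returns 0
# when openssl rejects the expired certificate.
rejected_when_expired() {
  if openssl verify -no-CAfile -no-CApath -CAfile "$WORK/server.crt" \
       -attime 4102444800 "$WORK/server.crt" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# Walk through the three outcomes when run directly.
make_selfsigned
show_cert
if rejected_by_default_trust; then
  echo "default trust: rejected, a browser would prompt the user"
fi
if accepted_after_pinning; then
  echo "after the client accepts the certificate: OK"
fi
if rejected_when_expired; then
  echo "after expiry: rejected again"
fi
```

Nothing here touches the system trust store; the pinned check passes the server certificate itself as the CA file, which is what a client's "accept this certificate" choice amounts to. The same chain verification is what a browser performs before prompting, which is why a certificate issued by a CA already in the default bundle (the Entrust/Verisign option above) avoids the prompt entirely.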
