Re: PCI / AV / Linux DB Servers

  • From: Tim Hall <tim@xxxxxxxxxxxxxxx>
  • To: stephan uzzell <SUzzell@xxxxxxxxxx>
  • Date: Fri, 31 Jan 2014 18:03:20 +0000

Hi.

Don't you have different network zones? I'm no network guy, but the
sort of thing we do is,

DB - In a zone that can not be accessed from an external location.
App Server - In a zone that can access the DBs (specific
machine-to-machine:port combinations only, not completely open) and
can be accessed by load balancers and reverse proxies in the DMZ.
DMZ - Reverse proxies and/or load balancers in the DMZ that can access
specific app servers on specific ports in the app server zone. No
direct access to DBs.

So users always access via the DMZ and never get directly into the
important stuff. With this all locked down to specific
machine-to-machine:port connections at the firewall level, it
minimizes (but does not eliminate) what can go wrong. We don't run AV on
our Linux installations or our UNIX stuff.

No auditors have complained about this setup yet...

Cheers

Tim...
--
//www.freelists.org/webpage/oracle-l
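The zone layout Tim describes (DB reachable only from specific app servers, app servers reachable only from DMZ proxies and load balancers on specific ports, nothing external touching the DB directly) can be written down as a default-deny rule set and checked mechanically. The script below is an added example, not code from the post or from the oracle-l list; all hostnames, ports, zone names and rules in it are constructed. It checks that every allow rule matches a zone-pair policy and that the shortest chain of permitted flows from an external client to the DB host is the full DMZ -> app -> DB path, so that a stray "convenient" DMZ-to-DB rule is caught before an auditor finds it.

```python
"""Policy model of the three-zone layout (DMZ / app / DB) described in the post.

A firewall rule set is written as explicit machine-to-machine:port allows
(default deny), and two checks run over it: every rule must match the
zone-pair policy, and the shortest chain of permitted flows from an external
client to the DB host must be the full DMZ -> app -> DB path.
All hostnames, ports and rules below are constructed for this example.
"""
from collections import deque
from dataclasses import dataclass

# Constructed inventory: which zone each host lives in.
ZONES = {
    "internet": {"client"},
    "dmz": {"rp1", "lb1"},          # reverse proxy, load balancer
    "app": {"app1", "app2"},
    "db": {"db1"},
}
HOST_ZONE = {host: zone for zone, hosts in ZONES.items() for host in hosts}

# Which zone pairs may talk at all, and on which destination ports.
# Anything not listed (internet->app, internet->db, dmz->db, ...) is denied.
ZONE_POLICY = {
    ("internet", "dmz"): {443},
    ("dmz", "app"): {8443},
    ("app", "db"): {1521},
}


@dataclass(frozen=True)
class Rule:
    src: str   # exact hostname; "*" would be a wildcard and is rejected below
    dst: str
    port: int


# Constructed rule set implementing the layout: specific host:port pairs only.
RULES = [
    Rule("client", "rp1", 443), Rule("client", "lb1", 443),
    Rule("rp1", "app1", 8443), Rule("rp1", "app2", 8443),
    Rule("lb1", "app1", 8443), Rule("lb1", "app2", 8443),
    Rule("app1", "db1", 1521), Rule("app2", "db1", 1521),
]


def check_rules(rules):
    """Return a list of human-readable violations; an empty list means the
    rule set conforms to ZONE_POLICY and contains no wildcards."""
    violations = []
    for r in rules:
        if "*" in (r.src, r.dst):
            violations.append(f"wildcard rule not allowed: {r}")
            continue
        if r.src not in HOST_ZONE or r.dst not in HOST_ZONE:
            violations.append(f"unknown host in rule: {r}")
            continue
        pair = (HOST_ZONE[r.src], HOST_ZONE[r.dst])
        allowed_ports = ZONE_POLICY.get(pair)
        if allowed_ports is None:
            violations.append(f"zone pair {pair[0]}->{pair[1]} not permitted: {r}")
        elif r.port not in allowed_ports:
            violations.append(f"port {r.port} not permitted for {pair[0]}->{pair[1]}: {r}")
    return violations


def hops_to(rules, start, target):
    """Shortest number of permitted flows chained from start to target, i.e.
    how many hosts would have to fall before target is even reachable.
    Returns None if target cannot be reached at all."""
    adjacency = {}
    for r in rules:
        adjacency.setdefault(r.src, set()).add(r.dst)
    queue = deque([(start, 0)])
    seen = {start}
    while queue:
        host, dist = queue.popleft()
        if host == target:
            return dist
        for nxt in adjacency.get(host, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, dist + 1))
    return None


if __name__ == "__main__":
    print("violations:", check_rules(RULES))                       # []
    print("client -> db1 hops:", hops_to(RULES, "client", "db1"))  # 3
    # One DMZ-to-DB rule both fails the policy check and shortens the path.
    leaky = RULES + [Rule("rp1", "db1", 1521)]
    for v in check_rules(leaky):
        print("VIOLATION:", v)
    print("client -> db1 hops with leak:", hops_to(leaky, "client", "db1"))  # 2
```

The zone-pair policy is deliberately the only place where "who may talk to whom" is stated; individual rules are just instances of it, which is what makes the review mechanical. Feeding the script an export of the real firewall's allow rules (mapped onto the same Rule shape) turns the "no direct access to DBs" claim into something that can be re-checked on every change.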
