How to send a secure request to the data tier through a firewall

Posted 2024-09-17 10:01:09 · 660 characters · 7 views · 0 comments


I've been asked to populate a flash file with some data from a database. I said, "Great, I will write some PHP that talks to the database and outputs xml. The swf can call that file."

My boss then told me that that solution wouldn't make the cut with IS, and I would have to find a more secure way of doing it. Ugh!

My proposed solution is to create some business logic that lives outside our corporate firewall. The actionscript will make a request to that file, which will send a secure request to a middle tier, which will reside behind the firewall. The middle tier will handle the request by connecting to the database and returning the appropriate data back through the firewall over the same secure connection. The business logic then outputs xml and everybody is happy.

I have diagrammed what I'm trying to do to make it very clear:
http://twitpic.com/2kj0tk

Here are my questions:

  1. Does this solution comply with industry best practice?
  2. Will it work?
  3. What code do I need to write in each tier to establish a secure connection and transfer data over that firewall? I thought maybe I could use cURL, but I don't know if this would work through the firewall. Would anybody mind relating how they would solve this, with code samples if possible?
  4. It may work out that I end up having to write the solution in .NET. How would that change my approach?
  5. What, if any, other information do you need from me to help solve this problem?

Thanks guys!


Comments (1)

烈酒灼喉 2024-09-24 10:01:09


Depending on the type of data you're securing and how security conscious your IT dept is, the "real" solution would be to put your database servers behind their own firewalls (yes, inside your corporate network). Your middle tier would talk to the database using standard protocols through this firewall.

Your middle tier runs behind your "main" firewall (there can be varying levels here, but at its simplest this is the firewall that is between your network and the internet).

Your web servers sit in a DMZ off this "front" firewall so that all traffic to/from them (including from the internet) must go through this front firewall.

At this point you can use standard techniques to communicate from your webserver to your middle tier. Then your middle tier uses standard techniques to communicate with the database. I would agree it's not a great idea to let your web servers talk directly to the database.

My question to my boss would be "why is the original solution a bad idea?". Do they want data encrypted across the internal network? Or is it just the webservers -> DB Server connection that is bothersome (which I agree with)?
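The "standard techniques" the answer refers to, and the code samples question 3 asks for, look roughly like the two files below. This is an added example, not code from the poster or the answerer: the DMZ web tier relays the swf's request to the middle tier over HTTPS with the server certificate checked against the company's internal CA and a client certificate presented so the middle tier can tell who is calling; the middle tier checks that certificate, runs a parameterised read-only query, and returns JSON, which the web tier turns into XML for the swf. The hostnames, file paths, the `/api/report` endpoint, the `report_items` table, the `reports_ro` account and the `CN=webtier.dmz.example` subject are all assumptions; the middle tier also assumes its HTTPS server verifies client certificates and exposes the subject as `SSL_CLIENT_S_DN` (Apache mod_ssl with `SSLVerifyClient require` does this). Two files are shown one after the other in a single listing.

```php
<?php
// ===== File 1: gateway.php, runs on the DMZ web tier (the script the swf calls) =====
// Added example, not the poster's code. Hostnames, file paths, the /api/report
// endpoint and the report_items table are assumptions.
declare(strict_types=1);

const MIDDLE_TIER_URL = 'https://middle-tier.internal.example:8443/api/report'; // assumed
const CA_BUNDLE       = '/etc/ssl/internal-ca.pem';    // CA that issued the middle tier's server cert (assumed path)
const CLIENT_CERT     = '/etc/ssl/webtier-client.pem'; // this host's client certificate (assumed path)
const CLIENT_KEY      = '/etc/ssl/webtier-client.key';

// Relay one request across the firewall over mutually authenticated HTTPS.
function fetchReport(string $reportId): string
{
    // Reject anything but a narrow identifier before it crosses the firewall.
    if (!preg_match('/^[A-Za-z0-9_-]{1,32}$/', $reportId)) {
        throw new InvalidArgumentException('invalid report id');
    }
    $ch = curl_init(MIDDLE_TIER_URL . '?id=' . rawurlencode($reportId));
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_SSL_VERIFYPEER => true,            // refuse untrusted server certificates
        CURLOPT_SSL_VERIFYHOST => 2,               // certificate must match the hostname
        CURLOPT_CAINFO         => CA_BUNDLE,       // trust only the internal CA, not the public bundle
        CURLOPT_SSLCERT        => CLIENT_CERT,     // mutual TLS: the middle tier checks who is calling
        CURLOPT_SSLKEY         => CLIENT_KEY,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS, // never downgrade to plain http
        CURLOPT_FOLLOWLOCATION => false,           // no redirects away from the pinned endpoint
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    $error  = curl_error($ch);
    curl_close($ch);
    if ($body === false || $status !== 200) {
        throw new RuntimeException('middle tier request failed: ' . ($error ?: "HTTP $status"));
    }
    return $body; // JSON array of {name, value} rows
}

// Build the XML the swf consumes with DOMDocument so values are escaped, never concatenated.
function toXml(array $rows): string
{
    $doc  = new DOMDocument('1.0', 'UTF-8');
    $root = $doc->createElement('items');
    $doc->appendChild($root);
    foreach ($rows as $row) {
        $item = $doc->createElement('item');
        $item->setAttribute('name', (string) ($row['name'] ?? ''));
        $item->appendChild($doc->createTextNode((string) ($row['value'] ?? '')));
        $root->appendChild($item);
    }
    return $doc->saveXML();
}

header('Content-Type: text/xml; charset=utf-8');
try {
    $rows = json_decode(fetchReport($_GET['id'] ?? ''), true, 8, JSON_THROW_ON_ERROR);
    echo toXml(is_array($rows) ? $rows : []);
} catch (Throwable $e) {
    error_log($e->getMessage()); // detail stays in the server log, not in the response
    http_response_code(502);
    echo '<items/>';
}

<?php
// ===== File 2: report.php, runs on the middle tier behind the main firewall =====
// Assumes the middle tier's HTTPS server requires a client certificate issued by the
// internal CA (e.g. Apache mod_ssl "SSLVerifyClient require") and exposes the verified
// subject DN as SSL_CLIENT_S_DN. The firewall should additionally allow this port only
// from the DMZ host.
declare(strict_types=1);

const ALLOWED_CLIENT_DN = 'CN=webtier.dmz.example'; // subject of the web tier's client cert (assumed)

if (($_SERVER['SSL_CLIENT_S_DN'] ?? '') !== ALLOWED_CLIENT_DN) {
    http_response_code(403);
    exit;
}
$id = $_GET['id'] ?? '';
if (!preg_match('/^[A-Za-z0-9_-]{1,32}$/', $id)) {
    http_response_code(400);
    exit;
}

// Read-only account and a parameterised query: the id never becomes part of the SQL text.
$pdo = new PDO(
    'mysql:host=db.internal.example;dbname=reports;charset=utf8mb4', // assumed
    'reports_ro',
    (string) getenv('DB_PASSWORD'),
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
);
$stmt = $pdo->prepare('SELECT name, value FROM report_items WHERE report_id = ?');
$stmt->execute([$id]);

header('Content-Type: application/json');
echo json_encode($stmt->fetchAll(PDO::FETCH_ASSOC), JSON_THROW_ON_ERROR);
```

Two things make this "go through the firewall" safely rather than just go through it: the firewall rule is narrowed to the DMZ host and the middle tier's port, so cURL can reach it and nothing else can, and both ends verify certificates, so a host that merely sits in the DMZ cannot impersonate the web tier and the web tier cannot be redirected to a look-alike middle tier. If the solution ends up in .NET, the shape does not change: the web tier makes the same call with `HttpClient` configured with a client certificate, and the middle tier checks the presented certificate before touching the database.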
