Subject: Re: security for netbsd as web server
To: Steven M. Bellovin <smb@cs.columbia.edu>
From: matthew sporleder <msporleder@gmail.com>
List: netbsd-users
Date: 03/25/2005 21:27:31
Is this newspeak that only allows strictly defined sql's across the
link in existence, or is it just theory?

In reply to the actual question, I think netbsd would be great for
this.  You could run the database chrooted as well as apache (possibly
in separate chroots using a virtual ip to talk).  I would recommend a
hybrid IDS like prelude since it integrates system and network IDS.
Encrypt your cgi setup files since they have a bad habit of storing
database passwords, etc, in plaintext.  This is a problem I am
currently working to overcome in php with blowfish, but cgd might not
be a bad solution.
For logging, an append-only log file might be close in place of a
dedicated logging server.


On Fri, 25 Mar 2005 17:23:34 -0500, Steven M. Bellovin
<smb@cs.columbia.edu> wrote:
> In message <1c42f0e050325140223d1bb1@mail.gmail.com>, Amadeus Stevenson writes:
> >Hello all,
> >
> >I've been pondering security for a web server + database server
> >recently, in order to make it as secure as possible.
> >
> >The obvious things for me were:
> >
> >-database server accessible only from web server via local network
> >-apache chrooted
> >-tried-and-tested versions of apache and cgi software (no new exploits
> >appearing)
> >-ipfilter block all default, allow in www with keep state
> >-securing cgi for code injection etc. (probably biggest area of
> >potential weakness)
> >
> >Is there anything else you could do? Password rotation? What would you
> >do if you had to run, say, a security-critical (eg. a bank or paypal)
> >system? Would you use netbsd? Why not (if so)?
> >
> >Sorry if this is the wrong group - I'm thinking about netbsd for this
> >as for me it's stripped down service wise to a minimum as it is.
> >
> 
> You don't need password rotation, because you don't need passwords.
> Well, it wouldn't hurt to have a root password, but the groups that
> apache and the db run in shouldn't be in a group that can use 'su'.
> 
> Ideally, you'd use two machines; put apache on one and the db on the
> second.  Ideally, both machines have two NICs:
> 
> Internet --- apache --- db --- back end
> 
> Have very strict ipfilters on both machines.  Don't speak anything as
> powerful as sql over that link; instead, it should be a very
> narrowly-defined application-specific language.  My usual term for that
> language is "newspeak", named after Orwell's 1984: the language where
> it was impossible to think a disloyal thought.  Here, it should be a
> language where you can't utter an insecure thought.  Watch out for sql
> injection attacks.  Run regular scans using something like tripwire,
> though that's hard to do properly from the suspect machine.  Strictly
> control access to either machine -- ssh only, via public key only
> (watch for the @#$%^ PAM configurations if you're running -current),
> and have an audit trail, possibly on a third machine that runs nothing
> but syslogd.
> 
> And most important of all, watch lots of mailing lists for security
> reports on anything and everything to do with your system.
> 
> As for using NetBSD -- for these purposes, it's likely no better and no
> worse than any other open source system.  The flaws are likely to be in
> the applications, and Apache and your CGI scripts will be about the
> same on any platform.
> 
>                 --Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb
> 
> 


-- 
_Matt
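Bellovin's "newspeak" link between the apache box and the db box, as an added illustration that is not part of this thread: a gateway on the db side accepts only two fixed verbs with strictly shaped arguments and maps each one to a single parameterized statement, so the web tier has no way to utter SQL at all. The accounts table, the verbs and the argument shapes are constructed for the example; Python's sqlite3 stands in for the real database.

```python
import re
import sqlite3

def make_db():
    """Constructed stand-in for the back-end database on the db machine."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id TEXT PRIMARY KEY, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("a1001", 250), ("a1002", 40)])
    conn.commit()
    return conn

# The entire vocabulary the web tier may speak: a verb and the exact shape of
# each argument. Anything outside this table cannot be expressed over the link.
ACCOUNT = re.compile(r"a\d{4}")       # constructed account ids look like a1001
AMOUNT = re.compile(r"[1-9]\d{0,6}")  # positive integer, at most seven digits
VOCABULARY = {"BALANCE": (ACCOUNT,), "DEBIT": (ACCOUNT, AMOUNT)}

def parse_request(line):
    """Parse one 'VERB arg ...' line from the web tier; reject anything else."""
    parts = line.strip().split()
    if not parts or parts[0] not in VOCABULARY:
        raise ValueError("verb not in vocabulary: %r" % line)
    verb, args = parts[0], parts[1:]
    shapes = VOCABULARY[verb]
    if len(args) != len(shapes):
        raise ValueError("wrong argument count for %s" % verb)
    for value, shape in zip(args, shapes):
        if not shape.fullmatch(value):   # whole token must match, not a prefix
            raise ValueError("malformed argument %r for %s" % (value, verb))
    return verb, args

def is_utterable(line):
    """True if the line is a well-formed sentence of the vocabulary."""
    try:
        parse_request(line)
        return True
    except ValueError:
        return False

def handle(conn, line):
    """Run one validated request; each verb is exactly one fixed statement."""
    verb, args = parse_request(line)
    if verb == "BALANCE":
        row = conn.execute("SELECT balance FROM accounts WHERE id = ?", args).fetchone()
        return None if row is None else row[0]
    account, amount = args[0], int(args[1])   # DEBIT: fails if funds are short
    cur = conn.execute("UPDATE accounts SET balance = balance - ? "
                       "WHERE id = ? AND balance >= ?", (amount, account, amount))
    conn.commit()
    return cur.rowcount == 1
```

The gateway process, not the CGI script, holds the database credentials, which also addresses the plaintext-password problem Matt raises.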