Alaska Software Inc. - WAA Safety issue
Tomaž Grom WAA Safety issue
on Tue, 04 Jul 2006 11:39:44 +0200
Hello!
We are considering making a part of application with WAA (for example: 
clients can view their orders). So we have some questions, mostly for 
database security.
What is the security risk at all?
Is the database accessible in other way than through WAA?
Is it possible to have a database in other directory than the web page 
itself at all?

Thank you for your time and answers!

Best regards,
 Tomaz Grom
Sander Elias Re: WAA Safety issue
on Tue, 04 Jul 2006 12:30:48 +0200
Hi Tomaz,

>We are considering making a part of application with WAA (for example: 
>clients can view their orders). So we have some questions, mostly for 
>database security.
>What is the security risk at all?
>Is the database accessible in other way than through WAA?
>Is it possible to have a database in other directory than the web page 
>itself at all?

A lot depends on which server software you choose. In most cases
it is Apache or IIS. I would not recommend IIS though! If there is a
choice, go for Apache.
If you put your database files inside the HTML root (the place where
your index.html resides, or a directory below that), they are up for
grabs. NEVER put them there, unless you don't care if your DBFs are
up for grabs.

If they are not in the root, they are as secure as your server is.
There are way too many variables on this to go into that in depth here.
But if you have an OK firewall (not all are equal!) and a good
antivirus program, it's not such a big risk. But never take safety for
granted!

You can even go further, and put your WAA app and the DBFs on a
different system, which is even safer.

If you placed your DBFs outside of the HTML root, and the rest of
the security is OK, only then can you assume that WAA is the only
program with outside access to your DBFs.


Regards
Sander Elias

-------------------------------------------------------------
xbHCL (http://www.xbHCL.com) the xbase HTML command layer
PBIH  (http://pbih.eu)       Polar Bear International Hosting
-------------------------------------------------------------
also a member of the XXP (http://www.xxp.nl)
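
Added example, not part of the original posts: a check for the advice above about keeping DBF files out of the HTML root, including data directories that only look separate because of `..` segments or links. The extension list, function names and the sample directory layout are assumptions constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

# Xbase-style table, memo and index extensions (assumed list; adjust to your data).
DB_EXTENSIONS = {".dbf", ".dbt", ".fpt", ".ntx", ".cdx"}


def is_inside(path, root):
    """True if path, after resolving symlinks and '..', lies in or below root."""
    path, root = Path(path).resolve(), Path(root).resolve()
    return path == root or root in path.parents


def exposed_db_files(docroot):
    """Return database files reachable below docroot, following directory links."""
    hits = []
    seen = set()
    for dirpath, dirnames, filenames in os.walk(docroot, followlinks=True):
        real = os.path.realpath(dirpath)
        if real in seen:          # guard against symlink loops
            dirnames[:] = []
            continue
        seen.add(real)
        for name in filenames:
            if Path(name).suffix.lower() in DB_EXTENSIONS:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def build_sample_tree(base):
    """Constructed layout: one stray DBF under the web root, real data outside it."""
    docroot = Path(base) / "htdocs"
    data = Path(base) / "data"
    (docroot / "orders").mkdir(parents=True)
    data.mkdir()
    (docroot / "index.html").write_text("<html></html>")
    (docroot / "orders" / "ORDERS.DBF").write_bytes(b"\x03")
    (data / "customer.dbf").write_bytes(b"\x03")
    return docroot, data


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        docroot, data = build_sample_tree(tmp)
        print("data dir inside web root:", is_inside(data, docroot))
        for f in exposed_db_files(docroot):
            print("exposed:", f)
```

Point `exposed_db_files` at the real document root and `is_inside` at the directory the application opens its tables from; any hit means the web server itself can hand out the files.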
Tomaz Grom Re: WAA Safety issue
on Wed, 05 Jul 2006 15:16:36 +0200
Thank you very much, Mr. Sander, for your comprehensive answer on a really 
critical issue, as safety is.

Best regards

Tomaz
Thomas Braun
Re: WAA Safety issue
on Mon, 24 Jul 2006 11:13:50 +0200
Tomaž Grom wrote:

> We are considering making a part of application with WAA (for example: 
> clients can view their orders). So we have some questions, mostly for 
> database security.
> What is the security risk at all?
> Is the database accessible in other way than through WAA?
> Is it possible to have a database in other directory than the web page 
> itself at all?

I may be a bit late (just came back from vacation...) but
nevertheless...

Security is an illusion... you first need to define against what kind of
attack(s) you need to secure the WAA database server - then you need to
find someone with the knowledge to implement your needs in hard- and
software.

A relatively secure setup would be a public web server only with the
gateway (if the application needs to be accessible on the public internet)
and the WAA server with all the databases "inside" guarded by a packet
filter which only allows traffic between the web server and the WAA server.

This way, even if the web server is compromised, the WAA server
should still be secure (more secure than if the gateway and WAA ran on the
same public machine).

Thomas