
Same Subnet Privileges Restrictions - MySQL


  1. #1

    Same Subnet Privileges Restrictions

    Short Description:

    We have a new customer accessible server that we want on the same
    subnet as our other workstations but want to keep someone from being
    able to hack into our network by someone hacking into the customer
    server and guessing login parameters for one of our more powerful user
    accounts.

    Long Description:

    We have a custom (non-web) program that runs on each user's workstation
    that talks with our MySQL server.

    So we have accounts with host entries of 10.2.1%

    Now, the tricky part

    We setup a server for customers to access our web-interface version of
    the same system.

    We created a separate MySQL account for the web server to use in its
    PHP code to access the server with restricted privileges.

    But our concern is that if someone were to somehow hack into the
    server, and be able to figure out one of our other mysql user accounts
    password, they could gain full access to our database

    So we put our new customer web server on a separate subnet. So all of
    our other accounts have a host of 10.2.1%, and the customer web server
    has a host of 10.2.3.%

    So this seems to solve our security problem

    However, now communication between our customer web server and the main
    server on separate subnets is horrifically slow

    Our ISP config'd the router for the 2nd subnet, and they say it's setup
    right, and that the slowness is an application issue. (I put the
    customer server back on the same subnet and it went back to full speed
    communications with the mysql server)

    So I'm going back to MySQL, to see if there is some way to have the
    customer server and our main server on the same subnet without the
    security risks.

    I thought if I made an entry in the HOSTS table containing every
    address but the customer server address that I could work something out
    that way. But I wasn't able to get it to work at all.

    Is there some other way of handling this security dilemma, or am I
    completely thinking wrong about this?

    zacware Guest

  2. #2

    Re: Same Subnet Privileges Restrictions

    >Long Description:
    >
    >We have a custom (non-web) program that runs on each user's workstation
    >that talks with our MySQL server
    >
    >So we have accounts with host entries of 10.2.1%
    Does that mean 10.2.1% or 10.2.1.% ? There is a difference.
    Consider an attempted access from 10.2.10.2 .
    >Now, the tricky part
    >
    >We setup a server for customers to access our web-interface version of
    >the same system.
    >
    >We created a separate MySQL account for the web server to use in its
    >PHP code to access the server with restricted privileges
    >
    >But our concern is that if someone were to somehow hack into the
    >server, and be able to figure out one of our other mysql user accounts
    >password, they could gain full access to our database
    >
    >So we put our new customer web server on a separate subnet. So all of
    >our other accounts have a host of 10.2.1%, and the customer web server
    >has a host of 10.2.3.%
    Describe the setup here. What host/router is on both subnets?
    What's the default route on the customer web server pointed at?
    >However, now communication between our customer web server and the main
    >server on separate subnets is horrifically slow
    How slow? Weeks?

    Try pinging from the customer to the main web server and vice versa.
    What are the ping times? Under 5ms is nice for a LAN.

    One thing to check: on the main server, do a reverse DNS lookup
    of the IP address of the customer web server. How long does it
    take? If it quickly gives an answer or quickly fails, this isn't
    a problem. If it fails SLOWLY, after say 45 seconds, this will be
    a problem when MySQL does a reverse DNS lookup when the customer
    web server tries to log in to MySQL, and will result in AWFUL
    response time delivering web pages. Set up your nameserver to be
    authoritative for the new subnet.

    Also consider the possibility of a half duplex/full duplex or speed
    mismatch on Ethernet. Somehow it manages to work a little, but if
    one end thinks it's 100M half and the other end thinks it's 100M
    full, you can end up with speeds worse than a 56K modem. This is
    a likely problem only if you've been reconfiguring interfaces to
    set up the second subnet.
    >Our ISP config'd the router for the 2nd subnet, and they say it's setup
    >right, and that the slowness is an application issue. (I put the
    >customer server back on the same subnet and it went back to full speed
    >communications with the mysql server)
    >
    >So I'm going back to MySQL, to see if there is someway to have the
    >customer server and our main server on the same subnet without the
    >security risks
    MySQL will use the most specific login entries available. So, for
    example, if you have a login for www10.2.1.0/24 with lots of
    permissions (I think you have to actually write this as
    www10.2.1.0:255.255.255.0), and another one for www10.2.1.86 (the
    customer web server) with less permissions, someone logging in from
    the customer web server gets fewer permissions.

    Another way to do this is simply to hand out minimum permissions needed
    to each machine individually, leaving out logins for the customer web
    server where they aren't needed.
    >I thought if I made an entry in the HOSTS table containing every
    >address but the customer server address that I could work something out
    >that way. But I wasn't able to get it to work at all.
    If you leave it out of the HOSTS table it will likely try to resolve
    it via DNS, which, if you don't have a DNS server authoritative for
    that subnet, may end up having to time out.
    >Is there some other way of handling this security dilemma, or am I
    >completely thinking wrong about this?
    Gordon L. Burditt
    Gordon Burditt Guest

  3. #3

    Re: Same Subnet Privileges Restrictions

    Thanks for the reply!
    > Does that mean 10.2.1% or 10.2.1.% ? There is a difference.
    > Consider an attempted access from 10.2.10.2 .

    I meant to write 10.2.1.%, not 10.2.1%. Ooops Sorry.

    > >However, now communication between our customer web server and the main
    > >server on separate subnets is horrifically slow
    >
    > How slow? Weeks?

    To give an example, to copy a 5MB file from our main server to the
    customer server on the new subnet, it takes 10-15 seconds; when the
    customer server is on the same subnet, it takes less than 1
    second (just as an example, everything is slower).

    Our ISP, who manages our router for us, says it's not their issue,
    although they say that all the time, and it frequently turns out to be
    their fault after all. I'm just trying to get it working any way I can
    since our sales department is going nuts.
    > MySQL will use the most specific login entries available. So, for
    > example, if you have a login for www10.2.1.0/24 with lots of
    > permissions (I think you have to actually write this as
    > www10.2.1.0:255.255.255.0), and another one for www10.2.1.86 (the
    > customer web server) with less permissions, someone logging in from
    > the customer web server gets fewer permissions.
    >
    THIS IS EXACTLY WHAT I'D LIKE TO DO AS A TEMPORARY FIX, BUT I CAN'T GET
    IT TO WORK. IT SEEMS THAT WHEN I DO THIS, THE CUSTOMER SERVER USES THE
    HIGHEST PERMISSIONS RATHER THAN THE LOWEST. Then again, I've been up
    for 18 hours straight working on this so I might be doing something
    wrong!

    zacware Guest
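The row selection Gordon describes in #2 (and that #3 could not get working), as an added Python model that is not MySQL's code or anything posted in the thread: MySQL sorts mysql.user rows most-specific Host first and accepts the first row whose Host and User both match, so a row with the same user name at the customer server's literal IP shadows the 10.2.1.% row only for logins from that one host. Assumptions: the customer server is 10.2.1.86 and the account names are constructed; the subnet form MySQL actually accepts in Host is '10.2.1.0/255.255.255.0'.

```python
import fnmatch
import ipaddress

# Constructed mysql.user rows for the thread's scenario: (Host, User, privilege label).
# The last row is the "shadow" account: same user name as the powerful account, the
# customer web server's literal IP (assumed 10.2.1.86), a different unguessable
# password and no grants beyond USAGE.
USER_TABLE = [
    ("10.2.1.%", "poweruser", "ALL PRIVILEGES"),
    ("10.2.1.%", "webuser", "SELECT on customer tables"),
    ("10.2.1.86", "poweruser", "USAGE"),
]


def host_matches(host_pattern, client_ip):
    """True if a Host column value admits client_ip: literal IP, IP/netmask
    form ('10.2.1.0/255.255.255.0') or the SQL wildcards % and _."""
    if "/" in host_pattern:
        net = ipaddress.ip_network(host_pattern, strict=False)
        return ipaddress.ip_address(client_ip) in net
    glob = host_pattern.replace("%", "*").replace("_", "?")
    return fnmatch.fnmatchcase(client_ip, glob)


def host_specificity(host_pattern):
    """Sort key approximating MySQL's order: literal IPs and IP/netmask rows first
    (MySQL documents these two as equally specific, so a literal row is only
    guaranteed to beat a wildcard row), then wildcard patterns with a later
    first wildcard ahead of earlier ones, and '%' / '' last."""
    if host_pattern in ("%", ""):
        return (2, 0, 0)
    wild = [i for i, c in enumerate(host_pattern) if c in "%_"]
    if not wild:
        return (0, 0, 0)
    return (1, -wild[0], len(wild))


def resolve_account(user, client_ip):
    """Privilege label of the first row MySQL would accept for this login,
    or None when no row admits it (the password check is not modelled)."""
    ordered = sorted(USER_TABLE, key=lambda r: (host_specificity(r[0]), r[1] == ""))
    for host, row_user, privs in ordered:
        if row_user in (user, "") and host_matches(host, client_ip):
            return privs
    return None
```

A shadow row only shadows rows with the same User value, and rows inserted directly into the grant tables take effect only after FLUSH PRIVILEGES (GRANT and CREATE USER reload them automatically).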
