The DMZ, DBI, and CGI

[airmoti]

Hi,
This is a high level question that I hope someone already has had to deal with.

We are implementing our new webservers in a separate DMZ network. Our admins are not letting us use DBI from these networks to access our databases back in our normal network for security reasons. So our new CGI programs cannot use DBI since the port is shut off! This is to prevent access from the DMZ to our database tables in case the DMZ becomes compromised etc....

How do you handle accessing the databases in the non-DMZ network? Messaging middleware is an option.

Is what the network admins doing overkill? Is there some alternative that can be provided to them to allow DBI calls in a more secure fashion? I'd be curious what other shops have done.

 

[siberian]

1)Yes your admins are overzealous. An admins job is to SUPPORT the development staff, not dictate to it. They should be working with you to find a resolution, not just put up a wall of silence.

2) If I could not use DBI I would use web-services to get the data off a non-dmz web-server running on port 80 that can hit the Database. This is pretty much the same as DBI directly but you have one more point of control.

Maybe you can con them into letting you run a 'mirror' database on the dmz

 

[tviman]

Siberian is right on the mark. The Admin's job is EXACTLY the same as a customer/vendor relationship - you being the customer and Admin being the vendor - and as the old Chevron slogan said - "Everything is YES at Cheveron" must be the same slogan for your Admin people.

There's always a better way. The fun is trying to find it!