On 23 June 2010 20:55, Michael Shadle <mike503@xxxxxxxxx> wrote:
> I talked with a friend who actually had this implemented before and
> banks had signed off on it after reviewing it.
>
> load balancer (irrelevant to the security piece)
>
> web server(s) - only accepts traffic to port 80/443. can only forward
> requests on to the app server, one direction.
>
> app server(s) - processes the PHP/etc. has access to the
> encryption/decryption keys. can only send established packets back to
> the webserver, and traffic to the db. cannot connect outbound to the
> net.
>
> db server(s) - stores the data. choose how you want to encrypt. they
> did not encrypt data at rest in their setup, the bank would have
> 'preferred' it but was not willing to buy the license for the
> encryption plugin. however, the app tier could handle the
> encryption/decryption.
>
> all machines were only accessible via VPN, not the WAN.
>
> due to that, assuming physical access is not an issue:
>
> if the webserver got exploited, it could only talk to the app server
> using http. it has no access to the encryption key, nor the database.
> only one direction of communication. if the app server somehow got
> exploited (someone somehow got a trojan installed) it can't
> communicate outbound, so unless they figured some creative way to make
> the app server expose information through the open port only for the
> webserver, it's useless. and to install the trojan, typically people
> fetch remote files - well, the app tier can't communicate outbound.
>
> it's pretty damn secure for a web app. you could theoretically pair
> the app server and db server on the same box - you could probably make
> that work too. depends on how large you need to scale and the
> architecture required.
>
> anyway... anyone have any comments or holes to poke in this theory?

I'm just wondering if this is a correct understanding:

1. Plaintext data arrives on the web frontend.
2. It's sent to the app server.
3. It's encrypted and sent to the DB server.

Where does the data go after step 3? Does encrypted data go back out to
the app server? In which case, what's to stop me from exploiting the
web server and then sending *bad data/commands* to the app server?

But maybe I'm taking this too far: are you only looking at security in
terms of storage? I.e. is this merely a question of avoiding dumps of
the data?

Regards
Peter

--
<hype>
WWW: http://plphp.dk / http://plind.dk
LinkedIn: http://www.linkedin.com/in/plind
BeWelcome/Couchsurfing: Fake51
Twitter: http://twitter.com/kafe15
</hype>

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
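As an added illustration of the tiering Michael describes (not code from either poster, and not from any real deployment), the host firewall policy for the web and app tiers can be written as two nftables rulesets. Every address and port below is an assumption chosen for the example: web tier 10.0.1.0/24, app tier 10.0.2.0/24 listening on tcp/8080, db tier 10.0.3.0/24 on tcp/3306, and an admin VPN range 10.0.100.0/24. Each table is loaded on its own tier's hosts with `nft -f`.

```nft
# Added example: per-tier nftables host policies for the architecture in
# Michael's message. Addresses and ports are assumptions, not from the post.

# ---- loaded on each web tier host ----
table inet web {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        tcp dport { 80, 443 } ct state new accept                 # public traffic only
        ip saddr 10.0.100.0/24 tcp dport 22 ct state new accept   # admin via VPN only
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oif "lo" accept
        ct state established,related accept                       # replies to clients
        ip daddr 10.0.2.0/24 tcp dport 8080 ct state new accept   # web -> app, one direction
        # nothing else: a compromised web host cannot open connections
        # to the db tier or to the Internet
    }
}

# ---- loaded on each app tier host ----
table inet app {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ip saddr 10.0.1.0/24 tcp dport 8080 ct state new accept   # only the web tier may connect
        ip saddr 10.0.100.0/24 tcp dport 22 ct state new accept   # admin via VPN only
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oif "lo" accept
        ct state established,related accept                       # responses to the web tier
        ip daddr 10.0.3.0/24 tcp dport 3306 ct state new accept   # app -> db
        # no other new outbound connections: no DNS, no package fetches,
        # no reverse shells. The db tier gets the mirror image of this
        # table with no outbound rule except established,related.
    }
}
```

Two caveats that follow directly from the rules rather than from the thread's claims. First, the `web -> app` accept line is exactly the channel Peter asks about: the network policy cannot tell a legitimate request from one sent by an attacker who owns the web host, and the `established,related` rule on the app tier is what carries the HTTP response (encrypted data included) back to that same host, so input validation and authorization on the app tier are what actually bound the damage. Second, a `policy drop` output chain with no exceptions also blocks DNS, NTP and OS updates, so those have to be served from inside the VPN range or added as explicit rules; an app host that "cannot connect outbound" only stays that way if nobody quietly adds a catch-all to make patching work.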