That's one of the most universally true statements ever:
* Restricting connections to HTTP server port 80 and port 443 to a specific network is webadmin 101.
* Restricting connections to DNS server port 53 to a specific network is hostmaster 101.
And so on! Let's call this Mordac's Rule.
Not allowing the end users to access a DBMS at all, or only indirectly via a front-end application or web UI can be supported by the following arguments:
* Not providing a service is an excellent security idea. The disconnected computer is more "secure", and the powered off one is even more "secure".
* Providing a service via a front-end is much more "secure" than providing it via the base tool itself: because experience shows dramatically how much more "secure" PHP/... based application or web UI front-ends are than their DBMS back-ends.
* Regardless of the above points, insisting that all DBMS instance access be via front-ends and then only allowing those front-ends to connect to DBMS instances means delegating accountability for security issues to the front-end owners, and can be a career-security enhancing measure too for the DBMS owners, not merely enhancing overall system security by protecting a weak DBMS with a strong front-end.
:-) :-) :-)
Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds