GP Soft Database Systems and Websites for Languages Schools and Private Colleges
The latest must-have security trend?
The latest must-have security trend for corporates: put a firewall between the application server and the database server. Why?

The gist of this trend is to ask software vendors to put a stateful (normally hardware) firewall between the application server (i.e. the code) and the database server.

As far as GP Soft can tell, there is no sane reason for this. Normally the outside world is cut off from the database server by a gateway firewall, and the incoming policy only allows traffic to the application server.

That said, corporate firewalls tend to have policies for internal staff as well. So why does there need to be an additional firewall between the application and the database?

In GP Soft's opinion this is not only overkill but completely non-essential. In reality it is a Sarbanes-Oxley-style "jumping through hoops" exercise which solves no problem at all.

If I were an internal or external person looking to compromise the database, I would first look to attack the application server for known exploits.

Why? Firstly, I know about the existence of the application server, so it is the obvious route for attack. Secondly, I do not know of the existence of the database server, and I am firewalled off from it anyway.

Which leads me to my final point: if we know the application server is the point of weakness, the firewall sits between the application server and the database, and there is a rule allowing the application server to see the database, then what is the point of the firewall being there?

If anyone can give GP Soft a good explanation of why a firewall should be between the application server and the database, please tell us.

_______________________________________________________________________________

Added point by GP Soft developer Szymon: the second firewall between the application server and the database is there just in case the gateway firewall has been misconfigured. Fair point, Szymon!

-------------------------------------------------------------------------------------------------------------------------------------------

Added by Phil, an ex-GP Soft man and one of the early driving forces behind EduPro.

Regarding Szymon's point (notice the funny use of "numpty", which in Northern English means "stupid person"):

"not a fair point really, would be best to have a firewall check script to test your firewall at regular intervals to make sure you are not a numpty."

"depends on the size of the network, useful to have extra firewalls on a large net to prevent one point of failure/error bringing the whole infrastructure down. 1 webserver + 1 database with a firewall between seems a little bit of overkill if you ask me"
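
A small version of the firewall check script Phil describes, as an added example that is not GP Soft's or Phil's code. It is meant to be run on a schedule from outside the gateway firewall; the host names, the database port 5432 and the policy list are constructed placeholders.

```python
import socket


def probe(host, port, timeout=2.0):
    """Return 'open', 'refused' or 'filtered' for one TCP connect attempt."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        # A reset came back, so the packet reached something that answered.
        return "refused"
    except OSError:
        # Timeout, unreachable or unresolvable: typical when packets are dropped.
        return "filtered"


def audit(policy, probe_fn=probe):
    """Compare observed reachability with the intended policy; return the drift."""
    findings = []
    for name, host, port, want_open in policy:
        state = probe_fn(host, port)
        if (state == "open") != want_open:
            findings.append((name, host, port, state))
    return findings


if __name__ == "__main__":
    # Constructed policy as seen from OUTSIDE the gateway firewall:
    # the application server must answer, the database must not.
    # Hosts and ports are placeholders, not taken from the article.
    policy = [
        ("application server HTTPS", "app.example", 443, True),
        ("database listener", "db.example", 5432, False),
    ]
    for name, host, port, state in audit(policy):
        print(f"POLICY DRIFT: {name} {host}:{port} is {state}")
```

An empty result means the gateway still enforces the intended policy from that vantage point; any line printed is a rule that has drifted and needs review.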
