
SQL Server Security Outside the Firewall ...

Hello,

We use Informix and MySQL on linux/unix to drive our web application.
SQL*Server is used only for backend enterprise applications within the
firewall. I am trying to get the management to use SQL*Server outside the
firewall. They tell me there are security issues with Microsoft products,
including SQL*Server, that make it vulnerable to attacks outside the
firewall. Can someone please point me to white papers/documentation that
suggests how SQL*Server can be used securely outside the firewall? I think
if I put SQL*server on its own box and open it up only to the applications
on our web servers, we should be secure. However, I need hard evidence.

Thanks.
- Rajesh
Jul 20 '05 #1
Rajesh Kapur (rk****@mpr.org) writes:
> We use Informix and MySQL on linux/unix to drive our web application.
> SQL*Server is used only for backend enterprise applications within the
> firewall. I am trying to get the management to use SQL*Server outside the
> firewall. They tell me there are security issues with Microsoft products,
> including SQL*Server, that make it vulnerable to attacks outside the
> firewall. Can someone please point me to white papers/documentation that
> suggests how SQL*Server can be used securely outside the firewall? I think
> if I put SQL*server on its own box and open it up only to the
> applications on our web servers, we should be secure. However, I need
> hard evidence.


SQL*Server? This is no stinkin' Oracle product! :-)

Security issues are not my speciality, but my initial reaction is the
same as your management's: don't do it. Not because Microsoft is more
insecure than anything else (save that MS platforms are more popular to
target, as they are very common). But I think it is a bad idea to put
anything outside a firewall that does not have to be there.

Of course, you can equip the SQL Server machine with a software firewall
such as ZoneAlarm or Kerio so that you can control which machines
can access SQL Server. But all software can have bugs or be
misconfigured, and this might be exploited. I recall that I was
running SQL Server on my home machine with a blank password, but thought
I was safe, since I was running ZoneAlarm. Boy, I was wrong: ZoneAlarm
let connections through on that port, and one day I had an intruder in
my SQL Server that tried to invoke tftp. (Which ZoneAlarm alerted me on.)

--
Erland Sommarskog, SQL Server MVP, so****@algonet.se

Books Online for SQL Server SP3 at
http://www.microsoft.com/sql/techinf...2000/books.asp
Jul 20 '05 #2

"Rajesh Kapur" <rk****@mpr.org> wrote in message
news:40***********************@newsreader.visi.com...
> Hello,
>
> We use Informix and MySQL on linux/unix to drive our web application.
> SQL*Server is used only for backend enterprise applications within the
> firewall. I am trying to get the management to use SQL*Server outside the
> firewall. They tell me there are security issues with Microsoft products,

Correction, there are security issues with ALL products.

If they are treating MS as somehow special (or rather Informix and MySQL as
immune from security issues) they are not doing their jobs.

> including SQL*Server, that make it vulnerable to attacks outside the
> firewall. Can someone please point me to white papers/documentation that
> suggests how SQL*Server can be used securely outside the firewall?

Why would you have it or any product outside a firewall? Seriously.
Properly you should have it in some sort of DMZ.

> I think
> if I put SQL*server on its own box and open it up only to the applications
> on our web servers, we should be secure. However, I need hard evidence.

With SP3a a lot of the old security flaws are fixed, but basically if you
can reach the box from the outside world and have no firewall, then you're
just begging for problems. And not just in SQL, but in the OS.

Put up SOMETHING with some sort of access control, even if it's a router
with an ACL list that blocks ALL traffic to the SQL box and only permits
Port 80 traffic to your web servers.

> Thanks.
> - Rajesh

Jul 20 '05 #3
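The ruleset the last reply describes (block everything to the SQL box except the web servers, permit only port 80 to the web tier, default deny), modelled as an added example that is not from the thread. Addresses are constructed TEST-NET values; the audit also checks that the SQL box cannot reach out to the Internet, the kind of outbound tftp activity the earlier reply's intruder attempted.

```python
"""Model of the DMZ ACL recommended in the thread: default deny, public HTTP to
the web tier only, SQL port 1433 reachable only from the web servers."""
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")
# Constructed example addresses (RFC 5737 TEST-NET ranges), not from the thread.
WEB_SERVERS = [ip_network("192.0.2.10"), ip_network("192.0.2.11")]
SQL_BOX = [ip_network("192.0.2.20")]
INTERNET_HOST = "198.51.100.77"

# Ordered rule list, first match wins; anything unmatched falls to default deny.
# Tuple layout: (action, source networks, destination networks, proto, dst port)
RULES = [
    ("allow", WEB_SERVERS, SQL_BOX, "tcp", 1433),  # only the web tier talks to SQL
    ("allow", [ANY], WEB_SERVERS, "tcp", 80),      # public HTTP to the web servers
]

def evaluate(rules, src, dst, proto, port):
    """Return 'allow' or 'deny' for a single connection attempt."""
    src, dst = ip_address(src), ip_address(dst)
    for action, srcs, dsts, rproto, rport in rules:
        if (any(src in n for n in srcs) and any(dst in n for n in dsts)
                and rproto == proto and rport == port):
            return action
    return "deny"  # the "blocks ALL traffic" part of the advice

def audit(rules):
    """Check the invariants the replies ask for; return a list of violations."""
    problems = []
    sql = str(SQL_BOX[0].network_address)
    web = str(WEB_SERVERS[0].network_address)
    # 1. The SQL port must not be reachable from an arbitrary Internet host.
    if evaluate(rules, INTERNET_HOST, sql, "tcp", 1433) == "allow":
        problems.append("SQL 1433 exposed to the Internet")
    # 2. The web tier must still reach SQL, or the application stops working.
    if evaluate(rules, web, sql, "tcp", 1433) != "allow":
        problems.append("web tier cannot reach SQL")
    # 3. Nothing but HTTP should reach the web tier from outside.
    if evaluate(rules, INTERNET_HOST, web, "tcp", 1433) == "allow":
        problems.append("SQL port open on web servers")
    # 4. The SQL box must not initiate outbound connections (e.g. tftp, udp/69).
    if evaluate(rules, sql, INTERNET_HOST, "udp", 69) == "allow":
        problems.append("SQL box may reach out to the Internet")
    return problems

# The "open it up" variant for comparison: SQL reachable from anywhere.
OPEN_RULES = RULES + [("allow", [ANY], SQL_BOX, "tcp", 1433)]
```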


