Rajesh Kapur (rk****@mpr.org) writes:
We use Informix and MySQL on linux/unix to drive our web application.
SQL*Server is used only for backend enterprise applications within the
firewall. I am trying to get the management to use SQL*Server outside the
firewall. They tell me there are security issues with Microsoft products,
including SQL*Server, that make it vulnerable to attacks outside the
firewall. Can someone please point me to white papers/documentation that
suggests how SQL*Server can be used securely outside the firewall? I think
if I put SQL*server on it's own box and open it up only to the
applications on our web servers, we should be secure. However, I need
hard evidence.
SQL*Server? This is no stinkin' Oracle product! :-)
Security issues is not my speciality, but my initial reaction is the
same as your management: don't do it. Not because Microsoft are more
insecure than anything else (save that MS platforms are more popular to
target, as they are very common). But I think it is bad idea to put
anything outside a firewall that does not have to be there.
Of course, you can equip the SQL Server machine with a software firewall
such as ZoneAlarm or Kerio so that you can control which machines
that can access SQL Server. But all software can have bugs or be
misconfigured, and this might be exploited. I recall that I was
running SQL Server on my home machine with a blank password, but thought
I was safe, since I was running ZoneAlarm. Boy, I was wrong, ZoneAlarm
let connects through on that port, and one day I had an intruder in
my SQL Server that tried to invoke tftp. (Which ZoneAlarm alerted me on.)
--
Erland Sommarskog, SQL Server MVP,
so****@algonet.se
Books Online for SQL Server SP3 at
http://www.microsoft.com/sql/techinf...2000/books.asp 
