SQL Server Sercurity Outside the Firewall ...

Collapse
This topic is closed.
X
X
 
  • Time
  • Show
Clear All
new posts
  • Rajesh Kapur

    SQL Server Sercurity Outside the Firewall ...

    Hello,

    We use Informix and MySQL on linux/unix to drive our web application.
    SQL*Server is used only for backend enterprise applications within the
    firewall. I am trying to get the management to use SQL*Server outside the
    firewall. They tell me there are security issues with Microsoft products,
    including SQL*Server, that make it vulnerable to attacks outside the
    firewall. Can someone please point me to white papers/documentation that
    suggests how SQL*Server can be used securely outside the firewall? I think
    if I put SQL*server on it's own box and open it up only to the applications
    on our web servers, we should be secure. However, I need hard evidence.

    Thanks.
    - Rajesh


  • Erland Sommarskog

    #2
    Re: SQL Server Sercurity Outside the Firewall ...

    Rajesh Kapur (rkapur@mpr.org ) writes:[color=blue]
    > We use Informix and MySQL on linux/unix to drive our web application.
    > SQL*Server is used only for backend enterprise applications within the
    > firewall. I am trying to get the management to use SQL*Server outside the
    > firewall. They tell me there are security issues with Microsoft products,
    > including SQL*Server, that make it vulnerable to attacks outside the
    > firewall. Can someone please point me to white papers/documentation that
    > suggests how SQL*Server can be used securely outside the firewall? I think
    > if I put SQL*server on it's own box and open it up only to the
    > applications on our web servers, we should be secure. However, I need
    > hard evidence.[/color]

    SQL*Server? This is no stinkin' Oracle product! :-)

    Security issues is not my speciality, but my initial reaction is the
    same as your management: don't do it. Not because Microsoft are more
    insecure than anything else (save that MS platforms are more popular to
    target, as they are very common). But I think it is bad idea to put
    anything outside a firewall that does not have to be there.

    Of course, you can equip the SQL Server machine with a software firewall
    such as ZoneAlarm or Kerio so that you can control which machines
    that can access SQL Server. But all software can have bugs or be
    misconfigured, and this might be exploited. I recall that I was
    running SQL Server on my home machine with a blank password, but thought
    I was safe, since I was running ZoneAlarm. Boy, I was wrong, ZoneAlarm
    let connects through on that port, and one day I had an intruder in
    my SQL Server that tried to invoke tftp. (Which ZoneAlarm alerted me on.)



    --
    Erland Sommarskog, SQL Server MVP, sommar@algonet. se

    Books Online for SQL Server SP3 at
    SQL Server 2025 redefines what's possible for enterprise data. With developer-first features and integration with analytics and AI models, SQL Server 2025 accelerates AI innovation using the data you already have.

    Comment

    • Greg D. Moore \(Strider\)

      #3
      Re: SQL Server Sercurity Outside the Firewall ...


      "Rajesh Kapur" <rkapur@mpr.org > wrote in message
      news:401835ef$0 $41283$a1866201 @newsreader.vis i.com...[color=blue]
      > Hello,
      >
      > We use Informix and MySQL on linux/unix to drive our web application.
      > SQL*Server is used only for backend enterprise applications within the
      > firewall. I am trying to get the management to use SQL*Server outside the
      > firewall. They tell me there are security issues with Microsoft products,[/color]

      Correction, there are security issues with ALL products.

      If they are treating MS as somehow special (or rather Informix and MySQL as
      immune from security issues) they are not doing their jobs.

      [color=blue]
      > including SQL*Server, that make it vulnerable to attacks outside the
      > firewall. Can someone please point me to white papers/documentation that
      > suggests how SQL*Server can be used securely outside the firewall?[/color]

      Why would you have it or any product outside a firewall? Seriously.
      Properly you should have it in some sort of DMZ.
      [color=blue]
      >I think
      > if I put SQL*server on it's own box and open it up only to the[/color]
      applications[color=blue]
      > on our web servers, we should be secure. However, I need hard evidence.[/color]

      With SP3a a lot of the old security flaws are fixed, but basically if you
      can reach the box from the outside world and have no firewall, then you're
      just begging for problems. And not just in SQL, but in the OS.

      Put up SOMETHING with some sort of access control, even if it's a router
      with an ACL list that blocks ALL traffic to the SQL box and only permits
      Port 80 traffic to your web servers.

      [color=blue]
      >
      > Thanks.
      > - Rajesh
      >
      >[/color]


      Comment

      Working...