Re: I have a matter with symantec enterprise firewall

From: Joseph V. Morris (jvmorris_at_erols.com)
Date: 05/12/03


Date: Mon, 12 May 2003 09:45:14 -0400

Vincenzo,

A SQL Server exposed to the Internet at large? Symantec Enterprise
Firewall? On the same machine? I'd agree with Lars on this issue: If you
must, put the PRODUCTION SQL Server outside the enterprise firewall (i.e.,
on a different machine in the DMZ). Apply all known security patches,
install a good IDS on that box, possibly some memory-resident AV and AT
products, a registry monitor and file authentication software. There's no
particular problem with also putting a software firewall on the SQL Server
box, but it alone is not going to do you much good as you just put a hole in
the firewall big enough to drive a truck through. Assuming the server is an
NT/2K/XP machine, run with a non-admin account (certainly when connected to
the Internet) with full OS protection and strong passwording. If it's
feasible for your application, I would also restrict access to a specific
subset of remote IP addresses.

The DEVELOPMENT SQL Server should be an entirely separate installation
sitting on a different machine BEHIND the enterprise firewall. (Doing
development directly on the exposed machine is a great way to eat that great
enchilada in the sky.)

The primary problem with having SQL Server sitting on the same machine as
the enterprise level firewall and exposed to the Internet at large is that
if anyone finds a previously undefined (or uncorrected) vulnerability in SQL
Server, then you've quite likely had your entire LAN exploited. The stored
procedures available with SQL Server are dangerously powerful, which is
another good reason for having the exposed SQL Server OUTSIDE the firewall
(in the DMZ).

--
Regards,
    Joseph V. Morris
    jvmorris@erols.com
"Vincenzo Chianese" <digis.chianese@digis.it> wrote in message
news:at2ua.97756$iy5.3011987@twister2.libero.it...
> 1) How can I set SQL server on the same machine where the firewall is
> installed?
> 2) How can I make visible the machine where the firewall is installed on a
> microsoft net?
>
> Thanks for your answer
>
> Vincenzo Chianese
>
>

