Re: Getting Data from behind a firewall.
From: Susan Bradley, CPA aka "Ebitz" SBS Rocks [MVP] (sbradcpa@pacbell.net)
Date: 03/02/03
- Next message: Paintman: "How do I stop this hacker from logging in?"
- Previous message: Mimic: "Re: My PC/Internet Security and Hacker Book"
- In reply to: Jim Mitchell: "Re: Getting Data from behind a firewall."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 02 Mar 2003 11:27:04 -0800
From: Susan Bradley, CPA aka "Ebitz" SBS Rocks [MVP] <sbradcpa@pacbell.net>
SQL databases that communicate over WANs may need 1434 and 1433 open to
"connect" over the Internet. Port 1434 is the port used in the Slammer worm.
1434 is a listening port waiting for UDP transmissions to connect. When
Slammer infected a machine, it started sending out floods of data to port 1434.
In ten minutes, Slammer went round the world and in 30 minutes it affected
computers on all continents [well, maybe not Antarctica].
Any open port, even yes, a VPN connection can be a security risk.
You have a server that you haven't patched but is behind a VPN connection and
ports 80 and 1434 are closed up. A VPN connection is made and an unpatched,
unprotected, infected home user with MSDE unknowingly installed connects to your
LAN. Your servers could be infected through this VPN connection from that
infected workstation attaching.
When you have any sort of connection, VPN or otherwise, you've extended your
Network boundaries and Security perimeters out to "them".
Just because you've only opened up the firewall for traffic from that IP
address doesn't mean that you can relax. You need to do a "security audit" of
their policies and procedures. What security policies and procedures do they
have in place? Do they regularly follow the MBSA or the Center for Internet
Security Baselines for setting up a server? Regularly review the security
status of their servers? Have a regular patching schedule? When did they patch
their servers for Code Red? For Nimda? For Slammer? Were they affected by any
of these big "wake-up calls"? Do they have an incident response team? What are
their procedures?
Are they located in California? There, after 7/1/2003, if that database has
names and one other piece of information that could be defined as needed for a
person's identity [names and SS#, names and CC#s], and there is an
unauthorized intrusion, you must tell your clients that they might have an
identity theft issue.
You need Security policies [written] and/or due diligence in place to ensure
that where you've extended your LAN boundaries are secure.
As a rule, any Internet connection [yes, even dial up] is a security risk.
Any time you poke holes in a firewall, it's a risk.
As a speaker at the Black Hat Briefings said, "Can you identify all the entry
holes into your LAN? Can you stake your life on that answer?"
You've now extended your business risk to their servers. What hits them on
their servers may tunnel back into you.
Jim Mitchell wrote:
> Thanks for the help. If I could, let me be a bit more specific and maybe
> you could give me one more reply.
>
> The web page is hosted by an ISP, but we have the SQL Server database on our
> LAN behind a firewall. Since my ISP Web Server has an IP Address, is the
> standard procedure to open this IP address on our LAN Firewall? Does this
> create any security risks?
>
> My IP is using "Server Farms". Do you think this changes anything?
>
> In the meantime, I will try to talk to an expert and explain my situation.
>
> Thanks,
>
> Jim
>
> "Karl Levinson [x y] mvp" <levinson_k@despammed.com> wrote in message
> news:eIC#shM4CHA.2412@TK2MSFTNGP09.phx.gbl...
> > I'm not really sure what you're trying to do or where the servers are
> > located. You can expect that HTTP connections over TCP ports 80 and 443
> > will probably be accessible from the ISP, but SQL communications may not be
> > permitted, depending. You'd have to ask the ISPs and/or people managing the
> > firewalls in question [not just the one hosting your web page, but also the
> > one hosting the internet connection for the SQL server].
> >
> > All the servers in question should ideally be behind firewalls. If you
> > change the firewall rules to open up a port, especially a SQL port, you can
> > and should write a rule that only makes that port available just for the IP
> > address used by the web server.
> >
> > As for the security of doing all this, this is really too complex to get an
> > accurate answer here. You really want someone experienced in security to
> > inspect the setup, and also to keep it from becoming less secure over time
> > [by installing patches, looking for signs of intrusion, etc. etc.].
> >
> > Some general information on hardening windows servers:
> >
> > http://securityadmin.info/faq.htm#harden
> > http://securityadmin.info/faq.htm#hacked
> > http://securityadmin.info
> > http://www.sqlsecurity.com
> >
> >
> > "Jim Mitchell" <jim_mitchell@mindspring.com> wrote in message
> > news:eUVr2CK4CHA.2296@TK2MSFTNGP10.phx.gbl...
> > > My customer would like to keep his database on his server behind a firewall.
> > > I would like to run an Active Server Page on an ISP to get some of the data
> > > and post to end users on my web site. Users will provide data to my web
> > > site and then I would like to post it back to the server behind the
> > > firewall.
> > >
> > > Can someone explain the security ramifications of this? Since I am running
> > > my page on an ISP, there is no way to set up a VPN. Is there a way to open
> > > up a server behind a firewall to a server running on an ISP? Maybe this
> > > takes away from the whole purpose of the firewall.
> > >
> > > Thanks in advance.
> > >
> > > Jim
> > >
> > >
> >
> >
> > ---
> > Outgoing mail is certified Virus Free.
> > Checked by AVG anti-virus system (http://www.grisoft.com).
> > Version: 6.0.449 / Virus Database: 251 - Release Date: 1/27/2003
> >
> >
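Karl's advice in the quoted reply (open the SQL port only to the web server's address) and Susan's warning about UDP 1434 can be turned into a check that is run against a candidate rule set before it goes on the firewall. The following is an added example and is not code from any post in this thread. The rule format, the helper names, the first-match/default-deny semantics, and the 203.0.113.10, 198.51.100.7 and 192.0.2.44 addresses (documentation ranges) are all constructed for the example.

```python
# Added example, not from the thread. Audits a firewall rule list for the
# two points made above: SQL Server's 1433/tcp reachable only from the
# ISP-hosted web server, and 1434/udp (Slammer's vector) closed to everyone.
# Assumptions: first matching rule wins, no match means deny; the rule
# format and every address below are constructed for this example.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    proto: str    # "tcp" or "udp"
    src: str      # source network in CIDR form
    dport: int    # destination port


SQL_TCP = 1433             # SQL Server default instance listener
SQL_RESOLUTION_UDP = 1434  # SQL Server Resolution Service, the port Slammer hit


def decide(rules, src_ip, proto, dport):
    """Return 'allow' or 'deny' for one packet under first-match, default-deny."""
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        if r.proto == proto and r.dport == dport and ip in ipaddress.ip_network(r.src):
            return r.action
    return "deny"


def audit(rules, web_server_ip, other_hosts):
    """Return a list of findings; an empty list means the policy matches the advice above."""
    findings = []
    # 1433/tcp has to work for the web server, and for nothing else
    if decide(rules, web_server_ip, "tcp", SQL_TCP) != "allow":
        findings.append(f"1433/tcp not reachable from web server {web_server_ip}")
    for src in other_hosts:
        if decide(rules, src, "tcp", SQL_TCP) == "allow":
            findings.append(f"1433/tcp reachable from {src}; restrict it to the web server")
    # 1434/udp stays closed for everybody, the web server included: a connection
    # string that names the port does not need the resolution service
    for src in [web_server_ip, *other_hosts]:
        if decide(rules, src, "udp", SQL_RESOLUTION_UDP) == "allow":
            findings.append(f"1434/udp reachable from {src}; this is Slammer's port")
    return findings


# Constructed addresses from the documentation ranges, not real hosts
WEB_SERVER = "203.0.113.10"                   # the ISP-hosted web server
OTHER_HOSTS = ["198.51.100.7", "192.0.2.44"]  # arbitrary Internet hosts

# The weak setting: "open SQL so the ISP can connect"
WEAK_RULES = [
    Rule("allow", "tcp", "0.0.0.0/0", SQL_TCP),
    Rule("allow", "udp", "0.0.0.0/0", SQL_RESOLUTION_UDP),
]

# The corrected setting from the thread: one /32 for the web server, then
# explicit denies for both SQL ports from anywhere else
HARDENED_RULES = [
    Rule("allow", "tcp", f"{WEB_SERVER}/32", SQL_TCP),
    Rule("deny", "udp", "0.0.0.0/0", SQL_RESOLUTION_UDP),
    Rule("deny", "tcp", "0.0.0.0/0", SQL_TCP),
]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(name, audit(rules, WEB_SERVER, OTHER_HOSTS) or ["no findings"])
```

The explicit deny rules in the hardened set are redundant under default-deny but make the intent visible to whoever reviews the firewall later. Note that a VPN client on the LAN side never traverses these perimeter rules at all, which is exactly the gap Susan describes with the infected home user running MSDE.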