Re: where to put SQL Server ?

From: Karl Levinson [x y] mvp (levinson_k_at_despammed.com)
Date: 05/21/04


Date: Fri, 21 May 2004 07:14:59 -0400


"Robert Moir" <RobertMoir@discussions.microsoft.com> wrote in message
news:82F7FE43-59D9-42B6-A59A-5D658DD3A5FE@microsoft.com...
> Hi Hernán,
> In general, I always think it's best not to expose any more of your network
> to the outside than you have to, which suggests putting your SQL server on
> your LAN rather than exposing it to the web directly.
>
> But with the specific case you mention here of it having to talk to a web
> app, I would have to say that separate "subnets" don't mean very much
> without a better idea of how traffic is routed and protected between these
> subnets. Can you explain a bit more please?

Agreed, I'm not sure what "web subnet" means exactly.

If outside users are accessing your app from the Internet, a typical
security posture would be to put those servers on a DMZ. If you have both
Internet and Intranet users accessing the same application, I would think it
would be safer to not put the SQL database on the internal LAN, on the
premise that if the web server and/or the SQL server were hacked from the
Internet, they would have a hole into your internal network. If you do
that, and you have the resources, it might be sensible to use some sort of
IP filtering [firewall, IPSec filtering rules] to further separate the web
server from the SQL server, instead of just putting them on the same DMZ
subnet.

In some cases, depending on how your app is set up, it might be sensible to
have two different SQL servers on the Intranet and DMZ, with the Intranet
SQL server initiating replication at intervals. How much security you feel
you need is up to you.

You could certainly use IPSec. That would provide encryption to defeat
sniffing and man in the middle session hijacking, and possibly
authentication as well.
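
The IP filtering and IPSec suggestions in the post above, sketched as an added example that is not part of the original post: host rules on the SQL server that accept the database port only from the web server, and only over an authenticated, encrypted IPsec session. The address, port and rule names are assumptions; the cmdlets are from the Windows NetSecurity module, which postdates this thread.

```powershell
# Added example, run on the SQL server. All values below are constructed placeholders.
$WebServer = '192.0.2.10'   # hypothetical DMZ web server (documentation address range)
$SqlPort   = 1433           # default instance port for SQL Server; change if yours differs

# An allow rule only narrows access if unmatched inbound traffic is dropped.
$open = Get-NetFirewallProfile | Where-Object { $_.DefaultInboundAction -eq 'Allow' }
if ($open) {
    Write-Warning "Default inbound action is Allow on: $($open.Name -join ', ')"
}

# 1. Negotiate IPsec for SQL traffic from the web server: required inbound,
#    requested outbound. Uses the host's default authentication set; machines
#    that are not domain members need a certificate-based set instead.
New-NetIPsecRule -DisplayName 'SQL from web server: require IPsec' `
    -InboundSecurity Require -OutboundSecurity Request `
    -Protocol TCP -LocalPort $SqlPort -RemoteAddress $WebServer

# 2. Accept the SQL port only from that one address, and only when the
#    connection is IPsec-authenticated and encrypted.
New-NetFirewallRule -DisplayName 'SQL from web server only' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort $SqlPort `
    -RemoteAddress $WebServer -Authentication Required -Encryption Required

# 3. Review what is now in place for the SQL port.
Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -eq $SqlPort } |
    Get-NetFirewallRule | Select-Object DisplayName, Enabled, Action
```

The web server needs a matching IPsec rule for outbound traffic to the SQL server, and any existing broader allow rule for the same port on the SQL server has to be disabled for the restriction to take effect.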


