Re: The SA Mess

From: Ross Presser (rpresser_at_imtek.com)
Date: 03/18/05


Date: Fri, 18 Mar 2005 10:00:03 -0500

On Thu, 17 Mar 2005 18:30:52 -0500, Russell Stevens wrote:

> I need to learn more about how to program one of these firewalls - perhaps
> the Windows app can send a password to the firewall, then the firewall could
> open the port for just that IP.

Exactly right.

Instead of opening the SQL port completely, you set up a firewall rule
resembling this (in Checkpoint FW1):

If the packet source matches *INTERNET*
and the packet dest matches *SQL SERVER*
and the protocol matches *TCP SQL PORT*,
pass the packet *ONLY IF CLIENT AUTH*
   and *AUTH USER IS MEMBER OF SQLGROUP*

(SQLGROUP is defined on the firewall; it can match back to an LDAP group,
or it could just be a group of "users" defined in the firewall (user in
this case meaning the app itself, not the user's identity).)

When the app needs access to the database, it opens a telnet connection to
the firewall (or else it can use https, but I'm more familiar with telnet),
and gets this sort of conversation:

|| Check Point FireWall-1 Client Authentication Server running on gateway
|| User: RussellsSQLApp
|| password: ***********
|| User RussellsSQLApp authenticated by Radius authentication
||
|| Choose:
||
|| (1) Standard Sign-on
||
|| (2) Sign-off
||
|| (3) Specific Sign-on
|| Enter your choice: 1
||
|| User authorized for standard services (1 rules)
||
||
|| Connection to host lost.

Now, as long as the SQL connection doesn't stay idle for 30 minutes
(configurable timeout), the port is open for that IP address.
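As an added illustration (not part of this thread, and not Check Point's own code), here is a small Python model of the rule and sign-on flow described above: the SQL port stays closed to Internet sources unless the source IP has a live client-auth sign-on by a member of SQLGROUP, and that authorization lapses after the idle timeout. The addresses, port, user names and passwords are constructed for the example; a real gateway would check credentials against RADIUS or LDAP as the transcript shows.

```python
"""Model of the FW-1 client-authentication rule from the post.

Added example, not Check Point code.  Every address, user and password
below is a constructed sample value.
"""

from dataclasses import dataclass, field
from datetime import datetime, timedelta
import hmac

# Rule conditions from the post, as constructed sample values.
INTERNET_PREFIX = "203.0.113."        # TEST-NET-3, stands in for *INTERNET*
SQL_SERVER = "10.0.0.5"               # stands in for *SQL SERVER*
TCP_SQL_PORT = 1433                   # stands in for *TCP SQL PORT*
IDLE_TIMEOUT = timedelta(minutes=30)  # the configurable timeout from the post

# Firewall-defined "users" (really applications) and SQLGROUP membership.
# Constructed credentials; a real gateway defers to RADIUS/LDAP here.
USERS = {"RussellsSQLApp": "example-pass-1", "BackupJob": "example-pass-2"}
SQLGROUP = {"RussellsSQLApp"}


@dataclass
class ClientAuthGateway:
    """Tracks which source IPs hold an active sign-on and their last activity."""

    last_seen: dict = field(default_factory=dict)  # src_ip -> datetime

    def sign_on(self, user: str, password: str, src_ip: str, now: datetime) -> str:
        """The 'Standard Sign-on' step: authenticate the user, then authorize
        the source IP only if the user is a member of SQLGROUP."""
        expected = USERS.get(user)
        if expected is None or not hmac.compare_digest(expected, password):
            return "Authentication failed"
        if user not in SQLGROUP:
            # Authenticated, but no rule grants this user anything.
            return f"User {user} authenticated, no rules authorized"
        self.last_seen[src_ip] = now
        return f"User {user} authorized for standard services (1 rules)"

    def sign_off(self, src_ip: str) -> None:
        """The 'Sign-off' choice: drop the authorization for this IP at once."""
        self.last_seen.pop(src_ip, None)

    def _authorized(self, src_ip: str, now: datetime) -> bool:
        seen = self.last_seen.get(src_ip)
        if seen is None:
            return False
        if now - seen > IDLE_TIMEOUT:
            # Idle too long: the sign-on has expired and must be repeated.
            self.last_seen.pop(src_ip)
            return False
        return True

    def allows(self, src_ip: str, dst_ip: str, dport: int, now: datetime) -> bool:
        """Evaluate the rule for one packet.  INTERNET -> SQL SERVER on the SQL
        port passes only if the source IP has a live sign-on; matching
        traffic refreshes the idle timer.  Anything else is denied in this
        model (a real rulebase would fall through to later rules)."""
        if not (src_ip.startswith(INTERNET_PREFIX)
                and dst_ip == SQL_SERVER
                and dport == TCP_SQL_PORT):
            return False
        if not self._authorized(src_ip, now):
            return False
        self.last_seen[src_ip] = now
        return True


if __name__ == "__main__":
    gw = ClientAuthGateway()
    t0 = datetime(2005, 3, 18, 10, 0)
    print(gw.sign_on("RussellsSQLApp", "example-pass-1", "203.0.113.7", t0))
    print(gw.allows("203.0.113.7", SQL_SERVER, TCP_SQL_PORT, t0 + timedelta(minutes=5)))
    print(gw.allows("203.0.113.7", SQL_SERVER, TCP_SQL_PORT, t0 + timedelta(hours=2)))
```

The point the model makes explicit is that authorization is bound to the source IP that signed on, not to the SQL session itself: a second Internet address is still refused even while the first one is authorized, and the first one is refused again once it has been idle past the timeout.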
