Re: web server dmz sql server

From: "Joel Maslak" <jmasla@xxxxxxxxxxx>
Date: 19 Nov 2006 20:00:08 -0700

On Fri, Nov 17, 2006 at 11:55 AM, in message

<E78D293A-9959-4298-8F67-3633F3524CE9@xxxxxxxxxxxxx>,
callwalker<callwalker@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:

I have a web server on the DMZ. I would like to be able to use the
SQL server
on the lan for the database. Security does not want to open a port
in the
firewall.How can i persuade them? Would it help to put the SQL
server on
vlan? What would be the best wat to do this?

It really depends on your company's policies and procedures.

That said, how I like to do it is to put SQL on a dedicated port of the
firewall (or VLAN routed through the firewall). Then you can let
traffic into the SQL server, but prevent the SQL server from being able
to contact other hosts on the inside of the network. It also lets you
limit the traffic from the web host to the SQL server to just one port,
1433 (TCP).

It's a pretty small hole in the firewall, but I would be concerned if I
were in their shoes too - someone with sufficient access to the SQL
server can find ways of executing a command shell, and from there attack
the rest of the network, even without any bugs in SQL. (it is a good
argument for the application NOT using SA or any login with DBO access
to any database)
.

Prev by Date: Re: Version Control
Next by Date: RE: Proprietary data in SQL2005
Previous by thread: Re: Version Control
Next by thread: Re: Should you use local machine groups?
Index(es):
- Date
- Thread

Relevant Pages

Re: Connecting to an instance in a cluster
... "Geoff N. Hiten" wrote: ... you cannot reuse port numbers. ... Microsoft SQL Server MVP ... That is the port you have to open on the firewall. ...
(microsoft.public.sqlserver.clustering)
Re: SQL Server / Firewall Security
... Below is a link to the thread Denny referred to. ... SQL Server MVP ... > database for us to search the similar help. ... >>> can be any type of firewall not necessarily ISA, ...
(microsoft.public.sqlserver.security)
Re: SQL server connection problem
... no firewall is installed? ... Also i have check that port 1433 is not ... Will SQL server only connect to this ... > to configure the firewall to permit connections to SQL Server. ...
(comp.databases.ms-sqlserver)
Re: Connecting to a MSDE server in Internet
... I like to know that's not an SQL Server problem :-) ... > You can check to see if it's a firewall or port blocking issue or not by ... > If the telnet session fails to connect, you have a firewall issue or are ...
(microsoft.public.sqlserver.connect)
Re: Access via internet?
... I would use something more reliable than just opening a port in the ... firewall, something like a VPN, that more secure than doing just a NATing. ... That´s when an option when your SQL Server is located in your LAN ...
(microsoft.public.sqlserver.msde)