Re: Windows 2003 IPSEC example for SQL
From: Stan Kasper (kasper_at_wharton.upenn.edu)
Date: 11/29/04
- Previous message: Miha Pihler: "Re: Copy data from Windows 2k3 Server to another Windows 2k3 server"
- In reply to: Steve Clark [MSFT]: "Re: Windows 2003 IPSEC example for SQL"
- Next in thread: Steve Clark [MSFT]: "Re: Windows 2003 IPSEC example for SQL"
- Reply: Steve Clark [MSFT]: "Re: Windows 2003 IPSEC example for SQL"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 29 Nov 2004 14:20:12 -0500
Greetings,
Encapsulation is the next step. Right now all servers are on the same switch, so snooping traffic is not a high priority.
BTW, do I need to filter 1434/UDP in IPSEC for SQL? Or is filtering 1433/TCP sufficient?
Thanks,
Stan
"Steve Clark [MSFT]" <bogus@microsoft.com> wrote in message
news:uvgRiYk1EHA.1392@tk2msftngp13.phx.gbl...
> That's great, you're using IPsec filters. :)
>
>
> Why not go all the way and encapsulate the SQL traffic in IPsec?
>
>
> "Stan Kasper" <kasper@wharton.upenn.edu> wrote in message
> news:%23Rw$pRk1EHA.1524@TK2MSFTNGP09.phx.gbl...
> > Greetings,
> >
> > I would like to secure SQL 2000 using a combination of the builtin
> > firewall for Windows 2003 server and IPSEC. For the firewall I would
> > open up ports 1433/TCP and 1434/UDP for SQL. Then I would use
> > IPSEC to control access to those ports. Please comment on my IPSEC
> > example below and on this solution for securing SQL on W2K3.
> >
> > Thanks,
> >
> > Stan
> >
> > REM MS SQL 2000 packet filter
> >
> > REM Create IPSec policy that blocks all network traffic for SQL (1433/TCP, 1434/UDP)
> > REM with a server exception list.
> > REM This policy is used in conjunction with the Windows 2003 firewall, which is
> > REM configured to allow network traffic through said SQL ports.
> > REM Replace *client* below with the IP address (or subnet) of each permitted SQL client.
> >
> >
> > :IPSec Policy Definition
> > netsh ipsec static add policy name="SQLFilter" description="SQL Hardening Policy" assign=no
> >
> >
> > :IPSec Filter Action Definitions
> > REM Filter actions referenced by the rules below (reports an error and continues if they already exist)
> > netsh ipsec static add filteraction name="Permit" action=permit
> > netsh ipsec static add filteraction name="Block" action=block
> >
> >
> > :IPSec Filter List Definitions
> > netsh ipsec static add filterlist name="BlockedSQL" description="SQL Server Hardening"
> > netsh ipsec static add filterlist name="AllowedSQL" description="SQL Server Hardening"
> >
> >
> > :IPSec Filter Definitions
> > REM Permit filters name a specific source; block filters use srcaddr=any.
> > REM IPSec applies the most specific matching filter, so the permit wins for listed clients.
> > netsh ipsec static add filter filterlist="AllowedSQL" srcaddr=*client* dstaddr=me description="SQL TCP Traffic" protocol=TCP srcport=0 dstport=1433
> > netsh ipsec static add filter filterlist="AllowedSQL" srcaddr=*client* dstaddr=me description="SQL UDP Traffic" protocol=UDP srcport=0 dstport=1434
> >
> > netsh ipsec static add filter filterlist="BlockedSQL" srcaddr=any dstaddr=me description="SQL TCP Traffic" protocol=TCP srcport=0 dstport=1433
> > netsh ipsec static add filter filterlist="BlockedSQL" srcaddr=any dstaddr=me description="SQL UDP Traffic" protocol=UDP srcport=0 dstport=1434
> >
> >
> > :IPSec Rule Definitions
> > netsh ipsec static add rule name="SQL Allowed" policy="SQLFilter" filterlist="AllowedSQL" kerberos=yes filteraction=Permit
> > netsh ipsec static add rule name="SQL Blocked" policy="SQLFilter" filterlist="BlockedSQL" kerberos=yes filteraction=Block
> >
> >
> > :IPSec Policy Assignment
> > REM The policy has no effect until it is assigned.
> > netsh ipsec static set policy name="SQLFilter" assign=yes
> >
> >
>
>
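The script quoted above relies on a Windows IPsec behaviour that is easy to get wrong: the "SQL Allowed" permit filters (specific source address) and the "SQL Blocked" block filters (srcaddr=any) overlap, and Windows picks the most specific matching filter rather than the first one defined. The following added example (not code from the thread or from Microsoft) parses netsh lines in the form used in the post and predicts what happens to a packet. It assumes a client address of 10.0.0.5 in place of the *client* placeholder and a SQL host address of 10.0.0.10 for "me"; the tie-break toward Block for equally specific filters is this model's own fail-closed assumption. It also reports whether the parsed script ever assigns the policy, since a policy created with assign=no and never assigned does nothing.

```python
"""Model of how Windows IPsec static filters resolve overlapping rules.

Added example (not from the thread). Parses netsh lines of the form used in
the post and predicts the filter action for a packet, applying the Windows
IPsec rule that the most specific matching filter wins regardless of the
order in which the filters were defined.
"""
import shlex
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample: the post's script with the *client* placeholder filled
# with an assumed client address (10.0.0.5). The SQL host is assumed 10.0.0.10.
SAMPLE_NETSH = """\
netsh ipsec static add policy name="SQLFilter" description="SQL Hardening Policy" assign=no
netsh ipsec static add filterlist name="BlockedSQL" description="SQL Server Hardening"
netsh ipsec static add filterlist name="AllowedSQL" description="SQL Server Hardening"
netsh ipsec static add filter filterlist="AllowedSQL" srcaddr=10.0.0.5 dstaddr=me description="SQL TCP Traffic" protocol=TCP srcport=0 dstport=1433
netsh ipsec static add filter filterlist="AllowedSQL" srcaddr=10.0.0.5 dstaddr=me description="SQL UDP Traffic" protocol=UDP srcport=0 dstport=1434
netsh ipsec static add filter filterlist="BlockedSQL" srcaddr=any dstaddr=me description="SQL TCP Traffic" protocol=TCP srcport=0 dstport=1433
netsh ipsec static add filter filterlist="BlockedSQL" srcaddr=any dstaddr=me description="SQL UDP Traffic" protocol=UDP srcport=0 dstport=1434
netsh ipsec static add rule name="SQL Allowed" policy="SQLFilter" filterlist="AllowedSQL" kerberos=yes filteraction=Permit
netsh ipsec static add rule name="SQL Blocked" policy="SQLFilter" filterlist="BlockedSQL" kerberos=yes filteraction=Block
"""

HOST_IP = "10.0.0.10"  # assumed address of the SQL Server ("me" in the filters)


@dataclass
class Filter:
    filterlist: str
    srcaddr: str
    dstaddr: str
    protocol: str
    srcport: int
    dstport: int

    def specificity(self):
        """Higher tuple = more specific. Host > subnet > any, per dimension."""
        def addr_score(a):
            if a == "any":
                return 0
            if a == "me" or "/" not in a:
                return 2
            return 1
        return (addr_score(self.srcaddr) + addr_score(self.dstaddr),
                0 if self.protocol == "ANY" else 1,
                (self.srcport != 0) + (self.dstport != 0))


def parse_netsh(script):
    """Return (filters, {filterlist: action}, {policy: assigned?})."""
    filters, actions, assigned = [], {}, {}
    for line in script.splitlines():
        toks = shlex.split(line)  # handles name="SQL Allowed" style quoting
        if toks[:3] != ["netsh", "ipsec", "static"] or len(toks) < 5:
            continue
        verb, kind = toks[3], toks[4]
        kv = dict(t.split("=", 1) for t in toks[5:] if "=" in t)
        if verb == "add" and kind == "filter":
            filters.append(Filter(kv["filterlist"], kv["srcaddr"].lower(),
                                  kv["dstaddr"].lower(),
                                  kv.get("protocol", "any").upper(),
                                  int(kv.get("srcport", 0)),
                                  int(kv.get("dstport", 0))))
        elif verb == "add" and kind == "rule":
            actions[kv["filterlist"]] = kv["filteraction"].capitalize()
        elif kind == "policy" and "assign" in kv:  # "add policy" or "set policy"
            assigned[kv["name"]] = kv["assign"].lower() == "yes"
    return filters, actions, assigned


def addr_matches(spec, ip, host_ip):
    if spec == "any":
        return True
    if spec == "me":
        return ip == host_ip
    return ip_address(ip) in ip_network(spec, strict=False)


def resolve(filters, actions, packet, host_ip=HOST_IP):
    """packet = (src_ip, dst_ip, proto, src_port, dst_port) -> action name."""
    src, dst, proto, sport, dport = packet
    hits = [f for f in filters
            if f.filterlist in actions
            and addr_matches(f.srcaddr, src, host_ip)
            and addr_matches(f.dstaddr, dst, host_ip)
            and f.protocol in ("ANY", proto.upper())
            and f.srcport in (0, sport) and f.dstport in (0, dport)]
    if not hits:
        return "NoFilter"  # IPsec ignores it; only the host firewall applies
    # Most specific filter wins. Equal specificity is a policy conflict; this
    # model breaks the tie toward Block (assumption: fail closed).
    hits.sort(key=lambda f: (f.specificity(), actions[f.filterlist] == "Block"),
              reverse=True)
    return actions[hits[0].filterlist]


if __name__ == "__main__":
    flt, act, asg = parse_netsh(SAMPLE_NETSH)
    for pkt in [("10.0.0.5", HOST_IP, "TCP", 49152, 1433),
                ("10.0.0.99", HOST_IP, "TCP", 49152, 1433),
                ("10.0.0.99", HOST_IP, "UDP", 49152, 1434),
                ("10.0.0.99", HOST_IP, "TCP", 49152, 445)]:
        print(pkt, "->", resolve(flt, act, pkt))
    print("policy assigned:", asg)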