Re: Securing SQL

From: karl levinson, mvp (levinson_k_at_despammed.com)
Date: 11/24/05

• Next message: Will: "Re: How to Stop a Service From Impersonating Other Users"
• Previous message: karl levinson, mvp: "Re: Certificate-based DHCP authentication"
• In reply to: Bad Beagle: "Securing SQL"
• Next in thread: Bad Beagle: "Re: Securing SQL"
• Reply: Bad Beagle: "Re: Securing SQL"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Thu, 24 Nov 2005 08:46:27 -0500

"Bad Beagle" <maxwelli@nospam.postalias> wrote in message
news:uCxmBEE8FHA.444@TK2MSFTNGP11.phx.gbl...
>I would like to know what the suggestions are for designing a secure
>solution for Windows servers and SQL. I have a Windows 2000 server that is
>my web server - this server is in the dmz. This server has pages that
>access a SQL server. The SQL server hosts a database that is used both
>internally and externally and needs to be updated by someone internal. My
>question is where this SQL server should be placed - on the lan and do file
>replication or in the dmz and open up the firewall for sql traffic.

I would suggest any solution that prevents the servers in the DMZ from
opening inbound connections into your internal LAN and requires that
connections be established from your LAN to the DMZ. Having two SQL
servers, one on the LAN, one in the DMZ, that are synchronized by the server
on the LAN sounds most secure, but then you want to make sure the
synchronization works for you and does not cause unacceptable data
discrepancies.

A cheaper solution that is probably secure enough would be to have the one
SQL server in the DMZ -- preferably a second DMZ for example using an
additional network interface in your firewall or an additional inexpensive
firewall like the www.netscreen.com "5" series, so that the SQL server is
firewalled from both the LAN and the web server -- AND only allow
connections from the LAN to the SQL server.

Note that using IPSec authentication and encryption does not make it safe to
permit connections from the DMZ web server to a server on your LAN, because
attackers may be able to use that connection.

• Next message: Will: "Re: How to Stop a Service From Impersonating Other Users"
• Previous message: karl levinson, mvp: "Re: Certificate-based DHCP authentication"
• In reply to: Bad Beagle: "Securing SQL"
• Next in thread: Bad Beagle: "Re: Securing SQL"
• Reply: Bad Beagle: "Re: Securing SQL"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: Web portal security ... win2003 standard server with IIS, SSL enabled and will be placed on ... So I will be fwding port 443 in firewall to my DMZ port. ... Well, assuming you are going to use teh SQL database from SBS, you can ... subnet than my LAN and map one to one from firewall to dmz. ... (microsoft.public.windows.server.sbs) Re: 2 NICs Configuration Problem ... Servers on the DMZ are public, ... provides NAT for the LAN machines, allowing them to reach the Internet ... effectively bypassing firewall filtering to that server. ... Ethernet adapter Server Local Area Connection: ... (microsoft.public.windows.server.networking) Re: Where to put the server ... Put the 2003 IIS Server in the DMZ. ... SBS box or another LAN server. ... (microsoft.public.backoffice.smallbiz2000) Re: Groklaws "Bias" and the SCO DDoS Attack ... >on the same local LAN your office machines are you can congest that ... routers, with port 80 redirected to a web server on the LAN side. ... I've also used Sonicwall DMZ routers. ... (comp.unix.sco.misc) Re: Windows 2003 server in DMZ for websites ... thought making it a stand alone would be the preffered design where security ... NIC'd Windows server design allowing for easier administration. ... > has free access to LAN so there is no point in having DMZ. ... (microsoft.public.inetserver.iis.security)

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint