July 18, 2008 at 12:41 pm
Let me tell you what i want to know....
My friend told me, that his company has hosted one of their databases onto third party's server and they have provided server name and username/password to them.
They can register that server into any machine having sql installed by using that server name- username-password.
even he can register that SSMS into his laptop as we can do if we have on the same network.
but in that case its internet based no network boundation.
any idea whatβs that concept!!!!
Please let me know if any confusion in my query....
July 18, 2008 at 1:09 pm
I've used that kind of arrangement before. Lots of companies do that. Can get a little slow if you're transmitting large or frequent data sets/updates across the Net, but it does work.
- Gus "GSquared", RSVP, OODA, MAP, NMVP, FAQ, SAT, SQL, DNA, RNA, UOI, IOU, AM, PM, AD, BC, BCE, USA, UN, CF, ROFL, LOL, ETC
Property of The Thread
"Nobody knows the age of the human race, but everyone agrees it's old enough to know better." - Anon
July 18, 2008 at 1:12 pm
Yeh, ive heard this before also. large data would be slow and its not secure coz your DBs are hosted into someone else server.
But I am intrested to know what is the concept behind that.
How could i do that if i want to do?
Whats the process and all that........
July 18, 2008 at 1:16 pm
Sounds to me like they've just placed it outside the firewall. Although this does make it visible everywhere, it also... well... makes it visible everywhere. I'd rather have my database a little closer to home where I can keep intruders at bay (i.e. invisible behind a firewall), control network latency, and have access to the console if need arises. There are advantages to having it out there, particularly if you don't have or want to purchase hardware, don't have inhouse resources to administer it or need to have it widely available and don't want to put up a VPN. I can't say that it is always best to have your server inside a firewall since it depends on your requirements, but it would take me quite awhile to warm up to it.
Chad
July 18, 2008 at 1:27 pm
Just keep the server out of firewall - makes it visible across the internet who is haveing its address/Uname/Pass etc.........if its possible-it looks strange to me..........there must be either some seeting or utility in sql server and something else along with firewell.
I do agree firewall would play a major role into it......
But still there must be something else also along with it.........
July 18, 2008 at 9:11 pm
I don't think there is anything special - you can connect to any SQL server if you know it's IP (or a resolvable name), port, a username and password... as long as the IP is public and not private. The difference here is that they've placed the server outside the firewall on a public IP rather than behind a firewall on a private IP. If I put my SQL Server on a box with an IP of 10.10.10.10, you wouldn't be able to get to it anywhere outside of the local network because the 10.* IP addresses are private. You'd have to either be sitting inside the network, or VPN in. It's the same sort of thing you'll see with a public website vs. a private intranet - you can't see the intranet pages from outside the network (i.e. in the "world" part of the "world-wide-web").
Chad
July 19, 2008 at 2:01 am
Chad, thanks a lot.
Does any specific authentication needs for this concept.
Or normally sql authentication/Mix mode can be used - as usual.
And server IP or its name + with any user (in sql with sufficient rights) with its password can be used to access it our side anywhere.
And there must be some special rights or something needs to be done on the source server, because suppose im trying to access 1 server over the internet, the same name or IP could be used by another server over the globe?
July 21, 2008 at 8:51 am
Chad Crawford (7/18/2008)
Sounds to me like they've just placed it outside the firewall. Although this does make it visible everywhere, it also... well... makes it visible everywhere. I'd rather have my database a little closer to home where I can keep intruders at bay (i.e. invisible behind a firewall), control network latency, and have access to the console if need arises. There are advantages to having it out there, particularly if you don't have or want to purchase hardware, don't have inhouse resources to administer it or need to have it widely available and don't want to put up a VPN. I can't say that it is always best to have your server inside a firewall since it depends on your requirements, but it would take me quite awhile to warm up to it.Chad
You don't have to expose it to the whole world. You expose a specific IP address and port, and require authentication to connect.
There are companies that host database servers that way. Cheaper and easier for a small business that can't afford the hardware, server OS, SQL Server, etc., to pay a fee to a company that hosts it for them.
Very useful if you need Enterprise Edition features, but can't afford the price. Of course, has limitations because it's on someone else's server, but life is all about trade-offs.
- Gus "GSquared", RSVP, OODA, MAP, NMVP, FAQ, SAT, SQL, DNA, RNA, UOI, IOU, AM, PM, AD, BC, BCE, USA, UN, CF, ROFL, LOL, ETC
Property of The Thread
"Nobody knows the age of the human race, but everyone agrees it's old enough to know better." - Anon
July 21, 2008 at 8:23 pm
DKG - yes, SQL Authentication and the IP/Name with a correct user/password can be used. The name will not conflict with another, because each name ends with a domain (xxxx.com, xxxx.net, etc.) and you must register those. The registration process keeps them unique and ensures that a particular name is used only by one specific entity (person/corporation/etc.). So I cannot name my server mysqlserver.mydomain.com, if I don't own the rights to "mydomain.com". Each name resolves to one IP address and that is actually what is used to connect.
When you attempt to connect to mysqlserver.mydomain.com, the first thing that happens is a request is sent to a DNS server lookup the IP address assigned to mysqlserver.mydomain.com, and when the result is sent back from the DNS server, your application (SSMS, C# application, etc.) uses the IP address to make the connection. The name is really just a shortcut so that you don't have to remember the IP address, and to ensure that if the IP address changes, you don't have to start making calls to find out what the new address is.
IP addresses are unique too, and (again) you must purchase them, with the exception of a few ranges reserved for private (i.e. not directly connected to the internet) networks. That way if you have a small company (or home) with several computers that need to talk to each other using TCP/IP traffic but not connect to the internet, you can set up your own little network without any problems. Sometimes (often?) companies will set up one computer on their network as a gateway. The gateway as two IP addresses - one purchased that allows it to connect to the internet and be 'unique' among all the computers floating out there. The other is part of the 'private' network and allows it to communicate with all the other computers inside the company. With this special setup, it can funnel traffic from the internet, allowing the 'hidden' computers with private IP addresses to access the internet through the Gateway's connection. To the world, it looks like one computer on the internet, but in reality, it is forwarding the traffic from multiple computers though the gateway from many computers you cannot actually see. Now that I've written all this, I realize that I probably should have just found a link to a site that explains this better and probably with less inaccuracies.
In summary, you won't have a naming or IP address conflict.
GSquared -
I humbly bow to your superior knowledge and expertise and live in awe of your posts. Networking is not my area of expertise as the paragraphs above probably adequately show. I think I can clarify what I meant by "exposing the server to the whole world" though, and hopefully I'm not too far off and I hope you'll correct me if I stray (I know you have more experience in this realm than I do).
If you put the server outside the firewall, then it (speaking of the server, not SQL Server) can be hit and probed by anyone and is susceptible to the normal buffetings of the internet, including DOS issues, open port concerns, latency, etc. In addition, SQL Server concerns about password strength, up to date patches, and hardening become much more critical. Port forwarding or opening a single port on the firewall limits your exposure since you only have the one port to worry about, but you do have to worry about that port. I dare say that a company who provides SQL Server services across the internet probably has their ducks in a row with regard to these points... or else they will not last long at all. And they provide an invaluable service that is exactly what some people need. But if someone looking at SQL Server without much experience decides to put their server outside the firewall just so they can run ad-hoc queries from home... I think they're asking for trouble.
Thanks!
Chad
July 22, 2008 at 11:55 am
Thank you for the compliment on my posts. I try to do my best on them.
No matter how one exposes a server, or what software it's running, if it's connected the Net, it is less secure than if it's not. That's a simple fact. At the same time, it can be "secure enough."
As far as securing an SQL server for that kind of thing, I'm sure it can be done with reasonable safety. I know exactly how to do that: Hire someone who knows how to do it and have them do it for me, because I certainly can't do it on my own! π
I have to agree with you that anyone exposing a server that way rather than VPNing to it is just asking for trouble. Or doing a thesis paper on what happens to unsecured servers. π
- Gus "GSquared", RSVP, OODA, MAP, NMVP, FAQ, SAT, SQL, DNA, RNA, UOI, IOU, AM, PM, AD, BC, BCE, USA, UN, CF, ROFL, LOL, ETC
Property of The Thread
"Nobody knows the age of the human race, but everyone agrees it's old enough to know better." - Anon
July 22, 2008 at 12:41 pm
I agree completely!
Chad
July 24, 2008 at 3:35 pm
Thank you very much 'Chad' for this excellent explanation! and make the concept clear to me.
Many Thanks to you!!!
Cheers,
Deepak
Viewing 12 posts - 1 through 11 (of 11 total)
You must be logged in to reply to this topic. Login to reply