Firewall in SQL

  • Hi team

There is an argument in our company, that we have a perimeter firewall between the SQL DB infrastructure and the Internet, but there is no firewall between the (DB) server and the client. So the reason I am writing this is to understand how, as a DBA, we can be responsible for securing and hardening the DB environment. Any checks that we can do? I only know that port 1433 needs to be open when communicating with SQL Server. Any other suggestions and recommendations highly appreciated.

    thank you!


your DB server should be in a DMZ (dead man's zone/demilitarised zone) which is effectively 2 firewalls

    but if you want to allow client access to your data then you could use a VPN tool to allow access to the database for specific IP addresses

    you can also configure some of those VPN clients to use 2 factor authentication (a text message with a ping number when I log in)

we use this when I work from home... I cannot get to our SQL server behind the firewall unless I use our authorised VPN client and push in the correct credentials

    MVDBA

When you say client, do you mean a web application running on a web server?

    If so, there should be a firewall between that and the DB server, and the rules should be put in place to only allow a connection to the DB from that server, on the specific ports.

I'm not sure I agree that the DB servers should be in the DMZ. We have never put a DB server in the DMZ. The only access to the DB servers is on specific ports from specific clients.

    Michael L John
    If you assassinate a DBA, would you pull a trigger?
    To properly post on a forum:
    http://www.sqlservercentral.com/articles/61537/
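The rule described in this reply (only the web server, only the SQL port) can also be enforced and audited on the DB server's own Windows Firewall, which is the check a DBA can run without waiting for the network team. The script below is an added example and not from the thread; the application server address 10.0.1.20 and the rule names are assumptions. It relies on the Windows Firewall default of blocking unsolicited inbound traffic rather than adding a broad Block rule, because in Windows Firewall an explicit Block rule on 1433 would override the scoped Allow rule and cut off the web server too.

```powershell
# Added example, not from the thread. Assumed: the only client that may reach this
# instance is the application/web server at 10.0.1.20, and the instance listens on
# the default TCP port 1433. Run elevated on the DB server.
$AppServerIp = '10.0.1.20'   # assumption: the one permitted client

# 1. Make sure inbound traffic that matches no Allow rule is dropped on every profile.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

# 2. Allow TCP 1433 inbound only from the application server, and only on the
#    Domain profile (the profile a domain-joined DB server normally sits in).
New-NetFirewallRule -DisplayName 'SQL Server 1433 - app server only' `
    -Direction Inbound -Protocol TCP -LocalPort 1433 `
    -RemoteAddress $AppServerIp -Action Allow -Profile Domain | Out-Null

# 3. Audit: list every enabled inbound Allow rule that exposes TCP 1433
#    (or all TCP ports) and show which remote addresses it is scoped to.
function Get-SqlPortExposure {
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        ForEach-Object {
            $rule = $_
            $port = $rule | Get-NetFirewallPortFilter
            $coversSql = ($port.Protocol -eq 'TCP') -and
                         (($port.LocalPort -contains '1433') -or ($port.LocalPort -eq 'Any'))
            if ($coversSql) {
                $addr = $rule | Get-NetFirewallAddressFilter
                [pscustomobject]@{
                    Rule          = $rule.DisplayName
                    Profile       = $rule.Profile
                    RemoteAddress = ($addr.RemoteAddress -join ', ')
                    # 'Any' means the rule lets every source on the network reach SQL.
                    Unscoped      = ($addr.RemoteAddress -contains 'Any')
                }
            }
        }
}

# Anything reported with Unscoped = True is a rule to disable or narrow.
Get-SqlPortExposure | Format-Table -AutoSize
```

If the instance is a named instance it will not be on 1433 at all: it listens on a dynamic port and clients locate it through the SQL Browser service on UDP 1434, so the same audit should then be run for that port and for the instance's actual TCP port.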

  • Thanks for the responses.

By client I mean anyone on the internet who accesses data from outside our company domain.

I think these 'clients' would never have direct access to our SQL Server databases. My feeling is that clients are communicating with a web portal (as you said) which in turn connects to SQL Server (using the specified port from the web server to the DB server). If this is the case, do you all think the method of communicating is secure?

DMZ - do all servers in a particular domain fall under one DMZ?

I will also have a discussion with my security team to find out more on this. Thanks for your help with knowledge sharing on this topic.

Pardon me if I am writing something wrong, since I have limited knowledge of this firewall and security topic.

  • Tomys wrote:

DMZ - do all servers in a particular domain fall under one DMZ?

Domains and DMZs do not have anything to do with one another.

In my case, the web servers and the DB servers are all on the same domain. The web servers are in the DMZ, the DB servers are not.


    Michael L John
    If you assassinate a DBA, would you pull a trigger?
    To properly post on a forum:
    http://www.sqlservercentral.com/articles/61537/

  • Best thing for you to do is google DMZ (wiki has some nice diagrams) then you can make your mind up.

SQL hardening is quite complex, it's not just firewalls... it's SQL injection, internal user access and many other things

    MVDBA

  • MVDBA (Mike Vessey) wrote:

your DB server should be in a DMZ (dead man's zone/demilitarised zone) which is effectively 2 firewalls

    but if you want to allow client access to your data then you could use a VPN tool to allow access to the database for specific IP addresses

    you can also configure some of those VPN clients to use 2 factor authentication (a text message with a ping number when I log in)

we use this when I work from home... I cannot get to our SQL server behind the firewall unless I use our authorised VPN client and push in the correct credentials

    I would never put a database server in the DMZ - all data needs to be inside the network and no access to that database server directly from any external clients.

    For external access - an application (web, web services, etc...) server would be placed in the DMZ with specific ports opened from the external network (ex: only port 443 traffic) and ideally a white-list that only allows connections from specific external IP addresses.

    Then - that application server in the DMZ would only have access to that database server through a limited user account.

Even better would be a Netscaler (or similar device) that is placed between your server in the DMZ and the external clients with SSL->SSL bridge configured. That way, the clients access the Netscaler over SSL - and the Netscaler device creates a separate tunnel to the application server over SSL.

    Jeffrey Williams
    “We are all faced with a series of great opportunities brilliantly disguised as impossible situations.”

    ― Charles R. Swindoll

    How to post questions to get better answers faster
    Managing Transaction Logs
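The "limited user account" this reply recommends for the DMZ application server is something the DBA controls directly. The script below is an added example, not from the thread: it creates a Windows-authenticated login for the portal's service account (assumed to be CORP\svc_portal, with the instance DBSRV01, the database PortalDb and the portal's stored procedures in schema [app], all assumptions), grants it nothing beyond EXECUTE on that schema, and then lists which logins hold sysadmin so the application login can be confirmed absent. It needs the SqlServer PowerShell module for Invoke-Sqlcmd.

```powershell
# Added example, not from the thread. Assumed names: instance DBSRV01, database
# PortalDb, application pool identity CORP\svc_portal, procedures in schema [app].
# Requires the SqlServer module (Install-Module SqlServer) and a sysadmin session.
$Instance = 'DBSRV01'
$Database = 'PortalDb'
$AppLogin = 'CORP\svc_portal'   # the DMZ web server's service account

$provision = @"
-- Windows login for the service account: no SQL password to store on the web server.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$AppLogin')
    CREATE LOGIN [$AppLogin] FROM WINDOWS WITH DEFAULT_DATABASE = [$Database];

-- Map it into the application database only; it gets no server-level role.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$AppLogin')
    CREATE USER [$AppLogin] FOR LOGIN [$AppLogin];

-- Least privilege: the portal may only execute the procedures in the app schema.
-- No db_owner, no db_datawriter, no direct table access.
GRANT EXECUTE ON SCHEMA::[app] TO [$AppLogin];
"@
Invoke-Sqlcmd -ServerInstance $Instance -Database $Database -Query $provision

# Check 1: the effective permissions the application login actually holds in the DB.
$effective = @"
EXECUTE AS LOGIN = N'$AppLogin';
SELECT permission_name, entity_name FROM fn_my_permissions(NULL, 'DATABASE');
REVERT;
"@
Invoke-Sqlcmd -ServerInstance $Instance -Database $Database -Query $effective |
    Format-Table -AutoSize

# Check 2: every login that is a member of sysadmin. The application login
# must not be in this list; anything unexpected here is a finding.
$sysadmins = @"
SELECT sp.name
FROM sys.server_principals AS sp
WHERE sp.type IN ('S', 'U', 'G')          -- SQL logins, Windows users, Windows groups
  AND IS_SRVROLEMEMBER('sysadmin', sp.name) = 1;
"@
Invoke-Sqlcmd -ServerInstance $Instance -Query $sysadmins | Format-Table -AutoSize
```

Granting EXECUTE on a schema rather than SELECT/INSERT on tables also means that even if the web tier is compromised or suffers SQL injection, the connection it holds cannot read or modify tables outside the stored procedures it was given.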

Thank you all, and with these discussions I have now got a better understanding of the subject. I was also reading that from a SQL Server standpoint, it is also a good option to change the default port number of SQL Server and also to create a named instance rather than the default instance. This method may also be a step to help protect SQL Server databases from unwanted attacks.

    thanks

  • Tomys wrote:

Thank you all, and with these discussions I have now got a better understanding of the subject. I was also reading that from a SQL Server standpoint, it is also a good option to change the default port number of SQL Server and also to create a named instance rather than the default instance. This method may also be a step to help protect SQL Server databases from unwanted attacks.

    thanks


That used to be 100% true; however, it's certainly not an absolute. If your firewalls and the rest of your network hardening are done properly, 1433 is taken care of.

    Michael L John
    If you assassinate a DBA, would you pull a trigger?
    To properly post on a forum:
    http://www.sqlservercentral.com/articles/61537/

  • Excellent thank you!
