Can SQL Server accept / refuse a connection by IP?

  • roger-733473 (12/14/2010)


    perhaps somebody who knows what they are talking about can explain which specific security failings of SQL Server make it unsuitable for use as a firewall

    Been doin' this for a long time now so how about this...

    1. By the time you are validating IP addresses they are already on the SQL server and "Man in the middle" attacks start like this.

    2. If you are controlling IP access by code or table then you are always debugging connection issues.

    3. Each connection to the server takes somewhere between 28 to 46 K of memory and you want to use SQL server to verify IPs by connection. There are other reasons, but they deal with indexes and the query optimisation engine.

    Think about it, this will either create a bottleneck for the outside application which no one will use, or a memory resource issue for SQL server that will create performance issues. And again you will be offloading these types of checks to something designed for the job.

    And how about you read up on the functions that a firewall, IIS and ISA do, and understand that these are the correct tools for the job. Yes, you can obviously crack a nut with a train, but you won't have much nut to play with.

    CodeOn (not on my servers)

    😛
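    As an added illustration (not from any poster in this thread) of the mechanism the question is about, here is a T-SQL logon trigger that refuses sessions whose client address is not in an allow-list table. It demonstrates point 1 above: the trigger fires only after the TCP connection and login authentication have already completed, so it can refuse a session but not a packet. The table name, trigger name and the 10.0.0.25 address are constructed for the example.

    ```sql
    USE master;
    GO

    -- Constructed allow-list. '<local machine>' is what EVENTDATA() reports
    -- for shared-memory / local connections, so admins on the box stay in.
    CREATE TABLE dbo.AllowedClientHosts (ClientHost sysname NOT NULL PRIMARY KEY);
    INSERT INTO dbo.AllowedClientHosts (ClientHost)
    VALUES ('<local machine>'), ('10.0.0.25');   -- sample address, constructed
    GO

    CREATE TRIGGER trg_RefuseUnlistedClientIp
    ON ALL SERVER WITH EXECUTE AS 'sa'
    FOR LOGON
    AS
    BEGIN
        -- Runs after the TCP handshake and after the login has authenticated:
        -- a refused caller has already consumed a connection and produced a
        -- successful-logon audit record. A host/network firewall drops the
        -- packet before any of that happens, which is the thread's point.
        DECLARE @host sysname =
            EVENTDATA().value('(/EVENT_INSTANCE/ClientHost)[1]', 'sysname');

        IF ORIGINAL_LOGIN() <> 'sa'          -- break-glass: never lock out sa
           AND NOT EXISTS (SELECT 1 FROM master.dbo.AllowedClientHosts
                           WHERE ClientHost = @host)
        BEGIN
            -- ROLLBACK inside a logon trigger terminates the session;
            -- the client sees a logon failure attributed to trigger execution.
            ROLLBACK;
        END
    END;
    GO

    -- Recovery if the trigger breaks every logon (for example the allow-list
    -- table is dropped): connect via the Dedicated Admin Connection
    -- (sqlcmd -A) or start the instance in minimal configuration (-f), then:
    -- DROP TRIGGER trg_RefuseUnlistedClientIp ON ALL SERVER;
    ```

    Every rejected attempt still shows up as a completed login in the SQL Server log, which is the "already on the SQL server" problem the post describes.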

  • Malcolm Daughtree (12/14/2010)


    roger-733473 (12/14/2010)


    perhaps somebody who knows what they are talking about can explain which specific security failings of SQL Server make it unsuitable for use as a firewall

    Been doin' this for a long time now so how about this...

    1. By the time you are validating IP addresses they are already on the SQL server and "Man in the middle" attacks start like this.

    2. If you are controlling IP access by code or table then you are always debugging connection issues.

    3. Each connection to the server takes somewhere between 28 to 46 K of memory and you want to use SQL server to verify IPs by connection. There are other reasons, but they deal with indexes and the query optimisation engine.

    Think about it, this will either create a bottleneck for the outside application which no one will use, or a memory resource issue for SQL server that will create performance issues. And again you will be offloading these types of checks to something designed for the job.

    And how about you read up on the functions that a firewall, IIS and ISA do, and understand that these are the correct tools for the job. Yes, you can obviously crack a nut with a train, but you won't have much nut to play with.

    CodeOn (not on my servers)

    😛

    Like Malcolm is alluding to, there are just a lot of functions you plain don't have access to in SQL Server since it isn't a firewall: no way to block alternate protocols, no easy way to deal with zones or IP ranges, etc. I'm not even going to try to describe how many ways this gets to be dysfunctional, other than to say - use the right tool for the right purpose.

    You could always try to use a stale donut as a hammer, but it will do a poor job at being a hammer and leave a large mess everywhere. It's not the donut's fault - it's just not designed for the task.

    ----------------------------------------------------------------------------------
    Your lack of planning does not constitute an emergency on my part...unless you're my manager...or a director and above...or a really loud-spoken end-user..All right - what was my emergency again?

  • so no security issues then

  • roger-733473 (12/15/2010)


    so no security issues then

    Malcolm's reference to a man in the middle attack is a huge security issue. Not being able to control or block alternate protocols is also a security issue. Any major functionality you'd expect from a firewall you cannot implement in another app is by nature a security issue.

    ----------------------------------------------------------------------------------
    Your lack of planning does not constitute an emergency on my part...unless you're my manager...or a director and above...or a really loud-spoken end-user..All right - what was my emergency again?
