December 3, 2002 at 6:09 pm
How can I make sense of the NET_ADDRESS column in the SYSPROCESSES table?
I need to know the IP address of all the users that connect to SS2K.
Is it possible? I need to restrict the IP addresses that hit the SS2K database.
Am I on the right track by looking at the NET_ADDRESS column in the SYSPROCESSES table?
Thanks in advance,
Billy
December 3, 2002 at 6:59 pm
Just doing a bit of research on the net...
the title of this thread should really be called:
"restricting access to SQL Server based on IP Address"
is it true that I only have two options for restricting db access based on ip address (because SQL Server is not built to operate like that). My two options are:
1) use a firewall
2) use sql agent to execute a SP every X secs that monitors the processes and KILL the processes that have a net_address that are not found on my list of approved MAC addresses.
Billy
December 3, 2002 at 7:04 pm
Pretty much, yes.
NET_ADDRESS, as you've probably discovered, corresponds to the MAC address of the connecting client. The second action really bites because it means you have to keep up with MAC addresses. Not exactly fun.
If you have a router or switch, you could also use ACLs there to control access. A firewall isn't the only hardware that'll do the job. I think we're looking at ACLs on our core switches to restrict access to the production environment.
Out of curiousity, what are you trying to stop... authorized users accessing from outside of a normal, approved IP range?
K. Brian Kelley
http://www.truthsolutions.com/
Author: Start to Finish Guide to SQL Server Performance Monitoring
http://www.netimpress.com/shop/product.asp?ProductID=NI-SQL1
K. Brian Kelley
@kbriankelley
December 3, 2002 at 7:19 pm
Thanks for your response. I am just thinking about furthering security on the sql server db we have. Putting a sql server open to the net, not sure if it is enough just having username/password for security.
Billy
December 3, 2002 at 7:30 pm
You're doing B2B? Or do you need it to service a web site?
Some general thoughts:
(1) Use SSL (you can create your own cert and any who want to connect will have to have your CA's certificate if you force encryption on). Does mean whoever is connecting has to have MDAC 2.6 or above. Generally not a prob if SQL 2K tools have been installed on the client.
(2) Don't use port 1433, pick another. This forces whoever wants to connect to you to have to know the port.
(3) If you use SSL, you're going to have to have a FQDN for the cert that matches the server and the user(s) will have to connect using that FQDN. If you don't publish it in DNS, it forces your users to insert an entry into their hosts file. May be beyond the capability of most users.
K. Brian Kelley
http://www.truthsolutions.com/
Author: Start to Finish Guide to SQL Server Performance Monitoring
http://www.netimpress.com/shop/product.asp?ProductID=NI-SQL1
K. Brian Kelley
@kbriankelley
December 3, 2002 at 7:46 pm
not b2b... just thinking about how security should be addressed if the topic ever comes up.
thanks for your info. I'll keep the SSL in mind.
Billy
Viewing 6 posts - 1 through 5 (of 5 total)
You must be logged in to reply to this topic. Login to reply