web server security

Posted on 2003-03-20
Medium Priority
Last Modified: 2010-04-20
Here's the problem.
There are 2 branches connected with each other via VPN.
They are using an asp.net application to access a SQL Server which is located at one location.
Now an asp.net website is being created with IIS. It is dynamic and needs to connect to the SQL Server.
There is a firewall between the web server and the SQL Server.
This is not secure enough.

Can anyone please tell me what else can be used?

Question by:chizzy123

Accepted Solution

PCBackup earned 1000 total points
ID: 8180958
Your question leaves me with many of my own questions about your situation.  It is not entirely clear why this is not secure enough, but based on your statements, I'll take a stab at it.

Since you mentioned you're using a VPN between two locations, I'm going to guess that these communications, the asp.net application, and the SQL server are all private to just these two locations without any public access.  This seems secure enough to me, in that the VPN communications are all encrypted fully across the communications channel.

The reason for your concern with the new web server appears at first glance to be because this is intended to be a public web server.  Certainly, you could setup a web server on your private intranet, but then your concern would be unfounded.  So, I'm going to guess that you are concerned about opening up your private network to outside dangers.

Working on that assumption, the first order of business would be to make sure that your IIS server is completely hardened and protected.  No matter what else you do, if you lose control of your IIS server, you have the risk of penetration to the SQL server.  You will need to provide some trusted way for IIS to get to the SQL server, and if the IIS is compromised, then you might as well have no firewall to your SQL server.  This statement also implies that you should minimize the type of access to the server hosting the IIS web server.  Adding multiple services, like mail, web, and news, to this server only creates additional opportunities for break-in.

Secondly, you should set up the SQL server to limit access from very specific addresses, like only the web server IP address.  You should also consider some type of packet inspection on all network traffic to watch for questionable requests to the database server, in case the IIS server or other parts of the network are compromised.  This can be costly, but if you're really concerned about security, it is an option.

Lastly, make sure all setup on the SQL server has been examined to ensure no default passwords or access paths are available.  You should turn off all access to this server except through the SQL query from the web server and any internal applications.  Certainly, leaving it open to various access methods, even behind the firewall, offers the opportunity for a break-in through other doorways if a different part of your network is compromised from behind the firewall.  This might occur through remote dialup access in place in your organization or other creative hacker methods.  Since all of this is so complex, it really depends upon a full inspection of your network security, rather than just the connection between IIS and the SQL server.  This is something that deserves more than just a quick answer on this expert exchange website.

One last protective measure might be to set up an additional network connection on both the IIS server and the SQL server and connect them through a dedicated network just between the two servers.  This prevents any break-in through a firewall that is connected to a public network, but depends even more tightly upon proper lockdown of the IIS server.

In summary, system security is a complicated task that must be approached from many different angles because attacks can happen in so many different ways.  Whatever you do in your architecture, if you're running Microsoft servers, just make sure they are updated frequently and completely with all available patches.  If not, none of the rest of your effort matters.
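The two concrete steps in the answer above (allow the SQL listener only from the web server's address, and turn off every other access path on the database host) can be applied and verified on the SQL Server machine with the Windows Firewall cmdlets. This is an added example, not code from the question or the answer; it assumes the SQL Server host runs a Windows version with the NetSecurity module (Windows Server 2012 or later), that SQL Server listens on its default TCP port 1433, and that the web server's address is 10.0.2.10, which is a placeholder to replace.

```powershell
# Added example: lock inbound SQL Server access on the database host to the IIS
# server only, then verify what is actually reachable. Run elevated on the SQL host.
# Assumptions: NetSecurity module available (Windows Server 2012+), SQL on TCP 1433,
# web server address 10.0.2.10 (placeholder, not from the original page).

$WebServerIp = '10.0.2.10'   # placeholder: the IIS server's address
$SqlPort     = 1433

# Default-deny inbound on every profile so nothing reaches the host
# unless a rule explicitly allows it.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# Allow the SQL listener only when the source is the web server.
New-NetFirewallRule -DisplayName 'SQL Server - allow from IIS only' `
    -Direction Inbound -Protocol TCP -LocalPort $SqlPort `
    -RemoteAddress $WebServerIp -Action Allow -Profile Any

# Check 1: every enabled inbound allow rule that covers the SQL port, with its
# remote scope. Any rule here whose RemoteAddress is 'Any' undoes the restriction.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains "$SqlPort" } |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        [pscustomobject]@{ Rule = $_.DisplayName; RemoteAddress = ($addr -join ',') }
    }

# Check 2: every TCP port the host is listening on and the process behind it.
# Anything beyond the SQL listener (and whatever you use for administration)
# is an extra "doorway" to disable or remove.
Get-NetTCPConnection -State Listen |
    Select-Object LocalAddress, LocalPort, OwningProcess |
    Sort-Object LocalPort -Unique
```

Check 1 is the part worth keeping as a recurring audit: a firewall rule added later by an installer or an administrator with a remote scope of Any silently reopens the port to the whole network, so re-run it after any change on the host. If the servers are joined by the dedicated back-to-back link the answer suggests, bind the allow rule to that interface's address rather than to a routed one.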


Assisted Solution

shalomc earned 1000 total points
ID: 8203720
If you already have a VPN between the branches,
and if your IIS server will not be exposed to the Internet but only to the other branch,
AND if you trust the other branch (do not laugh, I've seen it before...),
THEN you can place the IIS server inside the firewall and not worry. Your protection is as good as the firewall and the VPN products.
