
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 328

web server security

Here's the problem:
There are 2 branches connected with each other via VPN.
They are using an ASP.NET application to access a SQL Server which is located at one location.
Now an ASP.NET website is being created with IIS. It is dynamic and needs to connect to the SQL Server.
There is a firewall between the web server and the SQL Server.
This is not secure enough.

Can anyone please tell me what else can be used?

2 Solutions
Your question leaves me with many of my own questions about your situation.  It is not entirely clear why this is not secure enough, but based on your statements, I'll take a stab at it.

Since you mentioned you're using a VPN between two locations, I'm going to guess that these communications, the asp.net application, and the SQL server are all private to just these two locations without any public access.  This seems secure enough to me, in that the VPN communications are all encrypted fully across the communications channel.

The reason for your concern with the new web server appears at first glance to be because this is intended to be a public web server.  Certainly, you could set up a web server on your private intranet, but then your concern would be unfounded.  So, I'm going to guess that you are concerned about opening up your private network to outside dangers.

Working on that assumption, the first order of business would be to make sure that your IIS server is completely hardened and protected.  No matter what else you do, if you lose control of your IIS server, you have the risk of penetration to the SQL server.  You will need to provide some trusted way for IIS to get to the SQL server, and if the IIS is compromised, then you might as well have no firewall to your SQL server.  This statement also implies that you should minimize the type of access to the server hosting the IIS web server.  Adding multiple services, like mail, web, and news, to this server only creates additional opportunities for break-in.

Secondly, you should set up the SQL server to limit access from very specific addresses, like only the web server IP address.  You should also consider some type of packet inspection on all network traffic to watch for questionable requests to the database server, in case the IIS server or other parts of the network are compromised.  This can be costly, but if you're really concerned about security, it is an option.

Lastly, make sure all setup on the SQL server has been examined to ensure no default passwords or access paths are available.  You should turn off all access to this server except through the SQL query from the web server and any internal applications.  Certainly, leaving it open to various access methods, even behind the firewall, offers the opportunity for a break-in through other doorways if a different part of your network is compromised from behind the firewall.  This might occur through remote dial-up access in place in your organization or other creative hacker methods.  Since all of this is so complex, it really depends upon a full inspection of your network security, rather than just the connection between IIS and the SQL server.  This is something that deserves more than just a quick answer on this expert exchange website.

One last protective measure might be to set up an additional network connection on both the IIS server and the SQL server and connect them through a dedicated network just between the two servers.  This prevents any break-in through a firewall that is connected to a public network, but depends even more tightly upon proper lockdown of the IIS server.

In summary, system security is a complicated task that must be approached from many different angles because attacks can happen in so many different ways.  Whatever you do in your architecture, if you're running Microsoft servers, just make sure they are updated frequently and completely with all available patches.  If not, none of the rest of your effort matters.
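The two host-level steps from the answer above, restricting the SQL Server port to the web server's address and checking the instance for default access paths, can be scripted on the SQL Server host. The following is an added example and not code from the answerer or from Microsoft; it assumes a Windows Server with the NetSecurity firewall cmdlets (Server 2012 or later), a default instance listening on TCP 1433, the SqlServer PowerShell module for the final audit query, and a placeholder web server address of 10.0.0.20 that you would replace with your own.

```powershell
# Added example (not from the original answers). Run elevated on the SQL Server host.
# Assumptions: TCP 1433 for the default instance, web server at 10.0.0.20 (placeholder),
# SqlServer module installed for Invoke-Sqlcmd.

$WebServerIp = '10.0.0.20'                      # placeholder: the IIS server's address
$SqlPort     = 1433
$RuleName    = 'SQL Server 1433 - web server only'

# 1. Default-deny inbound on every profile. Windows Firewall then drops any connection
#    that no explicit allow rule covers, which is what keeps other hosts off port 1433.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# 2. Remove any broader inbound allow rule for the SQL port (an installer may have
#    added one that accepts connections from any address). Windows Firewall has no
#    "deny wins over allow" problem here because we only keep a single allow rule.
Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -eq "$SqlPort" } |
    Get-NetFirewallRule |
    Where-Object {
        $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.DisplayName -ne $RuleName
    } |
    ForEach-Object {
        Write-Host "Removing broad SQL allow rule: $($_.DisplayName)"
        Remove-NetFirewallRule -Name $_.Name
    }

# 3. Allow 1433 only from the web server, and only on the non-public profiles.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort $SqlPort -RemoteAddress $WebServerIp -Action Allow -Profile Domain,Private
}

# 4. Verify: the remaining allow rule for 1433 should name only the web server address.
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress

# 5. Audit the instance for the "default access paths" the answer warns about:
#    the built-in 'sa' login should be disabled and xp_cmdshell should be off.
$audit = Invoke-Sqlcmd -ServerInstance 'localhost' -Query @"
SELECT 'sa_disabled' AS check_name, CAST(is_disabled AS int) AS ok
FROM sys.server_principals WHERE name = 'sa'
UNION ALL
SELECT 'xp_cmdshell_off', CASE WHEN value_in_use = 0 THEN 1 ELSE 0 END
FROM sys.configurations WHERE name = 'xp_cmdshell';
"@

foreach ($row in $audit) {
    $state = if ($row.ok -eq 1) { 'OK' } else { 'FAIL' }
    "{0}: {1}" -f $row.check_name, $state
}
```

Step 1 matters more than step 3: an allow rule scoped to one remote address only restricts anything if the profile's default inbound action is Block, so the script sets that first and then strips any wider allow rule for the port. The audit at the end reports a FAIL rather than changing anything, since disabling `sa` or turning off `xp_cmdshell` should be done deliberately after confirming no internal application still depends on them.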

If you already have a VPN between the branches,
and if your IIS server will not be exposed to the Internet but only to the other branch,
AND if you trust the other branch (do not laugh, I've seen it before...),
THEN you can place the IIS server inside the firewall and not worry. Your protection is as good as the firewall and the VPN products.

