Solved

Security help: SQL Server, cable modem and a linksys router

Posted on 2004-10-03
Last Modified: 2010-04-09
Hello everyone,

I'm a self-starter and I have been working on building some .NET applications for my business. I have also been using SQL Server 2000 for a number of years with these applications.

Last week I wrote a great little app for remote access to my SQL Server. My office is connected to the internet by a cable modem through a Linksys BRFSR41v3 router. I changed the SQL Server receiving port from 1433 to well...something else and routed incoming traffic on that port to the SQL Server box. I'm also using some pretty complex passwords. My application is connecting to the SQL Server and running just fine. In fact, by letting some employees work from home, this new app could save me hundreds of hours of work in the next year, not to mention dollars. OK, let’s mention dollars. If my SQL Server gets hacked, I lose many of them.

Now that I've opened that port to the outside world, I'm starting to get a bit nervous. I know I can filter out all incoming IPs except the ones I allow to connect, but all users won't always have a static IP address. What would you do next? Thanks!
Question by:Justin_Case_77
5 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 12216285
I would set up a secure VPN server and let users VPN in from home and use the private IPs.
There are plenty of people out there with time on their hands to scan your IP subnet and discover SQL running on a non-standard port and start poking around.
0
 
LVL 3

Author Comment

by:Justin_Case_77
ID: 12230467
After some reading, I discovered that I can write a web service that will return datasets to my apps. I am using IIS (W2K) with port 80 already exposed. Do you think a web service would be more secure than exposing the SQL Server port? If so, what kind of performance hit might I incur?
0
 
LVL 3

Accepted Solution

by:
Felix2000 earned 250 total points
ID: 12235377
You must determine your level of security. Running SQL on a non-standard port or via a web interface is still a bad idea if you have something to lose.
You also have to remember that your data being returned and sent is being sent in clear text (unless your app encrypts it), so the possibility of somebody seeing data in transit also exists.
As lrmoore suggested, a VPN is a great idea and probably the best.
Another option is to run an SSH server on a machine (preferably the mysql box) and set up SSH port forwarding. Essentially a poor man's VPN.

So the client runs an SSH client and connects to your box; the port forward will forward, say, 3306 from their local machine through an encrypted ssh tunnel to, say, the localhost (127.0.0.1) 3306 of your mysql box.
With this you get encryption, plus someone must break another level of security (ssh passwords) to begin getting at your mysql server.

-= Felix2000 =-
0
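The SSH port forward described in the accepted answer, written out as an added configuration example (not part of the original thread). It assumes OpenSSH on both ends; the account name `dbtunnel`, the alias `officedb` and the host `gateway.example.com` are placeholders, and 3306 is the port used in the answer, to be replaced by whatever port the database actually listens on. Key-only login is a hardening choice made for this example.

```conf
# Server side: /etc/ssh/sshd_config on the SSH host (OpenSSH assumed).
# "dbtunnel" is a hypothetical account used only for the port forward.
Match User dbtunnel
    # Allow local (-L) forwards only, and only to the database port
    # on the SSH host's own loopback address (3306 as in the answer).
    AllowTcpForwarding local
    PermitOpen 127.0.0.1:3306
    # No shell, terminal, X11, agent forwarding or tun device:
    # a stolen credential yields the one forward and nothing else.
    ForceCommand /bin/false
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    PermitTunnel no
    # Example hardening choice: public-key login only for this account,
    # so the tunnel does not depend on password strength.
    PasswordAuthentication no

# Client side: ~/.ssh/config on the home user's machine.
# "officedb" and gateway.example.com are placeholders.
Host officedb
    HostName gateway.example.com
    User dbtunnel
    # Listen on the client's loopback only and forward to the
    # server's loopback, so the tunnel is not shared with the home LAN.
    LocalForward 127.0.0.1:3306 127.0.0.1:3306
    # Fail at startup if the forward cannot be set up.
    ExitOnForwardFailure yes
    ServerAliveInterval 30

# Start the tunnel without running a remote command:
#   ssh -N officedb
# The application then connects to 127.0.0.1:3306 on the client machine.
```

With this layout the router forwards only the SSH port, and the forward for the database port can be removed so the database is no longer reachable directly from the internet.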
 
LVL 3

Author Comment

by:Justin_Case_77
ID: 12245179
Thanks Guys,

What do you think of the Smart Client Idea as a remedy? Be patient. I'll award the points soon.
0
 
LVL 3

Expert Comment

by:Felix2000
ID: 12245206
What is the Smart Client? Is that the web service?

-= Felix =-
0
