Solved

Security help: SQL Server, cable modem and a linksys router

Posted on 2004-10-03
Last Modified: 2010-04-09
Hello everyone,

I'm a self-starter and I have been working on building some .NET applications for my business.  I have also been using SQL Server 2000 for a number of years with these applications.

Last week I wrote a great little app for remote access to my SQL Server. My office is connected to the internet by a cable modem through a Linksys BRFSR41v3 router. I changed the SQL Server receiving port from 1433 to well...something else and routed incoming traffic on that port to the SQL Server box.  I'm also using some pretty complex passwords. My application is connecting to the SQL Server and running just fine. In fact, by letting some employees work from home, this new app could save me hundreds of hours of work in the next year, not to mention dollars. OK, let’s mention dollars. If my SQL Server gets hacked, I lose many of them.

Now that I've opened that port to the outside world, I'm starting to get a bit nervous. I know I can filter out all incoming IPs except the ones I allow to connect, but all users won't always have a static IP address. What would you do next?  Thanks!
Question by:Justin_Case_77
5 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 12216285
I would set up a secure VPN server and let users VPN in from home and use the private IPs.
There are plenty of people out there with time on their hands to scan your IP subnet and discover SQL running on a non-standard port and start poking around.
 
LVL 3

Author Comment

by:Justin_Case_77
ID: 12230467
After some reading, I discovered that I can write a web service that will return datasets to my apps. I am using IIS (W2K) with port 80 already exposed. Do you think a web service would be more secure than exposing the SQL Server port?  If so, what kind of performance hit might I incur?
 
LVL 3

Accepted Solution

by:
Felix2000 earned 250 total points
ID: 12235377
You must determine your level of security. Running SQL on a non-standard port or via a web interface is still a bad idea if you have something to lose.
You also have to remember now that your data being returned and sent is being sent in clear text (unless your app encrypts it), so the possibility of somebody seeing data in transit also exists.
As lrmoore suggested, a VPN is a great idea and probably the best.
Another option is to run an SSH server on a machine (preferably the mysql box) and set up SSH port forwarding.  Essentially a poor man's VPN.

So the client runs an SSH client and connects to your box; the port forward will forward, say, 3306 from their local machine through an encrypted SSH tunnel to, say, the localhost (127.0.0.1) 3306 of your mysql box.
With this you get encryption, plus someone must break another level of security (SSH passwords) to begin getting at your mysql server.

-= Felix2000 =-
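The port forward described in the accepted answer, as an added example that is not part of the original thread: it prints the client-side `ssh` command for a loopback-to-loopback tunnel on port 3306 and classifies `-L` forward specs that would defeat the point of the tunnel. The account name `tunnel`, the host `db.example.com` and the function names are placeholders chosen for illustration; only IPv4 addresses and host names are handled.

```shell
#!/bin/sh
# Added example; user, host and function names are constructed placeholders.

# Print the client command for the tunnel from the answer:
# 127.0.0.1:LPORT on the client -> encrypted SSH -> 127.0.0.1:RPORT on the DB box.
build_tunnel_cmd() {  # usage: build_tunnel_cmd USER HOST LPORT RPORT
    printf 'ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:127.0.0.1:%s %s@%s\n' \
        "$3" "$4" "$1" "$2"
}

is_loopback() {
    case "$1" in
        127.0.0.1|localhost) return 0 ;;
        *) return 1 ;;
    esac
}

# Classify an ssh -L spec of the form [bind:]lport:dest:rport.
# Prints: ok | exposed-bind | remote-dest | invalid
check_forward() {
    spec=$1
    old_ifs=$IFS; IFS=:
    set -f; set -- $spec; set +f   # split on ':' without glob expansion
    IFS=$old_ifs
    case $# in
        3) bind=127.0.0.1; dest=$2 ;;  # no bind given: loopback unless GatewayPorts is set
        4) bind=$1; dest=$3 ;;
        *) echo invalid; return 1 ;;
    esac
    # An empty, '*' or non-loopback bind lets other hosts on the client's
    # network connect to the tunnel entrance.
    if ! is_loopback "$bind"; then echo exposed-bind; return 1; fi
    # A non-loopback destination means the last hop from the SSH host to the
    # database is outside the tunnel and the database must listen on the network.
    if ! is_loopback "$dest"; then echo remote-dest; return 1; fi
    echo ok
}

# Demo with the port number used in the answer.
build_tunnel_cmd tunnel db.example.com 3306 3306
```

With the tunnel up, the application connects to 127.0.0.1 on the local port instead of the office's public address, and the database port no longer needs to be forwarded on the router.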
 
LVL 3

Author Comment

by:Justin_Case_77
ID: 12245179
Thanks Guys,

What do you think of the Smart Client Idea as a remedy? Be patient. I'll award the points soon.
 
LVL 3

Expert Comment

by:Felix2000
ID: 12245206
What is the Smart Client? Is that the web service?

-= Felix =-