Solved

Security help: SQL Server, cable modem and a linksys router

Posted on 2004-10-03
5
450 Views
Last Modified: 2010-04-09
Hello everyone,

I'm a self starter and I have been working with building some .NET applications for my business.  I have also have been using SQL Server 2000 for a number of years with these applications.  

Last week I wrote a great little app for remote access to my SQL Server. My office is connected to the internet by a cable modem through a Linksys BRFSR41v3 router. I changed the SQL Server receiving port from 1433 to well...something else and routed incoming traffic on that port to the SQL Server box.  I'm also using some pretty complex passwords. My application is connecting to the SQL Server and running just fine. In fact, by letting some employees work from home, this new app could save me hundreds of hours of work in the next year, not to mention dollars. OK, let’s mention dollars. If my SQL Server gets hacked, I loose many of them.

Now that I've opened that port to the outside world, I'm starting to get a bit nervous. I know I can filter out all incoming IP's except the one's I allow to connect but all users won't always have a static IP address. What would you do next?  Thanks!
0
Comment
Question by:Justin_Case_77
  • 2
  • 2
5 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 12216285
I would setup a secure VPN server and let users VPN in from home and use the private IP's.
There are plenty of people out there with time on their hands to scan your IP subnet and discover SQL running on a non-standard port and start poking around.
0
 
LVL 3

Author Comment

by:Justin_Case_77
ID: 12230467
After some reading, I discovered that I can write a web service that will return datasets to my apps. I am using IIS (W2K) with port 80 already exposed. Do you think a web service would be more secure than exposing the SQL Server port?  If so, what kind of performance hit might I encur?
0
 
LVL 3

Accepted Solution

by:
Felix2000 earned 250 total points
ID: 12235377
You must determine your level of security. Running SQL on a non standard port or via a web interface is still a bad idea if you have something to lose.
You also have to remember now that your data being returned and sent is being sent in clear text (unless your app encrypts it) so the possiblities of somebody also seeing data in transit also exists.
As lrmoore suggested a VPN is a great idea and probably the best.
Another option is to run an SSH server on a machine (preferable the mysql box). And setup SSH port forwarding.  Essentially poor mans VPN.

So the client runs an SSH client and connect to your box, the port forward will forward say 3306 from their local machine through an encrypted ssh tunnel to say the localhost(127.0.0.1) 3306 of you mysql box.
With this you get encrypts plus someone must break another level of security (ssh passwords) to begin getting at your mysql server.

-= Felix2000 =-
0
 
LVL 3

Author Comment

by:Justin_Case_77
ID: 12245179
Thanks Guys,

What do you think of the Smart Client Idea as a remedy? Be patient. I'll award the points soon.
0
 
LVL 3

Expert Comment

by:Felix2000
ID: 12245206
What is the Smart Client? Is that the web service?

-= Felix =-
0

Featured Post

Watch Anatomy of a Wi-Fi Hack On-Demand

In less than a weekend, anyone with Internet access and some free time can become a Wi-Fi MitM to wreak havoc on your network. View our Wi-Fi Expert in an on-demand episode of our Secure Wi-Fi mini-series as he explores the motives, execution, and anatomy of a Wi-Fi hack.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Wikipedia defines 'Script Kiddies' in this informal way: "In hacker culture, a script kiddie, occasionally script bunny, skiddie, script kitty, script-running juvenile (SRJ), or similar, is a derogatory term used to describe those who use scripts or…
The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
I've attached the XLSM Excel spreadsheet I used in the video and also text files containing the macros used below. https://filedb.experts-exchange.com/incoming/2017/03_w12/1151775/Permutations.txt https://filedb.experts-exchange.com/incoming/201…

685 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question