Solved

How to connect to SQL server on our Intranet

Posted on 2005-03-30
Last Modified: 2012-06-21
Hi,

We have an SQL server on our intranet and a web server running IIS which has ASP pages for viewing/editing etc. data from the SQL server within the intranet.

The intranet has a connection to the internet via an ADSL router so we have a public dynamic IP and all the intranet PCs are behind NAT.

Which is the best way to access the SQL server data?

1- Access the intranet by forwarding port 80 on the router to the IIS server (what about security?)
2- Access the intranet SQL server by port forwarding on the router and using enterprise manager to connect remotely?
3- Place some ASP pages on a hosted webserver on the public internet (and these connect to our intranet somehow) and we can access these...

I am very stuck with this and do not know the security implications of each one....

Thanks,

Ben
Question by:intangiblemedia
8 Comments
 
LVL 11

Expert Comment

by:Jokra_the_Barbarian
ID: 13664893
If you are attempting to access the intranet from the outside and run ASP pages, then:
1. I would use SSL to access the intranet.
2. Validate intranet access (on the top level intranet page) using NT/Windows.
3. If the intranet pages are already displaying data (by accessing from the intranet), then you shouldn't have to modify anything with the connection string.
4. A best practice for database security is to not embed the connection string in the ASP page. It should reside somewhere else like the web.config page that Internet users wouldn't be able to access. It is also good practice to run the pages under a user 'alias'. In ASP.NET pages, this would be the aspnet_user account in windows.

Hope this helps.
 

Author Comment

by:intangiblemedia
ID: 13665490
Thanks Jokra,

Can I validate the intranet access on the top level page using validation against a recordset and create sessions on the ASP pages so that no other pages can be accessed unless they have successfully logged in on the login page?

Also, what if I post all the existing intranet pages on a public hosted website and stick in a connection string to the SQL server in a private folder. As I understand it, it would call over the internet using SSL and go through port 14xx and perform the database queries? Is it safe?

Thanks and ready to close after next suitable post.
 
LVL 9

Accepted Solution

by: caball88 earned 1500 total points
ID: 13665889
ok let me get this straight, you are trying to 1) find a safe way for IIS to talk to SQL server? or are you trying to 2) access your sql server remotely outside your network?

1) if this is the case i would put the IIS machine on a DMZ which is on your network but restricted. only allow port 1433 (sql) for the local ip address of your sql server through to your local network. so now the IIS machine can only talk to your SQL server. it cannot communicate with any other box on your local network unless you specify permission to do so.

2) if you are trying to connect remotely to your SQL server then i would suggest setting up a VPN. you'll establish a virtual connection to your network and then you can use enterprise manager to connect to sql server. i assume this would be for management and administration.

i am a little confused when you say access the intranet because to me the intranet is the local network and cannot be accessed from the outside. are you trying to access the intranet remotely? if so refer to solution 2 and use a VPN.
 
LVL 11

Expert Comment

by:Jokra_the_Barbarian
ID: 13666169
Are you using ASP 3.0 or ASP.NET pages?
 

Author Comment

by:intangiblemedia
ID: 13668997
Jokra,

Thanks again. We are using ASP 3.0

I was hoping to open port 1433 from the public internet to the private side of our intranet and point it to the SQL server with port forwarding. This would allow our website to have forms so that they can interact with the db remotely as they are hosted on public internet in London and our intranet is in Spain.

In addition, I wanted to allow remote workers to access the intranet and view the pages that work off the SQL server, so I was thinking of pointing port 80 to the IIS machine on our intranet so when our ADSL's public IP is accessed in HTTP, it would point them to a login page on the IIS machine on the intranet and if login was successful they could see the intranet pages.

I tried setting up a Linksys VPN WRV54g router but with no success. So I am looking at an alternative way around this.

 
LVL 34

Expert Comment

by:arbert
ID: 13671832
"I was hoping to open port 1433 from the public internet to the private side of our intranet and point it to the SQL server with port forwarding. This would allow our website to have forms so that they can interact with the db remotely as they are hosted on public internet in London and our intranet is in Spain."


OUCH, I would never open your SQL Server to the internet--how much do you value your data? Force people to use a VPN, or web applications that have your IIS server in the DMZ talking to your SQL Server....
 
LVL 9

Expert Comment

by:caball88
ID: 13671969
my solution is basically identical to arbert's comment. you never ever expose your sql server to the internet. that would be a BIG security concern. if you need to connect to it remotely VPN is your solution. As far as the webserver is concerned it should be on a DMZ if not so already. webservers are exposed to the internet and are basically shunned from the local network. only specific ports and ip addresses from the local network are allowed to communicate with the webserver. This greatly reduces the chances of the webserver being the single point of entry for an attacker. When designing a solution it's best to keep things simple but when you compromise things such as security it's not worth it.
0
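
The DMZ rule from the accepted solution (web server may reach only the SQL server, only on port 1433) and the point repeated above (SQL Server is never forwarded from the internet) can be checked against a router's rule list. This is an added example, not code from any poster in the thread; the IP addresses, the rule tuples and the `audit` function are assumptions made for illustration.

```python
import ipaddress

# Constructed sample data: every address below is an assumption, not from the thread.
WEB_DMZ = "192.168.2.10"   # IIS server placed in the DMZ
SQL_LAN = "192.168.1.20"   # SQL Server on the internal network
SQL_PORT = 1433

# Router port forwards: (wan_port, target_ip, target_port)
PORT_FORWARDS = [
    (443, WEB_DMZ, 443),       # SSL to the web server, as suggested in the first reply
    (1433, SQL_LAN, 1433),     # the forward proposed in the question
]

# DMZ -> LAN allow rules: (source_ip, destination_network, port)
DMZ_TO_LAN = [
    (WEB_DMZ, SQL_LAN + "/32", 1433),   # the one rule the accepted solution allows
    (WEB_DMZ, "192.168.1.0/24", 445),   # too wide: whole LAN, wrong port
]


def audit(forwards, dmz_rules, web=WEB_DMZ, sql=SQL_LAN):
    """Return a list of findings for rules that break the DMZ design."""
    findings = []
    web_ip = ipaddress.ip_address(web)
    sql_ip = ipaddress.ip_address(sql)

    # Internet-facing forwards may only land on the DMZ web server.
    for wan_port, target, target_port in forwards:
        target_ip = ipaddress.ip_address(target)
        if target_ip == sql_ip:
            findings.append(f"forward WAN:{wan_port} -> {target}:{target_port} "
                            "exposes SQL Server to the internet")
        elif target_ip != web_ip:
            findings.append(f"forward WAN:{wan_port} -> {target}:{target_port} "
                            "bypasses the DMZ web server")

    # The DMZ may reach exactly one LAN host (SQL Server) on exactly one port.
    for src, dst, port in dmz_rules:
        dst_net = ipaddress.ip_network(dst, strict=False)
        only_sql = dst_net.num_addresses == 1 and sql_ip in dst_net
        if ipaddress.ip_address(src) != web_ip or not only_sql or port != SQL_PORT:
            findings.append(f"DMZ rule {src} -> {dst}:{port} is wider than "
                            f"web server -> SQL Server on {SQL_PORT}")
    return findings


if __name__ == "__main__":
    for finding in audit(PORT_FORWARDS, DMZ_TO_LAN):
        print("FINDING:", finding)
```

Remote administration with Enterprise Manager does not appear in either list because, per the thread, it goes over the VPN rather than through a forwarded port.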
 
LVL 11

Expert Comment

by:Jokra_the_Barbarian
ID: 13673939
You shouldn't have to worry about access to SQL Server. The only thing that you should have to ensure is that somebody can access the web pages (on the intranet web site) and that they are authenticated. The web pages can then run under an impersonated or aliased windows account. You would also use this user to access SQL Server. That way, you don't have to grant permissions to public or individual users on SQL Server.

Question has a verified solution.
