increase security for the firewall

Gemini532 asked
Medium Priority
Last Modified: 2013-11-16
I need advice on how to increase security for the firewall...
Right now all the ports are closed except two of them because the internet application needs to reach the database to update the information in the database.
If someone were to compromise the web server, they could easily get to all the databases located on the server which can be accessed from the internet in order for the code to update the databases.  I need to find a way to lock this down, and still have the application connect to the database.
Is there a way?  If not, is there a way to increase security?
Is there a way to hide which ports are open from hackers?

Distinguished Expert 2019

I suppose if they were on two different internal subnets that had traffic between them channelled through the firewall... but even that won't solve what you're trying to do.

Any ports open would be visible by anyone who is within an arm's length of that server. One thing you could do is have the database server drop any ICMP traffic via something like a software firewall. That would prevent things like pings. Maybe you should look at better securing each server... for example, using IISLockdown on the web server (assuming it runs Windows and IIS on it).

However, anything that's left open to the world will always have a shot at being exploited... hence why you try to open up as little as possible. And you'll also want to make sure anything that doesn't need to be accessed by the outside is behind as much protection as possible.
Distinguished Expert 2019
You can always look into hardening the OS on the servers... you want to make it as hard as possible for people to exploit the servers in the first place. Nothing is 100% secure though. Getting rid of unneeded parts of the OS, things like that.


One question. Are your users trusted or not? (i.e., your staff or just Joe Public). If trusted then use hard token authentication and encryption to keep anyone else out at the entry point. This removes the need for too much inside protection.

The obvious but 'expensive' way is to create a DMZ that has a web server (or a top tier presentation layer server) which has the access. Then database calls could be controlled through the firewall to only allow traffic to hit the database server from the DMZ server, not the outside.
Then, you would be able to limit the access to the database server, thus adding another layer that would need to be breached.

Next, add in a service account that cannot be seen within AD and use this to access the Database server. Assign it specific roles within the database to only do what it needs. If someone were to gain control of the DMZ server, they would then need to break the userid/password for the inside database server. Console access to the DMZ server would not be enough to get through the firewall or onto the database server.

Use SSL for your internet application thus allowing you to reduce access to only come in via 443. Then, change the SSL port to something obscure (eg 43215) and check it does not conflict with some other common application just in case.

All you are doing is reducing the chance of an opportunist hacker. If someone is determined, and has your external IP address, they will certainly do enough damage for it to be felt. How much is up to you I guess.

Hope this helps
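The "only let the DMZ server reach the database" rule described in this answer, as an added example on the database server's own host firewall (it is not from the original thread or any of its posters). It assumes a Windows database server with the NetSecurity PowerShell module, SQL Server on TCP 1433, and a constructed DMZ web server address of 10.0.1.10; it also drops ICMP echo as the first answer suggested.

```powershell
# Added example: host firewall on the database server so that only the
# DMZ web server can open the database port. Run as Administrator.
# Assumptions: SQL Server listening on TCP 1433; DMZ web server at 10.0.1.10
# (constructed placeholder address, replace with the real DMZ host).

$DmzWebServer = '10.0.1.10'   # assumed DMZ host; only this address may reach the DB
$DbPort       = 1433          # assumed SQL Server port

# 1. Default deny inbound on every profile, so anything not explicitly
#    allowed below (including the DB port from other addresses) is dropped.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Allow

# 2. Allow the database port only from the DMZ web server.
New-NetFirewallRule -DisplayName 'Allow SQL from DMZ web server' `
    -Direction Inbound -Protocol TCP -LocalPort $DbPort `
    -RemoteAddress $DmzWebServer -Action Allow -Profile Any

# 3. Explicitly drop ICMPv4 echo requests so the server does not answer pings
#    (default deny already covers this; the explicit rule documents intent and
#    survives someone re-enabling the built-in "Echo Request" rules).
New-NetFirewallRule -DisplayName 'Drop ICMPv4 echo request' `
    -Direction Inbound -Protocol ICMPv4 -IcmpType 8 -Action Block -Profile Any

# 4. Verify: show the address filter actually bound to the SQL rule.
Get-NetFirewallRule -DisplayName 'Allow SQL from DMZ web server' |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress
```

The service account for the application is still the second half of this control: the firewall limits who can reach the port, while a database login granted only the roles the application needs limits what a compromised DMZ host can do once connected.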