Solved

ASP.NET External Web/Database Application Hosting Security Model

Posted on 2009-07-01
2
648 Views
Last Modified: 2013-12-14
I have a design question.  

I would like to keep a website hosted offsite.  We will be using an internal application that hits the database via windows authentication every day, while external users would be hitting it via the hosted external website.  Their changes would be added to the same database after some validation checks.  

My thought is to open up a port in the firewall to allow database access (SQL Server 2008) for the external web server  and have it access the database on our LAN.

- Would this be a viable security model? If not, how are applications like this usually deployed?
- Will the performance be horrible for external users without a database sitting closer to the web server?

Thanks!
0
Comment
Question by:looneybins
2 Comments
 
LVL 37

Accepted Solution

by:
Bing CISM / CISSP earned 500 total points
Comment Utility
- Would this be a viable security model? If not, how are applications like this usually deployed?

it really depends on the application architecture of your external services and internal business. however, from the external web server to the internal SQL server through the firewall, the following considerations are recommended.

1. NO SQL server port should be opened on the firewall. this will make your SQL server available to any host on the internet though windows authentication is in use. VPN is required here. only a VPN port is open to the internet. VPN can be implemented on the firewall, if possible. the external web server should access the database over a secured VPN channel.

2. windows authentication between IIS, ASP.NET and SQL is still necessary even over the VPN connection.

3. if external web users need to interact with the IIS and then the SQL, be aware injection attack, always transform users input into parameters and pass them to store procedures on SQL. no direct queries.

4. SQL server should only talk to specific servers, not all client computers.

5. run MBSA on IIS and SQL to identify missing patches and vulnerabilities. implement IISLockdown based on its role.

- Will the performance be horrible for external users without a database sitting closer to the web server?

again, it actually depends on the bandwidth available between the external IIS and your SQL over VPN (as mentioned above), and the transactions size. however, commonly, for a decent network and a few transactions per min. that should not be a problem.

hope it helps,
bbao
0
 

Author Closing Comment

by:looneybins
Comment Utility
Thank you for your insight.  I was going to restrict the usage of a SQL port to just the IIS offsite host, but good point about the VPN.  That not only encrypts the data but keeps port scanners unaware of what services are available VIA the WAN port.
0

Featured Post

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

Join & Write a Comment

Join Greg Farro and Ethan Banks from Packet Pushers (http://packetpushers.net/podcast/podcasts/pq-show-93-smart-network-monitoring-paessler-sponsored/) and Greg Ross from Paessler (https://www.paessler.com/prtg) for a discussion about smart network …
PRTG Network Monitor lets you monitor your bandwidth usage, so you know who is using up your bandwidth, and what they're using it for.
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now