Solved

ASP.NET External Web/Database Application Hosting Security Model

Posted on 2009-07-01
2
666 Views
Last Modified: 2013-12-14
I have a design question.  

I would like to keep a website hosted offsite.  We will be using an internal application that hits the database via windows authentication every day, while external users would be hitting it via the hosted external website.  Their changes would be added to the same database after some validation checks.  

My thought is to open up a port in the firewall to allow database access (SQL Server 2008) for the external web server  and have it access the database on our LAN.

- Would this be a viable security model? If not, how are applications like this usually deployed?
- Will the performance be horrible for external users without a database sitting closer to the web server?

Thanks!
0
Comment
Question by:looneybins
2 Comments
 
LVL 37

Accepted Solution

by:
Bing CISM / CISSP earned 500 total points
ID: 24808476
- Would this be a viable security model? If not, how are applications like this usually deployed?

it really depends on the application architecture of your external services and internal business. however, from the external web server to the internal SQL server through the firewall, the following considerations are recommended.

1. NO SQL server port should be opened on the firewall. this will make your SQL server available to any host on the internet though windows authentication is in use. VPN is required here. only a VPN port is open to the internet. VPN can be implemented on the firewall, if possible. the external web server should access the database over a secured VPN channel.

2. windows authentication between IIS, ASP.NET and SQL is still necessary even over the VPN connection.

3. if external web users need to interact with the IIS and then the SQL, be aware injection attack, always transform users input into parameters and pass them to store procedures on SQL. no direct queries.

4. SQL server should only talk to specific servers, not all client computers.

5. run MBSA on IIS and SQL to identify missing patches and vulnerabilities. implement IISLockdown based on its role.

- Will the performance be horrible for external users without a database sitting closer to the web server?

again, it actually depends on the bandwidth available between the external IIS and your SQL over VPN (as mentioned above), and the transactions size. however, commonly, for a decent network and a few transactions per min. that should not be a problem.

hope it helps,
bbao
0
 

Author Closing Comment

by:looneybins
ID: 31598941
Thank you for your insight.  I was going to restrict the usage of a SQL port to just the IIS offsite host, but good point about the VPN.  That not only encrypts the data but keeps port scanners unaware of what services are available VIA the WAN port.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If your business is like most, chances are you still need to maintain a fax infrastructure for your staff. It’s hard to believe that a communication technology that was thriving in the mid-80s could still be an essential part of your team’s modern I…
In this article, I am going to show you how to simulate a multi-site Lab environment on a single Hyper-V host. I use this method successfully in my own lab to simulate three fully routed global AD Sites on a Windows 10 Hyper-V host.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

910 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now