Solved

ASP.NET External Web/Database Application Hosting Security Model

Posted on 2009-07-01
Last Modified: 2013-12-14
I have a design question.  

I would like to keep a website hosted offsite. We will be using an internal application that hits the database via Windows authentication every day, while external users would be hitting it via the hosted external website. Their changes would be added to the same database after some validation checks.

My thought is to open up a port in the firewall to allow database access (SQL Server 2008) for the external web server and have it access the database on our LAN.

- Would this be a viable security model? If not, how are applications like this usually deployed?
- Will the performance be horrible for external users without a database sitting closer to the web server?

Thanks!
Question by:looneybins

Accepted Solution

by:
bbao earned 500 total points
ID: 24808476
- Would this be a viable security model? If not, how are applications like this usually deployed?

It really depends on the application architecture of your external services and internal business. However, from the external web server to the internal SQL server through the firewall, the following considerations are recommended.

1. NO SQL server port should be opened on the firewall. This will make your SQL server available to any host on the internet though Windows authentication is in use. VPN is required here. Only a VPN port is open to the internet. VPN can be implemented on the firewall, if possible. The external web server should access the database over a secured VPN channel.

2. Windows authentication between IIS, ASP.NET and SQL is still necessary even over the VPN connection.

3. If external web users need to interact with the IIS and then the SQL, be aware of injection attacks: always transform user input into parameters and pass them to stored procedures on SQL. No direct queries.

4. SQL server should only talk to specific servers, not all client computers.

5. Run MBSA on IIS and SQL to identify missing patches and vulnerabilities. Implement IISLockdown based on its role.

- Will the performance be horrible for external users without a database sitting closer to the web server?

Again, it actually depends on the bandwidth available between the external IIS and your SQL over VPN (as mentioned above), and the transaction size. However, commonly, for a decent network and a few transactions per min., that should not be a problem.

Hope it helps,
bbao
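
Points 2 and 3 of the answer above, shown as an added example that is not part of bbao's answer or the original thread: an ASP.NET data-access method that connects with Windows authentication and passes validated user input to a stored procedure as typed parameters. The server name, database, procedure name, parameter names and length limits are all hypothetical.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example: every name below (server, database, procedure, parameters) is hypothetical.
public static class ExternalSubmissionWriter
{
    // Integrated Security = Windows authentication. The server address is the one
    // reachable through the VPN tunnel, so no SQL port is exposed on the firewall
    // and no SQL login or password is stored on the external web host.
    private const string ConnectionString =
        "Server=sql01.corp.example;Database=AppDb;Integrated Security=SSPI";

    public static void SaveSubmission(string customerName, string comment)
    {
        // Validation checks run before anything is sent to the database.
        if (string.IsNullOrEmpty(customerName) || customerName.Length > 100)
            throw new ArgumentException("customerName must be 1-100 characters.", "customerName");
        if (comment == null || comment.Length > 2000)
            throw new ArgumentException("comment must be at most 2000 characters.", "comment");

        using (SqlConnection conn = new SqlConnection(ConnectionString))
        using (SqlCommand cmd = new SqlCommand("dbo.usp_AddExternalSubmission", conn))
        {
            // The command text is only the procedure name; user input is never
            // concatenated into SQL text.
            cmd.CommandType = CommandType.StoredProcedure;

            // Typed, length-bounded parameters: the values travel as data, so quotes
            // or SQL keywords inside them are not interpreted as SQL.
            cmd.Parameters.Add("@CustomerName", SqlDbType.NVarChar, 100).Value = customerName;
            cmd.Parameters.Add("@Comment", SqlDbType.NVarChar, 2000).Value = comment;

            conn.Open();
            cmd.ExecuteNonQuery();
        }
    }
}
```

The parameters protect against injection only if the stored procedure itself does not concatenate them into dynamic SQL.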

Author Closing Comment

by:looneybins
ID: 31598941
Thank you for your insight. I was going to restrict the usage of a SQL port to just the IIS offsite host, but good point about the VPN. That not only encrypts the data but keeps port scanners unaware of what services are available via the WAN port.