Solved

ASP.NET External Web/Database Application Hosting Security Model

Posted on 2009-07-01
Last Modified: 2013-12-14
I have a design question.  

I would like to keep a website hosted offsite. We will be using an internal application that hits the database via Windows authentication every day, while external users would be hitting it via the hosted external website. Their changes would be added to the same database after some validation checks.

My thought is to open up a port in the firewall to allow database access (SQL Server 2008) for the external web server and have it access the database on our LAN.

- Would this be a viable security model? If not, how are applications like this usually deployed?
- Will the performance be horrible for external users without a database sitting closer to the web server?

Thanks!
Question by:looneybins
2 Comments

Accepted Solution

by:
bbao earned 500 total points
ID: 24808476
- Would this be a viable security model? If not, how are applications like this usually deployed?

It really depends on the application architecture of your external services and internal business. However, for the path from the external web server to the internal SQL Server through the firewall, the following considerations are recommended.

1. NO SQL Server port should be opened on the firewall. This will make your SQL Server available to any host on the internet, even though Windows authentication is in use. A VPN is required here: only a VPN port is open to the internet. The VPN can be implemented on the firewall, if possible. The external web server should access the database over a secured VPN channel.

2. Windows authentication between IIS, ASP.NET and SQL is still necessary even over the VPN connection.

3. If external web users need to interact with IIS and then SQL, be aware of injection attacks: always transform user input into parameters and pass them to stored procedures on SQL. No direct queries.

4. SQL Server should only talk to specific servers, not all client computers.

5. Run MBSA on IIS and SQL to identify missing patches and vulnerabilities. Implement IISLockdown based on its role.

- Will the performance be horrible for external users without a database sitting closer to the web server?

Again, it actually depends on the bandwidth available between the external IIS and your SQL over the VPN (as mentioned above), and on the transaction size. However, commonly, for a decent network and a few transactions per minute, that should not be a problem.

Hope it helps,
bbao
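Point 3 of the accepted answer (parameters and stored procedures instead of direct queries) and point 2 (Windows authentication end to end) are easiest to see side by side in ASP.NET data-access code. The following is an added example, not code from bbao or from the asker's application: it shows a concatenated INSERT next to the parameterized stored-procedure call that replaces it. The connection string, the `dbo.ExternalChanges` table, the `dbo.AddExternalChange` procedure and its parameter names are assumptions made for illustration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example (not the answer's or the asker's code). Assumed stored procedure,
// created on the internal SQL Server 2008 instance:
//
//   CREATE PROCEDURE dbo.AddExternalChange
//       @ExternalUser NVARCHAR(64), @Note NVARCHAR(1000), @NewId INT OUTPUT
//   AS
//   BEGIN
//       INSERT INTO dbo.ExternalChanges (ExternalUser, Note) VALUES (@ExternalUser, @Note);
//       SET @NewId = SCOPE_IDENTITY();
//   END
public static class ChangeRepository
{
    // Integrated Security=SSPI is Windows authentication (point 2): the IIS
    // application-pool identity, not a SQL login in the config file, is what
    // authenticates across the VPN. Encrypt=True protects the wire as well.
    // Host name and database name are placeholders.
    private const string ConnectionString =
        "Data Source=sql01.corp.example;Initial Catalog=AppDb;" +
        "Integrated Security=SSPI;Encrypt=True;TrustServerCertificate=False;";

    // Vulnerable form ("direct query"): user input is spliced into the SQL text,
    // so a quote character in either value ends the string literal and whatever
    // follows is parsed as SQL. Shown only as the "before" of the fix below.
    public static void SaveChangeUnsafe(string externalUser, string note)
    {
        string sql = "INSERT INTO dbo.ExternalChanges (ExternalUser, Note) VALUES ('"
                     + externalUser + "', '" + note + "')";
        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            conn.Open();
            cmd.ExecuteNonQuery();
        }
    }

    // Hardened form: the command text is only the procedure name, and the user
    // input travels as typed, length-limited parameters. Nothing the user types
    // can change the statement's structure, which is the point of the advice above.
    public static int SaveChange(string externalUser, string note)
    {
        // Application-side validation still belongs here (the asker mentioned
        // validation checks); parameterization prevents injection, not bad data.
        if (string.IsNullOrEmpty(externalUser) || externalUser.Length > 64)
            throw new ArgumentException("externalUser must be 1-64 characters", "externalUser");
        if (note == null || note.Length > 1000)
            throw new ArgumentException("note must be at most 1000 characters", "note");

        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand("dbo.AddExternalChange", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@ExternalUser", SqlDbType.NVarChar, 64).Value = externalUser;
            cmd.Parameters.Add("@Note", SqlDbType.NVarChar, 1000).Value = note;

            var newId = new SqlParameter("@NewId", SqlDbType.Int);
            newId.Direction = ParameterDirection.Output;
            cmd.Parameters.Add(newId);

            conn.Open();
            cmd.ExecuteNonQuery();
            return (int)newId.Value;
        }
    }
}
```

The database side of point 3 is the matching permission grant: the web application's Windows identity gets EXECUTE on `dbo.AddExternalChange` and no INSERT or SELECT rights on the underlying table, so even a bug in the web tier cannot reach the data except through the procedure's validation.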

Author Closing Comment

by:looneybins
ID: 31598941
Thank you for your insight. I was going to restrict the usage of a SQL port to just the IIS offsite host, but good point about the VPN. That not only encrypts the data but keeps port scanners unaware of what services are available via the WAN port.
