Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

ASP.NET External Web/Database Application Hosting Security Model

Posted on 2009-07-01
2
Medium Priority
?
782 Views
Last Modified: 2013-12-14
I have a design question.  

I would like to keep a website hosted offsite.  We will be using an internal application that hits the database via windows authentication every day, while external users would be hitting it via the hosted external website.  Their changes would be added to the same database after some validation checks.  

My thought is to open up a port in the firewall to allow database access (SQL Server 2008) for the external web server  and have it access the database on our LAN.

- Would this be a viable security model? If not, how are applications like this usually deployed?
- Will the performance be horrible for external users without a database sitting closer to the web server?

Thanks!
0
Comment
Question by:looneybins
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 37

Accepted Solution

by:
bbao earned 2000 total points
ID: 24808476
- Would this be a viable security model? If not, how are applications like this usually deployed?

it really depends on the application architecture of your external services and internal business. however, from the external web server to the internal SQL server through the firewall, the following considerations are recommended.

1. NO SQL server port should be opened on the firewall. this will make your SQL server available to any host on the internet though windows authentication is in use. VPN is required here. only a VPN port is open to the internet. VPN can be implemented on the firewall, if possible. the external web server should access the database over a secured VPN channel.

2. windows authentication between IIS, ASP.NET and SQL is still necessary even over the VPN connection.

3. if external web users need to interact with the IIS and then the SQL, be aware injection attack, always transform users input into parameters and pass them to store procedures on SQL. no direct queries.

4. SQL server should only talk to specific servers, not all client computers.

5. run MBSA on IIS and SQL to identify missing patches and vulnerabilities. implement IISLockdown based on its role.

- Will the performance be horrible for external users without a database sitting closer to the web server?

again, it actually depends on the bandwidth available between the external IIS and your SQL over VPN (as mentioned above), and the transactions size. however, commonly, for a decent network and a few transactions per min. that should not be a problem.

hope it helps,
bbao
0
 

Author Closing Comment

by:looneybins
ID: 31598941
Thank you for your insight.  I was going to restrict the usage of a SQL port to just the IIS offsite host, but good point about the VPN.  That not only encrypts the data but keeps port scanners unaware of what services are available VIA the WAN port.
0

Featured Post

Looking for the Wi-Fi vendor that's right for you?

We know how difficult it can be to evaluate Wi-Fi vendors, so we created this helpful Wi-Fi Buyer's Guide to help you find the Wi-Fi vendor that's right for your business! Download the guide and get started on our checklist today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article is a collection of issues that people face from time to time and possible solutions to those issues. I hope you enjoy reading it.
Make the most of your online learning experience.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
Suggested Courses

721 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question