Solved

Punching a hole in a firewall

Posted on 2014-03-24
2
856 Views
Last Modified: 2014-11-12
Hello All,

We have two programs that we want to give remote users access to.  Both programs are on a server inside our firewall in our building.  Both programs have Access as a front end and SQL as the backend.

The question are (and I hope I ask them correctly, this is WAY out of my area of knowledge), I want to punch holes in the firewall for specific IP addresses (our users) and only open port 1433.  Is this a viable idea?, Is this a huge security issue (I am under the impression that if you tell the firewall to only accept from specific IPs it is more secure, plus we are only opening port 1433)? Would we be better off putting the backends on Azure and just replicating the info from our server to Azure?

Any info is greatly appreciated!
0
Comment
Question by:alevin16
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 63

Accepted Solution

by:
btan earned 500 total points
ID: 39952385
As a whole from security perspective, we should not (or avoid) exposing the database server access directly to internet. It is not sound to make such high risk and "punch" the hole just for that server. Indeed you can layer it with VPN, NAC, static whitelisted host IP and have 2FA check on identity but having to remote DB is (to me) quite risky, even with dedicated leased line. Nonetheless, it will be good if we can have some proxy or jump server to front it and have such privileged activities monitored and reviewed by the security ops team where possible. There are solution that govern this path due to need for remote admin purposes. Better to re-visit and have some risk assessment for the intent as data leakage and mass malware infestion within the DC is not a good and easy situation to isolate and remediate (pardon for being conservative as a whole).

Also for DB server in Cloud, it still comes back to same challenge of the risk involved, such as loss of confidentiality, and integrity for data in transit, data at rest and data in use. Azure has security measures in place to bind identity but the question is how will the "outsourcing" risks on the mentioned be managed and remediated with the third party solution - good to find out more especially you housing enterprise data in the cloud.

Some security guideline and limitation from Microsoft on Azure to be aware as well. They did highlighted outbound 1433 (including  database-level firewall rules for the respective databases) and see also the best practice extracted to reduce the exposure.

Always use the latest updates: When connecting to your SQL Database, always use the most current version of tools and libraries to prevent security vulnerabilities. For more information about which tools and libraries are supported, see General Guidelines and Limitations (Windows Azure SQL Database).

Block inbound connections on TCP port 1433: Only outbound connections on TCP port 1433 are needed for applications to communicate with Windows Azure SQL Database. If inbound communications are not needed by any other applications on that computer, ensure that your firewall continues to block inbound connections on TCP port 1433.

Prevent injection vulnerabilities: To make sure that your applications do not have SQL injection vulnerabilities, use parameterized queries where possible. Also, be sure to review code thoroughly and run a penetration test before deploying your application.
0
 

Author Comment

by:alevin16
ID: 39953888
Thank you for this posting.  This is extremely informative!  I am going to do some research on what you suggested and see where it leads me.  Thank you again!
0

Featured Post

SuperAntiSpyware Licenses Discounted by 25% !

Exclusive offer to Experts Exchange Members!
Buy SuperAntiSpyware License(s) from us and save 25% on the regular purchase price.
- Includes Full SuperAntiSpyware Vendor Support Entitlements
- Your Subscription does not begin until you activate your license
- Buy for your friends

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Provide an easy one stop to quickly get the relevant information on common asked question on Ransomware in Expert Exchange.
The Nano Server Image Builder helps you create a custom Nano Server image and bootable USB media with the aid of a graphical interface. Based on the inputs you provide, it generates images for deployment and creates reusable PowerShell scripts that …
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
I've attached the XLSM Excel spreadsheet I used in the video and also text files containing the macros used below. https://filedb.experts-exchange.com/incoming/2017/03_w12/1151775/Permutations.txt https://filedb.experts-exchange.com/incoming/201…

737 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question