Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Punching a hole in a firewall

Posted on 2014-03-24
2
Medium Priority
?
1,016 Views
Last Modified: 2014-11-12
Hello All,

We have two programs that we want to give remote users access to.  Both programs are on a server inside our firewall in our building.  Both programs have Access as a front end and SQL as the backend.

The question are (and I hope I ask them correctly, this is WAY out of my area of knowledge), I want to punch holes in the firewall for specific IP addresses (our users) and only open port 1433.  Is this a viable idea?, Is this a huge security issue (I am under the impression that if you tell the firewall to only accept from specific IPs it is more secure, plus we are only opening port 1433)? Would we be better off putting the backends on Azure and just replicating the info from our server to Azure?

Any info is greatly appreciated!
0
Comment
Question by:alevin16
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 65

Accepted Solution

by:
btan earned 2000 total points
ID: 39952385
As a whole from security perspective, we should not (or avoid) exposing the database server access directly to internet. It is not sound to make such high risk and "punch" the hole just for that server. Indeed you can layer it with VPN, NAC, static whitelisted host IP and have 2FA check on identity but having to remote DB is (to me) quite risky, even with dedicated leased line. Nonetheless, it will be good if we can have some proxy or jump server to front it and have such privileged activities monitored and reviewed by the security ops team where possible. There are solution that govern this path due to need for remote admin purposes. Better to re-visit and have some risk assessment for the intent as data leakage and mass malware infestion within the DC is not a good and easy situation to isolate and remediate (pardon for being conservative as a whole).

Also for DB server in Cloud, it still comes back to same challenge of the risk involved, such as loss of confidentiality, and integrity for data in transit, data at rest and data in use. Azure has security measures in place to bind identity but the question is how will the "outsourcing" risks on the mentioned be managed and remediated with the third party solution - good to find out more especially you housing enterprise data in the cloud.

Some security guideline and limitation from Microsoft on Azure to be aware as well. They did highlighted outbound 1433 (including  database-level firewall rules for the respective databases) and see also the best practice extracted to reduce the exposure.

Always use the latest updates: When connecting to your SQL Database, always use the most current version of tools and libraries to prevent security vulnerabilities. For more information about which tools and libraries are supported, see General Guidelines and Limitations (Windows Azure SQL Database).

Block inbound connections on TCP port 1433: Only outbound connections on TCP port 1433 are needed for applications to communicate with Windows Azure SQL Database. If inbound communications are not needed by any other applications on that computer, ensure that your firewall continues to block inbound connections on TCP port 1433.

Prevent injection vulnerabilities: To make sure that your applications do not have SQL injection vulnerabilities, use parameterized queries where possible. Also, be sure to review code thoroughly and run a penetration test before deploying your application.
0
 

Author Comment

by:alevin16
ID: 39953888
Thank you for this posting.  This is extremely informative!  I am going to do some research on what you suggested and see where it leads me.  Thank you again!
0

Featured Post

Get your Disaster Recovery as a Service basics

Disaster Recovery as a Service is one go-to solution that revolutionizes DR planning. Implementing DRaaS could be an efficient process, easily accessible to non-DR experts. Learn about monitoring, testing, executing failovers and failbacks to ensure a "healthy" DR environment.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many of the companies I’ve worked with have embraced cloud solutions due to their desire to “get out of the datacenter business.” The ability to achieve better security and availability, and the speed with which they are able to deploy, is far grea…
Windocks is an independent port of Docker's open source to Windows.   This article introduces the use of SQL Server in containers, with integrated support of SQL Server database cloning.
Visualize your data even better in Access queries. Given a date and a value, this lesson shows how to compare that value with the previous value, calculate the difference, and display a circle if the value is the same, an up triangle if it increased…
How to fix incompatible JVM issue while installing Eclipse While installing Eclipse in windows, got one error like above and unable to proceed with the installation. This video describes how to successfully install Eclipse. How to solve incompa…

618 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question