Solved

Punching a hole in a firewall

Posted on 2014-03-24
2
776 Views
Last Modified: 2014-11-12
Hello All,

We have two programs that we want to give remote users access to.  Both programs are on a server inside our firewall in our building.  Both programs have Access as a front end and SQL as the backend.

The question are (and I hope I ask them correctly, this is WAY out of my area of knowledge), I want to punch holes in the firewall for specific IP addresses (our users) and only open port 1433.  Is this a viable idea?, Is this a huge security issue (I am under the impression that if you tell the firewall to only accept from specific IPs it is more secure, plus we are only opening port 1433)? Would we be better off putting the backends on Azure and just replicating the info from our server to Azure?

Any info is greatly appreciated!
0
Comment
Question by:alevin16
2 Comments
 
LVL 62

Accepted Solution

by:
btan earned 500 total points
ID: 39952385
As a whole from security perspective, we should not (or avoid) exposing the database server access directly to internet. It is not sound to make such high risk and "punch" the hole just for that server. Indeed you can layer it with VPN, NAC, static whitelisted host IP and have 2FA check on identity but having to remote DB is (to me) quite risky, even with dedicated leased line. Nonetheless, it will be good if we can have some proxy or jump server to front it and have such privileged activities monitored and reviewed by the security ops team where possible. There are solution that govern this path due to need for remote admin purposes. Better to re-visit and have some risk assessment for the intent as data leakage and mass malware infestion within the DC is not a good and easy situation to isolate and remediate (pardon for being conservative as a whole).

Also for DB server in Cloud, it still comes back to same challenge of the risk involved, such as loss of confidentiality, and integrity for data in transit, data at rest and data in use. Azure has security measures in place to bind identity but the question is how will the "outsourcing" risks on the mentioned be managed and remediated with the third party solution - good to find out more especially you housing enterprise data in the cloud.

Some security guideline and limitation from Microsoft on Azure to be aware as well. They did highlighted outbound 1433 (including  database-level firewall rules for the respective databases) and see also the best practice extracted to reduce the exposure.

Always use the latest updates: When connecting to your SQL Database, always use the most current version of tools and libraries to prevent security vulnerabilities. For more information about which tools and libraries are supported, see General Guidelines and Limitations (Windows Azure SQL Database).

Block inbound connections on TCP port 1433: Only outbound connections on TCP port 1433 are needed for applications to communicate with Windows Azure SQL Database. If inbound communications are not needed by any other applications on that computer, ensure that your firewall continues to block inbound connections on TCP port 1433.

Prevent injection vulnerabilities: To make sure that your applications do not have SQL injection vulnerabilities, use parameterized queries where possible. Also, be sure to review code thoroughly and run a penetration test before deploying your application.
0
 

Author Comment

by:alevin16
ID: 39953888
Thank you for this posting.  This is extremely informative!  I am going to do some research on what you suggested and see where it leads me.  Thank you again!
0

Featured Post

Gigs: Get Your Project Delivered by an Expert

Select from freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely and get projects done right.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In the market for a new backup solution for Windows Server 2016? Follow these guidelines to get the most bang for your buck.
One of the biggest threats facing all high-value targets are APT's.  These threats include sophisticated tactics that "often starts with mapping human organization and collecting intelligence on employees, who are nowadays a weaker link than network…
This tutorial gives a high-level tour of the interface of Marketo (a marketing automation tool to help businesses track and engage prospective customers and drive them to purchase). You will see the main areas including Marketing Activities, Design …
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…

785 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question