Solved

Punching a hole in a firewall

Posted on 2014-03-24
2
741 Views
Last Modified: 2014-11-12
Hello All,

We have two programs that we want to give remote users access to.  Both programs are on a server inside our firewall in our building.  Both programs have Access as a front end and SQL as the backend.

The question are (and I hope I ask them correctly, this is WAY out of my area of knowledge), I want to punch holes in the firewall for specific IP addresses (our users) and only open port 1433.  Is this a viable idea?, Is this a huge security issue (I am under the impression that if you tell the firewall to only accept from specific IPs it is more secure, plus we are only opening port 1433)? Would we be better off putting the backends on Azure and just replicating the info from our server to Azure?

Any info is greatly appreciated!
0
Comment
Question by:alevin16
2 Comments
 
LVL 61

Accepted Solution

by:
btan earned 500 total points
ID: 39952385
As a whole from security perspective, we should not (or avoid) exposing the database server access directly to internet. It is not sound to make such high risk and "punch" the hole just for that server. Indeed you can layer it with VPN, NAC, static whitelisted host IP and have 2FA check on identity but having to remote DB is (to me) quite risky, even with dedicated leased line. Nonetheless, it will be good if we can have some proxy or jump server to front it and have such privileged activities monitored and reviewed by the security ops team where possible. There are solution that govern this path due to need for remote admin purposes. Better to re-visit and have some risk assessment for the intent as data leakage and mass malware infestion within the DC is not a good and easy situation to isolate and remediate (pardon for being conservative as a whole).

Also for DB server in Cloud, it still comes back to same challenge of the risk involved, such as loss of confidentiality, and integrity for data in transit, data at rest and data in use. Azure has security measures in place to bind identity but the question is how will the "outsourcing" risks on the mentioned be managed and remediated with the third party solution - good to find out more especially you housing enterprise data in the cloud.

Some security guideline and limitation from Microsoft on Azure to be aware as well. They did highlighted outbound 1433 (including  database-level firewall rules for the respective databases) and see also the best practice extracted to reduce the exposure.

Always use the latest updates: When connecting to your SQL Database, always use the most current version of tools and libraries to prevent security vulnerabilities. For more information about which tools and libraries are supported, see General Guidelines and Limitations (Windows Azure SQL Database).

Block inbound connections on TCP port 1433: Only outbound connections on TCP port 1433 are needed for applications to communicate with Windows Azure SQL Database. If inbound communications are not needed by any other applications on that computer, ensure that your firewall continues to block inbound connections on TCP port 1433.

Prevent injection vulnerabilities: To make sure that your applications do not have SQL injection vulnerabilities, use parameterized queries where possible. Also, be sure to review code thoroughly and run a penetration test before deploying your application.
0
 

Author Comment

by:alevin16
ID: 39953888
Thank you for this posting.  This is extremely informative!  I am going to do some research on what you suggested and see where it leads me.  Thank you again!
0

Featured Post

Free Gift Card with Acronis Backup Purchase!

Backup any data in any location: local and remote systems, physical and virtual servers, private and public clouds, Macs and PCs, tablets and mobile devices, & more! For limited time only, buy any Acronis backup products and get a FREE Amazon/Best Buy gift card worth up to $200!

Join & Write a Comment

Suggested Solutions

Companies keep a much closer eye on costs today, so changing to new Technology – Microsoft Office 365 is the smartest move to take.
Many companies are looking to get out of the datacenter business and to services like Microsoft Azure to provide Infrastructure as a Service (IaaS) solutions for legacy client server workloads, rather than continuing to make capital investments in h…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…
This video explains how to create simple products associated to Magento configurable product and offers fast way of their generation with Store Manager for Magento tool.

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now