?
Solved

Punching a hole in a firewall

Posted on 2014-03-24
2
Medium Priority
?
940 Views
Last Modified: 2014-11-12
Hello All,

We have two programs that we want to give remote users access to.  Both programs are on a server inside our firewall in our building.  Both programs have Access as a front end and SQL as the backend.

The question are (and I hope I ask them correctly, this is WAY out of my area of knowledge), I want to punch holes in the firewall for specific IP addresses (our users) and only open port 1433.  Is this a viable idea?, Is this a huge security issue (I am under the impression that if you tell the firewall to only accept from specific IPs it is more secure, plus we are only opening port 1433)? Would we be better off putting the backends on Azure and just replicating the info from our server to Azure?

Any info is greatly appreciated!
0
Comment
Question by:alevin16
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 64

Accepted Solution

by:
btan earned 2000 total points
ID: 39952385
As a whole from security perspective, we should not (or avoid) exposing the database server access directly to internet. It is not sound to make such high risk and "punch" the hole just for that server. Indeed you can layer it with VPN, NAC, static whitelisted host IP and have 2FA check on identity but having to remote DB is (to me) quite risky, even with dedicated leased line. Nonetheless, it will be good if we can have some proxy or jump server to front it and have such privileged activities monitored and reviewed by the security ops team where possible. There are solution that govern this path due to need for remote admin purposes. Better to re-visit and have some risk assessment for the intent as data leakage and mass malware infestion within the DC is not a good and easy situation to isolate and remediate (pardon for being conservative as a whole).

Also for DB server in Cloud, it still comes back to same challenge of the risk involved, such as loss of confidentiality, and integrity for data in transit, data at rest and data in use. Azure has security measures in place to bind identity but the question is how will the "outsourcing" risks on the mentioned be managed and remediated with the third party solution - good to find out more especially you housing enterprise data in the cloud.

Some security guideline and limitation from Microsoft on Azure to be aware as well. They did highlighted outbound 1433 (including  database-level firewall rules for the respective databases) and see also the best practice extracted to reduce the exposure.

Always use the latest updates: When connecting to your SQL Database, always use the most current version of tools and libraries to prevent security vulnerabilities. For more information about which tools and libraries are supported, see General Guidelines and Limitations (Windows Azure SQL Database).

Block inbound connections on TCP port 1433: Only outbound connections on TCP port 1433 are needed for applications to communicate with Windows Azure SQL Database. If inbound communications are not needed by any other applications on that computer, ensure that your firewall continues to block inbound connections on TCP port 1433.

Prevent injection vulnerabilities: To make sure that your applications do not have SQL injection vulnerabilities, use parameterized queries where possible. Also, be sure to review code thoroughly and run a penetration test before deploying your application.
0
 

Author Comment

by:alevin16
ID: 39953888
Thank you for this posting.  This is extremely informative!  I am going to do some research on what you suggested and see where it leads me.  Thank you again!
0

Featured Post

Learn by Doing. Anytime. Anywhere.

Do you like to learn by doing?
Our labs and exercises give you the chance to do just that: Learn by performing actions on real environments.

Hands-on, scenario-based labs give you experience on real environments provided by us so you don't have to worry about breaking anything.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Optimized for private cloud infrastructures and datacenters, Nano Server is minimalistic, yet super-efficient, OS for services such as Hyper-V and Hyper-V cluster. Learn how you can easily deploy Nano Server and unlock its power!
This article shows the steps required to install WordPress on Azure. Web Apps, Mobile Apps, API Apps, or Functions, in Azure all these run in an App Service plan. WordPress is no exception and requires an App Service Plan and Database to install
Michael from AdRem Software outlines event notifications and Automatic Corrective Actions in network monitoring. Automatic Corrective Actions are scripts, which can automatically run upon discovery of a certain undesirable condition in your network.…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…

801 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question