marrowyung asked:

install certificate on SQL server

hi,

For any SQL Server installing SSL security, under what situation would your customer do it? Usually the companies I work with install SSL only on the web server login page.

To protect a DB backup from getting restored to another DB? So using TDE? But must TDE use an SSL certificate from a known provider like Symantec?
Vitor Montalvão

That's to protect the communication between SQL Server and the machine that performed the request. If you're sure that no stranger can access that part of the network then you won't need SSL.
I would say that's more requested when your SQL Server database is accessible from the Internet directly.
marrowyung (ASKER)

"If you're sure that no stranger can access that part of the network then you won't need SSL."

Hi, this is one of the audit requirements.

"I would say that's more requested when your SQL Server database is accessible from the Internet directly."

Sure.

But what if it is from the web tier to SQL Server? And is encryption needed in the transport tier, network tier?
SSL should be installed on the web server for each page that needs a login and password, right? Not installed at the SQL Server level, right?
Is the web server in the same network as the SQL Server machine?
Is the web server already configured to use SSL?
If affirmative for both questions then you don't need SSL for SQL Server.
"Is the web server in the same network as the SQL Server machine?"

It doesn't matter, right?

"Is the web server already configured to use SSL?"

Someone insists they don't want to install it on the web server but on SQL Server.
It doesn't matter, right?
Yes it matters. Otherwise why would I ask a question that doesn't matter?

someone insist they don't want to install in web server but SQL server.
Who's that someone? Web servers are the servers that are more exposed to the outside world so they are in the first line to be attacked. If somebody is telling you that, it's because they aren't doing a good job. You can protect both servers but if you'll choose only one to have SSL then it must be the Web Server rather than the SQL Server machine.
"Yes it matters. Otherwise why would I ask a question that doesn't matter?"


From my point of view, as I come from the e-commerce industry, usually the web server doesn't join the domain, SQL Server is standalone, and the network in between communicates even across different subnets, and it doesn't matter for us.

So in this case, by your definition, it is NOT in the same network, right?

And then ...?


"You can protect both servers but if you'll choose only one to have SSL then it must be the Web Server rather than SQL Server machine."

OK, under what situation should we protect both if SQL Server is in the trusted zone and the web server is in the DMZ?

I thought SSL on SQL, from a technical point of view, is for when a feature like TDE is enabled on SQL Server, agree?
ASKER CERTIFIED SOLUTION
Vitor Montalvão

"Ok. You are literally correct. My mistake was to use a general "network" word. What I want to mean is if they are in the same data center or do you need to cross any external network to get to the SQL Server database?"

Same network: you are worrying that if it goes across DCs and uses the internet, there is a security risk? Usually companies use a VPN for it and this is not an issue at all, right?

"When you really want to be picky and add one more layer of protection."

For the web server or the DB? Why one more? What is it for?

"None of them depends on each other even you can configure both if you wish to."

You are talking about web SSL and DB TDE together, right?

"No. SSL it says that you're receiving a trustable network package"

A non-trustable network, so we need to install SSL, right?
Hi,

We just had this meeting now and I know more about what is going on with the finding on our system.

1) It is from the security scanning report that port 1433 has come out as a risk, but this is a high-level report by a security scanner; the PM who sent us this report doesn't even know what it means. :):)

But the concern is, this scan report is from an internal network, not from an external network.

Not making much sense, as the scanner should scan from the internet to see what the risk from the internet is, right?

2) They are arguing that from the internal network they can scan port 1433 and no encryption is enforced. One guy says when a client connects via 1433, the connection will be encrypted, and therefore it is SQL Server that doesn't encrypt the connection between the web/application server and SQL Server.

So this is the point, as the report shows a lot of risks with the same description.

I don't think it makes sense, right?
usually company use VPN for it and this is not an issue at all, right?
VPNs should be already secure.

why one more ? what is it for ?
That's the question you need to ask for those ones that want SSL enable for SQL Server.

none trustable network so we need to install SSL, right?
So your company network isn't trustable for you?

it is from the security scanning report that port 1433 has come out as a risk, but this is a high level report by a security scanner
If they are worried about port 1433 then what you need to do is to change the port number so nobody will know which one SQL Server is using.

not making much sense as the scanner should scan from internet to see what is the risk from internet, right?
If you use a scan to scan the internet then you can be accused as hacker. Only hackers scan internet for flaws so they can attack.

one guys say when client connect via 1433, the connection will be encrypted, and therefore it is the SQL server don't encrypt the connection between web/application server to SQL server.
I don't think that's true. Applications can encrypt their connections. It's only a parameter in the connection string to enable it.
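The connection-string parameter mentioned above, as an added example that is not code from the original thread: a small Python checker for SqlClient/ODBC-style connection strings that reports whether the client demands TLS and whether it validates the server certificate. The sample strings, the server name db1 and the password value are constructed for the example.

```python
"""Audit SqlClient/ODBC-style SQL Server connection strings; added example, not from the thread."""
# Encrypt values the drivers accept (case-insensitive); Mandatory/Optional/Strict are the newer
# Microsoft.Data.SqlClient spellings, yes/no/true/false the classic ones.
ENCRYPT_ON = {"true", "yes", "mandatory", "strict"}
ENCRYPT_OFF = {"false", "no", "optional"}
TRUE_VALUES = {"true", "yes"}
# Constructed sample strings (not from any real system): one hardened, one a port-1433 scan would flag.
SAMPLES = ("Server=db1;Database=shop;Encrypt=True;TrustServerCertificate=False",
           "Server=db1;Database=shop;Encrypt=no;User Id=app;Password={p;w}")


def split_pairs(conn):
    """Split on ';' but not inside {...}, where a password may legally contain ';'."""
    parts, buf, depth = [], [], 0
    for ch in conn:
        if ch == ";" and depth == 0:
            parts.append("".join(buf))
            buf = []
            continue
        depth += {"{": 1, "}": -1}.get(ch, 0)
        buf.append(ch)
    parts.append("".join(buf))
    return [p for p in parts if p.strip()]


def parse_connection_string(conn):
    """Map lower-cased keyword -> value, with the {} braces stripped from values."""
    kv = {}
    for part in split_pairs(conn):
        key, sep, value = part.partition("=")
        if sep:
            kv[key.strip().lower()] = value.strip().strip("{}")
    return kv


def audit_connection_string(conn):
    """Report whether the client demands TLS and whether it validates the server certificate."""
    kv = parse_connection_string(conn)
    encrypt = kv.get("encrypt", "").lower()
    trust = kv.get("trustservercertificate", "").lower()
    findings = []
    if encrypt == "":  # default is off in System.Data.SqlClient, on in Microsoft.Data.SqlClient 4+
        findings.append("Encrypt not set: set it explicitly rather than relying on the driver default")
    elif encrypt in ENCRYPT_OFF:
        # Only the login packet is then encrypted; query data crosses port 1433 in the clear.
        findings.append("Encrypt is off: set Encrypt=True (or Force Encryption on the server)")
    if trust in TRUE_VALUES:
        findings.append("TrustServerCertificate=True skips certificate validation: use a trusted cert")
    return {"encrypted": encrypt in ENCRYPT_ON, "cert_validated": trust not in TRUE_VALUES, "findings": findings}


if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", audit_connection_string(s))
```

The server-side counterpart is the Force Encryption flag in SQL Server Configuration Manager, which makes the server refuse unencrypted clients regardless of their connection string.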
"So your company network isn't trustable for you?"

No. I am thinking why they scan from the internal network and say port 1433 is not encrypted.

"If they are worried about port 1433 then what you need to do is to change to port number so nobody will know which one SQL Server is using."

No, they are saying the connection to port 1433 is not encrypted so they reported it; if we move to another port, that port is still not encrypted as well.

"If you use a scan to scan the internet then you can be accused as hacker. Only hackers scan internet for flaws so they can attack."

Yes, that is the case for an e-commerce company, as what they are worrying about is the attack from hackers; this makes sense.

Now, why does this company (a new company) scan from the internal network? Most likely they think the internal hacker is the most dangerous one, as the firewall doesn't block that.

"I don't think that's true. Applications can encrypt their connections. Is only a parameter in the connection string to enable it."

How about this?

1) https://technet.microsoft.com/en-us/library/ms189067(v=sql.105).aspx
2) https://support.microsoft.com/en-hk/help/316898/how-to-enable-ssl-encryption-for-an-instance-of-sql-server-by-using-microsoft-management-console
3) https://www.mssqltips.com/sqlservertip/3299/how-to-configure-ssl-encryption-in-sql-server/

So right now the problem is, the auditor scans from the internal network and sees port 1433 is not encrypted; what should we do technically?
What do you need?
To know about SSL or to know how to configure SQL Server to work with SSL?
I need to know if it is really valid to have SSL on port 1433; I never heard about that.

But I think the links I searched out say it can be either the web/application server asking for an SSL connection OR SQL Server starting SSL encryption; can't be both, right?

And if SQL Server really can enable SSL on port 1433, then how can I encrypt that?
need to know if it is really vaild to have SSL on 1433 port, I never heard about that.
There's no rule that says it's valid or not. Technically you can do it. It's up to you if you want this configuration or not.

but I think the link I search out is about it can be either web/application server ask for SSL connection OR SQL server start SSL encryption, can't be both, right ?
Yes, both can be used. As I said before, it's up to you if you want the extra security layer (SQL Server with SSL).

and if SQL server really can enable ssl on port 1433, then how can i encrypt that ?
That's what SSL does. It encrypts the connection so it will make it more secure.
Did you implement SSL on SQL Server port 1433 before? No different from installing SSL on a web server?

Never did this.

So do the links I sent you work?
I do not need to implement SSL in our SQL Server instances. We just have them well protected in a backend network behind firewalls. Only our web servers have SSL implemented because they're exposed to internet.

so the link I sent you work ?
Why do you think they wouldn't work? Some are from Microsoft.
"We just have them well protected in a backend network behind firewalls. Only our web servers have SSL implemented because they're exposed to internet."

Exactly what I thought; I only did this before.

One thing that can be a very strong reason why we prefer to install SSL on the web server over SQL Server could be a good reason to justify it!

Is SQL Server not good at encrypting based on SSL? But TDE all uses an SSL cert, right?
one thing, can be a very strong reason, why we prefer to install SSL on web over SQL server, can be a good reason to justify !
As I said before, I usually set the SSL when a server is exposed to internet. Usually our SQL Server machines aren't so we just need to use the SSL for web servers.

SQL server is not good on encrypting based on SSL ?  but TDE all use SSL cert. right?
SSL encrypts the network packages. TDE encrypts the data. You can have both but neither is dependent on the other. Don't forget that any lawyer of security that you implement has an impact on the performance. So if you're going for both solutions (TDE and SSL) you'll face some performance issues. TDE, SSL and FW will all delay the database requests since traffic needs to be controlled and decrypted as well as the data. So put all in a balance and check if you need that many layers of security.
"As I said before, I usually set the SSL when a server is exposed to internet. Usually our SQL Server machines aren't so we just need to use the SSL for web servers."

OK, actually I can't see why the auditor didn't see this before, but what I can say is, we already changed this risk from high to low. So at this moment this case can hold for a while until all is set.

"Don't forget that any lawyer of security that you implement has impact in the performance."

Knew that, but it should be less when compared to the whole picture, right?

"FW will all delay the database requests "

What is FW?
Ah, not lawyer ofc. I meant to say layer :)

FW = Firewall
tks.