
Security for SQL2000/Web Server connection

Status
Not open for further replies.

jrcanfer

MIS
Aug 11, 2002
34
GB
I'm planning the deployment of a PIX 515 and I've got a concern with the way we have a web server talking to a SQL2000 backend.

Basically the web server will sit in the DMZ and will access a SQL2000 server sat inside the LAN. Now is it going to be secure enough? Assuming this webserver is the only machine with access over ports 1433 and 1434 to the SQL box from the DMZ, it will be fairly secure, but I'm still a little jumpy.

On another note, will the PIX provide enough security for the web server in the DMZ, or would it be advisable to run a local firewall?

Thanks!

James
 
Hi.

This is a common scenario; many organizations work in a similar way, but there are several security risks with such a design that should be examined.
Some risks are:
An attacker can access your SQL database via the web server - how strong is your authentication? How sensitive is the data on the SQL server?
If an attacker can run code on the web server, it can attack the SQL server from there on.
A misconfiguration at the PIX can cause unintended access from the DMZ to the inside network - the PIX configuration is not straightforward and should be carefully planned.

> On another note, will the PIX provide enough security
The PIX does not provide all the needed protection.
The web server should be hardened using the MS white papers, installing URLScan and IISLockdown on it, all the service packs and newer updates, etc.
For a Linux web server or other - same idea.

The SQL server should also be protected with the latest SP, a strong SA password, etc.

If you have very sensitive data on the SQL server, or for another reason you want a more secure design, you can consider installing another SQL server in the DMZ (it can be on the same machine as the web server if you do not expect a heavy load), implementing some kind of script or manual update from the internal to the external SQL server for the public data only, and then not allowing any traffic from the DMZ to the inside.

Bye


Yizhar Hurwitz
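
Added example, not part of the original posts: a small audit of PIX-style `access-list` lines that flags any permit from the DMZ to the inside network other than the web server reaching the SQL server on TCP 1433 or UDP 1434, which is the misconfiguration risk raised above. The ACL name `acl_dmz`, all addresses and the sample rules are constructed for illustration, and source-port operators are not handled.

```python
import ipaddress

# Constructed values: addresses, ACL name and rules are assumptions, not from the thread.
WEB = ipaddress.ip_network("192.168.2.10/32")   # web server in the DMZ
SQL = ipaddress.ip_network("10.0.0.20/32")      # SQL2000 server on the LAN
INSIDE = ipaddress.ip_network("10.0.0.0/24")    # inside network
ALLOWED = {("tcp", 1433), ("udp", 1434)}        # SQL listener and SQL resolution service

SAMPLE_ACL = """\
access-list acl_dmz permit tcp host 192.168.2.10 host 10.0.0.20 eq 1433
access-list acl_dmz permit udp host 192.168.2.10 host 10.0.0.20 eq 1434
access-list acl_dmz permit tcp 192.168.2.0 255.255.255.0 host 10.0.0.20 eq 1433
access-list acl_dmz permit tcp host 192.168.2.10 10.0.0.0 255.255.255.0 eq 445
access-list acl_dmz permit ip any any
access-list acl_dmz deny ip any any
"""

def take_addr(tok):
    """Consume one address spec (any | host A | A MASK) from the token list."""
    first = tok.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tok.pop(0) + "/32")
    return ipaddress.ip_network(f"{first}/{tok.pop(0)}")

def audit(acl_text, acl_name="acl_dmz"):
    """Return permit lines that open DMZ-to-inside access beyond web -> SQL."""
    findings = []
    for line in acl_text.splitlines():
        tok = line.split()
        if tok[:3] != ["access-list", acl_name, "permit"]:
            continue                      # other ACLs, deny lines, blanks
        proto, rest = tok[3], tok[4:]
        src, dst = take_addr(rest), take_addr(rest)
        # Only "eq N" names a single port; no port, range, gt or lt counts as broad.
        single = len(rest) == 2 and rest[0] == "eq" and rest[1].isdigit()
        port = int(rest[1]) if single else None
        if not dst.overlaps(INSIDE):
            continue                      # rule does not reach the inside network
        if src == WEB and dst == SQL and (proto, port) in ALLOWED:
            continue                      # the one flow the design intends
        findings.append(line)
    return findings

if __name__ == "__main__":
    for bad in audit(SAMPLE_ACL):
        print("unexpected DMZ->inside permit:", bad)
```

On the constructed sample it reports the subnet-wide source, the port 445 rule and `permit ip any any`, and stays silent on the two intended rules.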
 