Re: Publish Sql on the internet


From: Mark Allison (marka_at_no.tinned.meat.mvps.org)
Date: 08/11/04


Date: Wed, 11 Aug 2004 10:33:13 +0100

OK,

What you need to do is NOT allow connections into your LAN. Create a DMZ
and place the SQL Server there. Do not allow the DMZ to initiate
connections into the LAN. Only allow connections from the LAN TO the DMZ.

Do not allow SQL Server to connect to anything else on your network.
Remember, if this machine is compromised, you could be in trouble. On
the firewall, only open one port to the SQL Server, and make sure this
is not 1433. Make it a high port number such as 56378 (or whatever).
Ensure SQL Server is listening on this port.

This will put you out of range of port scanners that are only looking
for common ports such as 139, 1433, etc.; however, it will not protect you
from someone scanning every port on your machine, but then there are
intrusion detection tools available to protect you from this.

Another way to do this is to use a VPN tunnel from the client on the
internet, through a VPN server in a DMZ on your corporate network, and
then you can use the entire LAN. This might be easier to set up and
configure, then again it might not.

Whatever you do, do not allow direct connections from the public
internet, unencrypted into your LAN.

--
Mark Allison, SQL Server MVP
http://www.markallison.co.uk
Looking for a SQL Server replication book?
http://www.nwsu.com/0974973602.html
Tomer wrote:
> Hi,
> 
> First thing, thanks a lot for the info! I know that this is a problematic
> issue in security, but I need to connect a pocket pc device with a gprs
> modem directly to the sql server, and I'd rather not use a web service
> application.
> 

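The zone policy Mark lays out (SQL Server in a DMZ, LAN may initiate into the DMZ, DMZ never initiates into the LAN, a single non-default port opened from the internet) modelled as a small first-match rule table, so each intended flow can be checked before it is typed into a real firewall. This is an added example, not code from the thread; the zone names, the rule format, the 56378 port and the check_sql_port helper are assumptions chosen to mirror the post.

```python
"""Toy model of a three-zone stateful firewall policy: only the SYN direction
is decided here, return traffic for an allowed connection is assumed to be
handled by connection tracking.  Added example, not from the original post."""

from dataclasses import dataclass
from typing import List, Optional

# Constructed: the one public port forwarded to SQL Server (deliberately not 1433).
SQL_PUBLIC_PORT = 56378

# Ports that cheap, broad scans commonly probe (the post names 139 and 1433).
COMMON_PORTS = {139, 1433}


@dataclass(frozen=True)
class Rule:
    src: str               # zone that initiates the TCP connection
    dst: str               # zone receiving the SYN
    dport: Optional[int]   # destination port, or None for "any"
    action: str            # "allow" or "deny"


# First-match policy, in the order the post describes the requirements.
POLICY: List[Rule] = [
    Rule("internet", "dmz", SQL_PUBLIC_PORT, "allow"),  # the single opened port
    Rule("internet", "lan", None, "deny"),               # never direct into the LAN
    Rule("internet", "dmz", None, "deny"),               # everything else to the DMZ
    Rule("dmz", "lan", None, "deny"),                    # DMZ never initiates into LAN
    Rule("dmz", "internet", None, "deny"),               # DMZ host talks to nothing else
    Rule("lan", "dmz", None, "allow"),                   # LAN may initiate into the DMZ
]


def decide(src: str, dst: str, dport: int) -> str:
    """Return the action for a new connection from src zone to dst zone.
    Anything not matched by an explicit rule is denied."""
    for rule in POLICY:
        if rule.src == src and rule.dst == dst and rule.dport in (None, dport):
            return rule.action
    return "deny"


def check_sql_port(port: int) -> List[str]:
    """Return the problems with a candidate public port (empty list means OK).
    A non-default port only hides SQL Server from scans of common ports; as the
    post says, a scan of every port still finds it, so this is not the control."""
    problems = []
    if port == 1433:
        problems.append("1433 is the default SQL Server port")
    if port in COMMON_PORTS:
        problems.append("port is on common-port scan lists")
    if not 1024 < port < 65536:
        problems.append("choose a high, unprivileged port")
    return problems


def audit() -> List[str]:
    """Evaluate the flows the post cares about and report the decisions."""
    flows = [
        ("internet", "dmz", SQL_PUBLIC_PORT),   # client on the internet -> SQL
        ("internet", "dmz", 1433),              # default port must stay closed
        ("internet", "lan", SQL_PUBLIC_PORT),   # direct into LAN, never
        ("dmz", "lan", 445),                    # compromised SQL host -> LAN
        ("lan", "dmz", SQL_PUBLIC_PORT),        # admins reach SQL from the LAN
    ]
    return [f"{s} -> {d}:{p} = {decide(s, d, p)}" for s, d, p in flows]


if __name__ == "__main__":
    print("\n".join(audit()))
    print("port problems:", check_sql_port(SQL_PUBLIC_PORT) or "none")
```

Because the table is first-match with a default deny, adding a new zone or service means adding an explicit allow; nothing becomes reachable by accident, which is the property the post is really asking the firewall to enforce.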