SQL Server Protection

  • I have a SQL 2005 server in a hosted environment. It runs various internal applications (written in-house) that are only accessed by users via the Citrix infrastructure. Because of this I believe the server is secure from outside hackers.

    However it has been suggested that to cut costs we also allow some of our web applications (with SQL backends) onto the same server. Before I do this I want to ensure that we can do this securely.

    If a web application is hacked and a link to the SQL server is discovered, is it reasonable to assume they would be able to see anything on the SQL server?

    Is it a reasonable request to the business that any web application would need appropriate PEN testing before release onto my SQL server?

    Any thoughts?

  • Hi Simon,

    How is your network configured? Where is the web server and where is the SQL Server? Are they on the same subnet? Ideal recommendation ...

    - Have a firewall between your DMZ network and the internet, with ports 80/443 (SSL) open.

    - Have your web server in the DMZ zone.

    - Have a firewall between your DMZ and your internal network, with port 1433 open.

    - Have your SQL Server in your internal network.

    Your web application should be put through testing for possible SQL Injection attacks so as not to compromise the database in question. Another thing to do for public web-sites is, when the site returns an error, make sure it doesn't return too much information back to the web server. For example I had a case where the website returned the table name, column name and database name whenever an error happened. The hacker was then able to use that information to form a SQL Injection attack.

    With the above configuration, even if they know you have SQL Server, they will not be able to do any direct attacks against SQL Server, only indirect ones via your website. So your website should be locked down to use minimal security account permissions (aka don't use sysadmin), and use tools that can test your website for weaknesses.

    Thanks.

    Mohit.

    Mohit K. Gupta, MCITP: Database Administrator (2005), Twitter: @SQLCAN
    Microsoft FTE - SQL Server PFE
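The two points above, injection through string-built SQL and error messages that hand back table, column and database names, as an added T-SQL example that is not code from this thread. It is SQL Server 2005 syntax; the tables dbo.Customers and dbo.AppErrorLog and the procedure names are illustrative assumptions.

```sql
-- Added example (not from the thread): the same lookup written the way that is
-- open to injection and the way that is not, plus an error handler that keeps
-- schema details on the server. Assumed, illustrative schema follows.
CREATE TABLE dbo.Customers (
    CustomerId int IDENTITY(1,1) PRIMARY KEY,
    Name       nvarchar(100) NOT NULL,
    Email      nvarchar(200) NOT NULL
);
CREATE TABLE dbo.AppErrorLog (
    ErrorRef     uniqueidentifier NOT NULL PRIMARY KEY,
    ProcName     sysname NULL,
    ErrorNumber  int NOT NULL,
    ErrorMessage nvarchar(4000) NOT NULL,
    LoggedAt     datetime NOT NULL
);
GO

-- UNSAFE: the caller's input is spliced into the statement text.
CREATE PROCEDURE dbo.FindCustomer_Unsafe
    @Name nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(max);
    SET @sql = N'SELECT CustomerId, Name FROM dbo.Customers WHERE Name = N'''
             + @Name + N'''';
    EXEC (@sql);
END;
GO
-- Called with @Name = N'x'' UNION SELECT 1, name FROM sys.databases --'
-- the text that actually runs is
--   SELECT CustomerId, Name FROM dbo.Customers WHERE Name = N'x'
--   UNION SELECT 1, name FROM sys.databases --'
-- so the web page lists every database the login can see. sys.tables and
-- sys.columns give up the rest of the schema the same way.

-- SAFE: the value is a parameter and the statement text never changes.
CREATE PROCEDURE dbo.FindCustomer
    @Name nvarchar(100)
AS
BEGIN
    SET NOCOUNT ON;
    BEGIN TRY
        SELECT CustomerId, Name
        FROM dbo.Customers
        WHERE Name = @Name;
    END TRY
    BEGIN CATCH
        -- Keep number, message and procedure name on the server ...
        DECLARE @ref uniqueidentifier, @refText nvarchar(36);
        SET @ref = NEWID();
        SET @refText = CONVERT(nvarchar(36), @ref);
        INSERT INTO dbo.AppErrorLog (ErrorRef, ProcName, ErrorNumber, ErrorMessage, LoggedAt)
        VALUES (@ref, OBJECT_NAME(@@PROCID), ERROR_NUMBER(), ERROR_MESSAGE(), GETDATE());
        -- ... and give the web tier only a reference to look it up with.
        RAISERROR (N'The request could not be completed. Reference %s.', 16, 1, @refText);
    END CATCH
END;
GO

-- When the statement really has to be built at run time (here the sort
-- column varies), the value still travels as a parameter via sp_executesql
-- and the part that cannot be parameterised is whitelisted, not escaped.
CREATE PROCEDURE dbo.FindCustomer_Sorted
    @Name   nvarchar(100),
    @SortBy sysname
AS
BEGIN
    IF @SortBy NOT IN (N'Name', N'Email')
        RAISERROR (N'Invalid sort column.', 16, 1);
    ELSE
    BEGIN
        DECLARE @sql nvarchar(max);
        SET @sql = N'SELECT CustomerId, Name, Email FROM dbo.Customers '
                 + N'WHERE Name = @p_name ORDER BY ' + QUOTENAME(@SortBy);
        EXEC sp_executesql @sql, N'@p_name nvarchar(100)', @p_name = @Name;
    END
END;
GO
```

The database-side handler only helps if the web tier does the same: a generic error page for users, with the reference id being the only thing that crosses from server log to browser.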

  • That's pretty much the configuration I was aiming at, but with a different port open for SQL.

    I was called to justify the reason behind ensuring the application was secure. The sooner management realise that security is not automatic, but something that you have to ensure, the easier my life will be!

  • Simon Smith (4/9/2009)

    I have a SQL 2005 server in a hosted environment. It runs various internal applications (written in-house) that are only accessed by users via the Citrix infrastructure. Because of this I believe the server is secure from outside hackers.

    However it has been suggested that to cut costs we also allow some of our web applications (with SQL backends) onto the same server. Before I do this I want to ensure that we can do this securely.

    If a web application is hacked and a link to the SQL server is discovered, is it reasonable to assume they would be able to see anything on the SQL server?

    Is it a reasonable request to the business that any web application would need appropriate PEN testing before release onto my SQL server?

    Any thoughts?

    In general, we keep them separate. We have SQL Servers which service externally facing web applications and internal apps (like Citrix) aren't allowed to run on them.

    With proper firewall rules, etc., you can ensure that the attacker will have to tunnel through the web server. However, you cannot guarantee, even with proper pen testing, that the application (and the web server platform) is 100% secure. Zero days happen. The risk is minimal, but there is some.

    Also, if SQL Server is not kept up to date patch-wise, you could be in trouble, even if proper permissions are in place. Case in point:

    Security Researcher to Unveil Database Server Hack at Black Hat Europe

    K. Brian Kelley
    @kbriankelley

  • If the connection is discovered, the hacker will see what the connection can see. The apps should have user accounts with minimal rights, and not sysadmin or dbo access if it is not needed.
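What "the hacker will see what the connection can see" looks like in practice, and how to make that as little as possible, as an added T-SQL example that is not from this thread. It provisions the web application's login with execute-only rights and then impersonates it to check the view an attacker would get. SQL Server 2005 syntax; the names WebAppDb, webapp_login, webapp_user, webapp_role and the password placeholder are illustrative assumptions, and it is meant to be run once by a sysadmin at deployment time.

```sql
-- Added example (not from the thread): a login for the web tier that can run
-- the application's procedures and nothing else. Names and password are
-- placeholders; assumes the database WebAppDb already exists.
USE master;
GO
CREATE LOGIN webapp_login
    WITH PASSWORD = N'<generated, long, stored only in the app config>',
         CHECK_POLICY = ON,
         DEFAULT_DATABASE = WebAppDb;
-- Never: EXEC sp_addsrvrolemember 'webapp_login', 'sysadmin';
-- Stop the login from listing the other databases on the instance.
DENY VIEW ANY DATABASE TO webapp_login;
GO

USE WebAppDb;
GO
CREATE USER webapp_user FOR LOGIN webapp_login;   -- a plain user, not dbo
CREATE ROLE webapp_role AUTHORIZATION dbo;
EXEC sp_addrolemember 'webapp_role', 'webapp_user';

-- The application reaches data only through its stored procedures ...
GRANT EXECUTE ON SCHEMA::dbo TO webapp_role;
-- ... and has no direct table access. Because dbo owns both the procedures
-- and the tables, ownership chaining lets the procedures keep working, while
-- an injected ad hoc SELECT (or a UNION bolted onto dynamic SQL, which breaks
-- the chain) is refused.
DENY SELECT, INSERT, UPDATE, DELETE ON SCHEMA::dbo TO webapp_role;
GO

-- Check what the connection would see if the web server were compromised.
EXECUTE AS LOGIN = 'webapp_login';
SELECT IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin,   -- want 0
       IS_MEMBER('db_owner')        AS is_db_owner;   -- want 0
-- With VIEW ANY DATABASE denied the login lists only master, tempdb and any
-- database it owns, yet it can still connect to the one it has a user in.
SELECT name FROM sys.databases;
SELECT HAS_DBACCESS('WebAppDb') AS can_use_webappdb;  -- 1
-- Everything it is allowed to do inside this database: EXECUTE and the
-- defaults of public, nothing on the tables.
SELECT permission_name, class_desc
FROM sys.fn_my_permissions(NULL, 'DATABASE');
REVERT;
GO
```

The impersonation block at the end is the check worth repeating after every release: if a deployment script quietly added the login to db_owner or sysadmin "to make it work", it shows up there before an attacker finds it.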
