SQL Server Security Outside the Firewall (a discussion in the SQL Server forums, part of the Microsoft SQL Server category)
Hello,

We use Informix and MySQL on linux/unix to drive our web application. SQL*Server is used only for backend enterprise applications within the firewall. I am trying to get the management to use SQL*Server outside the firewall. They tell me there are security issues with Microsoft products, including SQL*Server, that make it vulnerable to attacks outside the firewall. Can someone please point me to white papers/documentation that suggests how SQL*Server can be used securely outside the firewall? I think if I put SQL*Server on its own box and open it up only to the applications on our web servers, we should be secure. However, I need hard evidence.

Thanks.
- Rajesh
Rajesh Kapur (rkapur@mpr.org) writes:
> We use Informix and MySQL on linux/unix to drive our web application.
> SQL*Server is used only for backend enterprise applications within the
> firewall. I am trying to get the management to use SQL*Server outside the
> firewall. They tell me there are security issues with Microsoft products,
> including SQL*Server, that make it vulnerable to attacks outside the
> firewall. Can someone please point me to white papers/documentation that
> suggests how SQL*Server can be used securely outside the firewall? I think
> if I put SQL*Server on its own box and open it up only to the
> applications on our web servers, we should be secure. However, I need
> hard evidence.

SQL*Server? This is no stinkin' Oracle product! :-)

Security issues are not my specialty, but my initial reaction is the same as your management's: don't do it. Not because Microsoft are more insecure than anything else (save that MS platforms are more popular to target, as they are very common), but I think it is a bad idea to put anything outside a firewall that does not have to be there.

Of course, you can equip the SQL Server machine with a software firewall such as ZoneAlarm or Kerio so that you can control which machines can access SQL Server. But all software can have bugs or be misconfigured, and this might be exploited. I recall that I was running SQL Server on my home machine with a blank password, but thought I was safe, since I was running ZoneAlarm. Boy, I was wrong: ZoneAlarm let connections through on that port, and one day I had an intruder in my SQL Server that tried to invoke tftp. (Which ZoneAlarm alerted me on.)

--
Erland Sommarskog, SQL Server MVP, sommar@algonet.se
Books Online for SQL Server SP3 at http://www.microsoft.com/sql/techinf...2000/books.asp
"Rajesh Kapur" <rkapur@mpr.org> wrote in message news:401835ef$0$41283$a1866201@newsreader.visi.com ...
> Hello,
>
> We use Informix and MySQL on linux/unix to drive our web application.
> SQL*Server is used only for backend enterprise applications within the
> firewall. I am trying to get the management to use SQL*Server outside the
> firewall. They tell me there are security issues with Microsoft products,

Correction, there are security issues with ALL products. If they are treating MS as somehow special (or rather Informix and MySQL as immune from security issues) they are not doing their jobs.

> including SQL*Server, that make it vulnerable to attacks outside the
> firewall. Can someone please point me to white papers/documentation that
> suggests how SQL*Server can be used securely outside the firewall?

Why would you have it or any product outside a firewall? Seriously. Properly you should have it in some sort of DMZ.

> I think
> if I put SQL*Server on its own box and open it up only to the applications
> on our web servers, we should be secure. However, I need hard evidence.

With SP3a a lot of the old security flaws are fixed, but basically if you can reach the box from the outside world and have no firewall, then you're just begging for problems. And not just in SQL, but in the OS. Put up SOMETHING with some sort of access control, even if it's a router with an ACL list that blocks ALL traffic to the SQL box and only permits port 80 traffic to your web servers.

> Thanks.
> - Rajesh
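The access control both replies recommend, written as a host firewall policy on the SQL Server box itself: default-deny inbound, with TCP 1433 admitted only from the web servers. This is an added example, not code from the thread; the web server addresses, rule name and port are assumptions.

```powershell
# Added example (not from the thread): host firewall on the SQL Server box that
# admits TCP 1433 only from the web servers and drops every other inbound packet.
# Addresses, the rule name and the instance port are constructed placeholders.
$WebServers = @('10.0.1.10', '10.0.1.11')   # constructed: the only permitted clients
$SqlPort    = 1433                          # default instance; adjust for a named instance
$RuleName   = 'SQL Server (TDS) - web tier only'

# 1. Default-deny inbound on every profile, so anything not listed below is dropped.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Allow

# 2. Remove any earlier copy of this rule so re-running the script does not
#    leave duplicates with different remote-address scopes.
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# 3. Allow TDS only from the web servers. No rule is created for UDP 1434
#    (SQL Browser) or for any management port; those stay blocked by step 1.
New-NetFirewallRule -DisplayName $RuleName `
    -Direction Inbound -Protocol TCP -LocalPort $SqlPort `
    -RemoteAddress $WebServers -Action Allow -Profile Any | Out-Null

# 4. Verify: list every enabled inbound allow rule that touches the SQL port
#    together with the remote addresses it accepts. A RemoteAddress of 'Any'
#    here is the broad exposure the thread warns about.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -eq "$SqlPort" } |
    ForEach-Object {
        [pscustomobject]@{
            Rule          = $_.DisplayName
            RemoteAddress = (($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ',')
        }
    } | Format-Table -AutoSize
```

Run it elevated on the SQL Server host; the port 80 rule for the web servers belongs on those hosts or on the router in front of them, not here.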