topic Talking to SQL server from DMZ in Network Security

Talking to SQL server from DMZ

boschrexroth — Mon, 11 Mar 2019 09:37:40 GMT

I was able to get a web server that we have on our DMZ to communicate with my SQL server but I wanted to know if anyone knew why I needed to use gt 1024 in my access statement.

I orginialy tried to use

access-list DMZ extended permit tcp host 192.168.1.100 eq 1433 host 10.10.10.23 eq 1433

but had to change it to

access-list fromDMZ extended permit tcp host 192.168.1.100 gt 1024 host 10.10.10.23 eq 1433

in order for it to work.

Just trying to figure out why?

Any info would be helpful.

Thanks.

Re: Talking to SQL server from DMZ

sundar.palaniappan — Fri, 23 Feb 2007 21:01:08 GMT

Hi,

Here's an excerpt from the link below that should answer your query concerning the ports used by SQL client/server...

When the client establishes a TCP/IP connection, a three-way handshake is done. The client opens a source port and sends traffic to a destination port, which by default is 1433. The client source port in use is random, but is greater than 1024. By default, when an application requests a socket from the system for an outbound call, a port between the values of 1024 and 5000 is supplied.

http://support.microsoft.com/kb/287932

As you can see, the client always uses a source port in the range of 1024 to 5000 if you want to be more granular in the traffic allowed from host 192.168.1.100 you can configure the access-list as follows;

access-list fromDMZ extended permit tcp host 192.168.1.100 range 1024 5000 host 10.10.10.23 eq 1433

HTH

Sundar

Re: Talking to SQL server from DMZ

vitripat — Fri, 23 Feb 2007 21:04:07 GMT

Here is the reason-

"host 192.168.1.100 eq 1433" This portion in your first access-list defines the source IP, and source port from where connection will initiate. Now .. as the way TCP works, if a host initiates a connection, it the source port used to initiate the connection is always greated than 1024, because all ports lower than that are ports registered for specific services. This is the reason your connection never worked.

In the next ACL, following portion defines the source IP and source port-

"host 192.168.1.100 gt 1024", this is exactly as per the norms, hence the connection works !!

Ideally, your ACL should be like this-

access-list fromDMZ extended permit tcp host 192.168.1.100 host 10.10.10.23 eq 1433

You dont need to worry about the source port. All we need to take care about is the destination port.

I hope this explains.

Regards,

Vibhor.

Re: Talking to SQL server from DMZ

gary.sherry — Sat, 21 Jul 2007 08:39:08 GMT

the reason is needs the ports above 1024 is that SQL used dynamically allocated ports above 1024 for communication between a SQL Server and client. I belive you can change this to use predetermined prots and there are some KB articiles on the MS site that detail this.

Re: Talking to SQL server from DMZ

Jon Marshall — Sat, 21 Jul 2007 11:27:47 GMT

When a client which in your case is the web server talks to a server, the SQL server, the destination port is the service port on the server ie 1433 in this case which is SQL. However the client port is very rarely the same port number as this is not the way tcp/udp works.

The client generates a dynamic port number above 1024 to use for the communication. This is pretty much how all client/server communication takes place. So another example

client 192.168.5.2

server 172.16.10.1

server is running telnet service ie TCP/port 23.

On your client you typew "telnet 172.16.10.1". Your client genrates a random port number eg 5541 and sends a TCP SYN packet to the server, so

source 192.168.5.2 port 5541

destination 172.16.10.1 port 23

When servre responds it sends packet back

source 172.16.10.1 port 23

destintion 192.168.5.2 port 5541

etc...

HTH

Jon