
How can we secure inside SQL Server from Public Network

Kuldeep singh
Level 1

Hi Experts,

This is a network diagram, only for reference:

simple diagram.JPG

The actual problem is related to SQL Server security. I have been searching for a solution for the last 2 years but I did not find one. How can I secure it at the router or switch end? The database is a very important thing for any company, as you know, and there are many problems which happen with databases, like DB hacks, SQL injection, unknown modification, etc.

Please resolve the questions given below:

1. Is there any technique to encrypt the IP address of the SQL Server (172.25.170.50)?

2. An outside public IP must not be able to hack and search inside the SQL Server. How to configure this?

3. If there is any other method, please suggest it.

4. How to check which IP accesses which IP address in the network?

    Please provide me commands for monitoring, for example:

    a) Any inside SQL client (172.25.170.44) accessing the SQL Server (172.25.170.50).


Accepted Solutions

John Blakley
VIP Alumni

Kuldeep, 

1. Is there any technique to encrypt the IP address of the SQL Server (172.25.170.50)?

You cannot encrypt the address of the SQL Server, but instead you can encrypt the data that's flowing to it. There are techniques such as encrypting the data from your frontend to the SQL Server, but I'm not 100% certain if that's what you're asking. As a side note, I would not be able to help you do the above, but I know that it can be done in a point-to-point fashion via Windows Server if that's what you're running.

2. An outside public IP must not be able to hack and search inside the SQL Server. How to configure this?

This is going to generally be an application issue. Most SQL Server hacks have been SQL injections due to lax security, input validation, etc. You need to make sure that you have the proper input validations in place, and this wouldn't have anything to do with routers/switches in your network. You need to keep in mind that once you put a service out on the internet that has to be publicly accessible, it can become a target.

3. If there is any other method, please suggest it.

If you're in a Windows environment, the biggest things to remember are:

     1.) Patches, patches, patches

     2.) Maybe place an IDS between your firewall and SQL Server for any suspicious traffic to be dropped.

     3.) Double check your source code of the frontend application.

4. How to check which IP accesses which IP address in the network?

    Please provide me commands for monitoring, for example:

    a) Any inside SQL client (172.25.170.44) accessing the SQL Server (172.25.170.50).

    b) Any user1 (172.25.170.2) sending data through FTP to user2 (172.25.170.3).

    c) Suppose any user1 (172.25.170.2) accesses another from their own PC through "// 172.25.170.3".

You could, in theory, run NetFlow and keep track of internal hosts that are accessing the server, but they'd have to cross some boundary. If you have your hosts on the same subnet, you wouldn't be routing and it would be a direct connection between these hosts. That means it becomes an application logging issue. One thing that you could do is readdress your users/servers to not be on the same subnet (which from your address questions above it seems like they are). If you do this, your hosts would have to route to the server subnet and then you'd be able to use NetFlow and keep a database (SolarWinds Orion) of connections.

HTH,

John

*** Please rate all useful posts ***
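The subnet reasoning behind the NetFlow suggestion above, as an added example that is not part of the original post: it checks which of the connections from the question would pass a routed boundary where flow records can be exported, and which stay host-to-host on one subnet. The thread gives no subnet mask, so the /24 (current) and /28 (split) prefix lengths, the default ports and all function names are assumptions of this example.

```python
import ipaddress

# Connections the original poster asked about. Addresses are from the thread;
# the ports are protocol defaults and are an assumption of this example.
CONNECTIONS = [
    ("172.25.170.44", "172.25.170.50", 1433, "SQL client -> SQL Server"),
    ("172.25.170.2", "172.25.170.3", 21, "user1 -> user2 FTP"),
    ("172.25.170.2", "172.25.170.3", 445, "user1 -> user2 file share"),
]


def is_routed(src, dst, prefix_len):
    """True when dst lies outside src's subnet, so the packet must pass
    the gateway interface where NetFlow can record it."""
    src_net = ipaddress.ip_interface(f"{src}/{prefix_len}").network
    return ipaddress.ip_address(dst) not in src_net


def netflow_visibility(connections, prefix_len):
    """Split connections into those a router would export flows for and
    those it never sees because both hosts share one subnet."""
    seen, unseen = [], []
    for src, dst, _dport, label in connections:
        (seen if is_routed(src, dst, prefix_len) else unseen).append(label)
    return seen, unseen


def smallest_split(src, dst):
    """Shortest prefix length that puts src and dst in different subnets,
    or None if no prefix up to /30 separates them (renumbering needed)."""
    for prefix_len in range(1, 31):
        if is_routed(src, dst, prefix_len):
            return prefix_len
    return None


if __name__ == "__main__":
    for plen in (24, 28):  # assumed current mask, then a hypothetical split
        seen, unseen = netflow_visibility(CONNECTIONS, plen)
        print(f"/{plen} routed, NetFlow can record: {seen}")
        print(f"/{plen} same subnet, host/application logs only: {unseen}")
    print("client/server split needs at least /",
          smallest_split("172.25.170.44", "172.25.170.50"))
```

Pairs that remain on one subnet after the split, such as the FTP and file-share examples between 172.25.170.2 and 172.25.170.3, still need host or application logging regardless of what the router exports.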


3 Replies


Kuldeep singh
Level 1

anybody there.......................

You have been answered above already. If you are not happy with answers here, hire a professional network engineer.
