DMZ’s, Databases and Disasters (or preventing them)

I am giving some big kudos to Stephen Moore, Shane Castle and Nathaniel Hall, who helped me sort through some issues I was having with web servers pulling dynamic data off of SQL servers. I decided to base a short article around it. Let’s set the scenario: an outside system hits the DMZ-based web server, which in turn pulls information from an internal SQL box.

My initial thought was: how can I secure this better than a one-to-one ACL that only allows traffic across the SQL port? My goal was to find an alternative solution that provided better granularity.

Now, this one-to-one ACL is the solution predominantly supported by the majority of IT personnel out there. Technically it is sound: it limits the exposure while not breaking the bank.
Option 1
Another option that was discussed was placing a secondary SQL box into a separate DMZ context and having the web server pull information directly from that box.
Option 2
This appears to me to add limited security value while increasing both the cost and the complexity of the solution. You will still need holes through your firewall; if your web server is compromised, the only thing gained is the additional step that the attacker now needs to compromise the first SQL box before attacking the primary SQL box.

I think ultimately the best solution is ensuring both your SQL box and your web server are hardened. Deploy some form of application firewall to try to stop SQL injection, and change the default port from the standard 1433 to something different.

Additionally, it would be beneficial to look at utilizing local authorization for authentication over SQL authentication. Finally, using some form of encryption for this data could be extremely beneficial; a great free program to look at for this is Stunnel.
Option 3
Stunnel can be found at http://www.stunnel.org/. Stunnel is a program that allows you to encrypt arbitrary TCP connections inside SSL (Secure Sockets Layer), and it is available on both Unix and Windows. Stunnel can secure non-SSL-aware daemons and protocols (like POP, IMAP, LDAP, etc.) by providing the encryption itself, requiring no changes to the daemon’s code.
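As an added example (not from the original post or the Stunnel project), this is what an stunnel 5.x configuration for Option 3 could look like, one instance on each side of the firewall. The host names, addresses, certificate paths and the 8433 listening port are assumptions; the SQL port 1433 is the one discussed above.

```ini
; ---- stunnel.conf on the internal SQL box (server side) ----
; Assumed: SQL Server is bound only to 127.0.0.1:1433, so the only port
; the firewall needs to allow from the DMZ web server is TLS on 8433.
cert   = /etc/stunnel/sqlbox.pem
key    = /etc/stunnel/sqlbox.key
CAfile = /etc/stunnel/internal-ca.pem
; Require a client certificate chaining to the internal CA, so only the
; web server's stunnel instance, not any host in the DMZ, can connect.
verifyChain = yes

[mssql-tls]
accept  = 8433
connect = 127.0.0.1:1433

; ---- stunnel.conf on the DMZ web server (client side) ----
; The web application keeps connecting to 127.0.0.1:1433 as if SQL were
; local; stunnel wraps that connection in TLS towards the SQL box.
client = yes
cert   = /etc/stunnel/webserver.pem
key    = /etc/stunnel/webserver.key
CAfile = /etc/stunnel/internal-ca.pem
; Verify the SQL box's certificate chain and that its name matches,
; so a spoofed internal host cannot receive the web server's queries.
verifyChain = yes
checkHost   = sqlbox.internal.example   ; assumed certificate CN/SAN

[mssql-tls]
accept  = 127.0.0.1:1433
connect = 10.0.0.10:8433                ; assumed address of the SQL box
```

With this in place the firewall rule between the two hosts shrinks to a single TLS port from one source address, and the SQL credentials and result sets no longer cross the DMZ boundary in clear text.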
