• Ninja's_RGR'us (8/22/2010)


    If a nut job like me were to send you a request to expose your precious sql server... and Main ERP DB to the internet, what would be your preferred setup to ensure maximum security and super fast connection (assuming you can't kill me and make this go away) :-D?

    Security in a number of ways: first I'd insist that you use a particular username with capabilities that I can see are the minimum for what you are trying to do (I think that's read only access to a view which contains only the columns you need). Second I would put a firewall between me and the internet that allowed your machine (identified by a set of IP addresses) to connect only to a specific IP address behind the firewall, and only on the appropriate port (whatever port my DB provides for remote access), using a key-protected VPN. Third I would insist that you undertake not to disclose the username, the password, or the VPN key (all specified by me) to any third party (like another one of your customers).

    For performance, I'd want plenty of bandwidth between firewalls and servers and plenty of bandwidth from firewall to internet, and good high performance firewalls.

    The trouble is that I'm not sure how scalable this is. I've done it with a few dozen remote machines, not more. You talk about 3500 customers who should (if they care about security) be people like me, so you would end up not only configuring 3500 sets of access data in the firewall at your end (for a PIX, if it could handle that much, that would be something around 21000 or 28000 - can't remember the number needed - lines of config data) but also 3500 remote security mappings in your server each mapping your local user to a different username and password and I'm not sure what the performance of SQLServer would be in handling all that security (trusted connection) data (or how you would do it all in about 4 weeks, if you don't change the deadline); I don't know what sort of firewall can cope with that many VPNs in its configuration, but of course the load can be shared between multiple firewalls by doing some subnetting of the external addresses, so in principle there's no problem there, but (since all the VPN target addresses and keys are different) there may be a problem entering all that data in your timescale. One nasty little issue that may or may not crop up is address clashes - will there be address space clashes between your network and some of the customer networks (this is quite probable if all are using local address space behind firewalls and the machines involved don't have global addresses); if so you need to give your server one or more extra IP addresses and use the subnetting (maybe with multiple firewalls) at your end to eliminate the address clashes.

    And of course, sitting where you are, I'd make sure that the central firewall configuration didn't allow inward connections from the remote sites (unless you need that too for something else).

    Tom
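As an added example, not part of Tom's reply or anything else in this thread, this is what his first measure (a dedicated login whose only right is SELECT on one narrow view) looks like in T-SQL; the database, table, view and login names are placeholders chosen for the example.

```sql
-- Added example: least-privilege SQL Server access for one remote customer.
-- ErpDB, dbo.Orders, dbo.vw_CustomerOrderStatus and cust0001_ro are
-- placeholder names; the password must come from your own secret store.
USE ErpDB;
GO

-- 1. A view exposing only the columns the remote party needs, nothing else.
CREATE VIEW dbo.vw_CustomerOrderStatus
AS
SELECT OrderId, OrderDate, Status
FROM dbo.Orders;
GO

-- 2. One login per customer (one of the per-customer mappings Tom mentions),
--    with password policy and expiration enforced by the server.
CREATE LOGIN cust0001_ro
    WITH PASSWORD = '<placeholder-strong-password>',
         CHECK_POLICY = ON,
         CHECK_EXPIRATION = ON,
         DEFAULT_DATABASE = ErpDB;
GO

-- 3. Map the login to a database user that starts with CONNECT only;
--    deliberately no db_datareader or other role membership.
CREATE USER cust0001_ro FOR LOGIN cust0001_ro;
GO

-- 4. Grant SELECT on the view alone. The view and dbo.Orders share an owner,
--    so ownership chaining lets the view read the table without the user
--    holding any permission on the table itself.
GRANT SELECT ON OBJECT::dbo.vw_CustomerOrderStatus TO cust0001_ro;
GO

-- 5. Check the effective rights as that user before handing the account out:
--    the first query should list SELECT, the second should return no rows.
EXECUTE AS USER = 'cust0001_ro';
SELECT entity_name, permission_name
FROM fn_my_permissions('dbo.vw_CustomerOrderStatus', 'OBJECT');
SELECT entity_name, permission_name
FROM fn_my_permissions('dbo.Orders', 'OBJECT');
REVERT;
GO
```

The network side of Tom's setup (source-IP and port restriction plus the VPN) lives in the firewall, not in SQL Server; this script only covers the database account.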