While random blocking of ports by ISP’s could lead to a severely crippled Internet I do not believe that it is in the best interests of most users (private or business) to leave all ports open to all users. As an example of this lets take a look at the “MSBlast” worm and the damage it caused the IT community. The while no one can deny that Microsoft had a bug in the code that needed to be patched we can also see that 1) a fix was available and that 2) many servers were not patched and were left open to infection due to the ports used by SQL server being left open to the Internet.
Now lets consider what would have happened if say 70% of the Internet routers and firewalls as whole simply dropped traffic for that port. Sure the worm would have still spread and done harm but how much less damage would it have done? How many millions of dollars would have been saved?
Look at the SPAM problem many experts agree that a large amount of it is coming from “rouge” SMTP servers often running on home PC’s that the owner is unaware of. If many ISP’s blocked home users machines from making outbound connections as SMTP servers it could block much of the SPAM we see every day.
Yes there are issues, yes legitimate traffic should be allowed across the networks.
But I think we as IT professionals have to assess:
- Does this service need to be open to the public?
- What is the possible impact to the business if this service is exposed?
- Is this service secure?
- Is there a better way to accomplish the same work or task?
In the case of a SQL Server I see almost no case where the ports should be left open.
By default SQL server transmits plain text data. This means that it is trivial to hack.
Here are some options for connection:
Remote administration:
- VPN
- Remote Desktop
- VNC
- A secured web site with custom pages
Server to server data exchange:
- VPN between sites
Remote Clients such as applications:
- Web Services interface
- Web pages called “Inside” an application
- Custom binary protocol with encryption and authentication
- VPN tunnel to the server
So given that list of options, considering how many of them should take less than 20 minutes to implement (Like remote desktop or VNC) I have to ask why you would ever want to risk the valuable data and resources of that SQL server?
After all your clients and or your boss may not understand the problems but if you don’t put up a good set of security methods and practices and the network or data is compromised it may well be your job and your future credibility that are one the line. I for one would rather not be in the hot seat if I can avoid it. I would say it’s time well spent.
Denny Figuerres
©June, 2004
