December 21, 2011 at 3:52 am
Is anyone doing this? I am attempting to restrict access per instance (multiple instances per SQL Server) so that only a specific source IP or hostname can access their assigned instance. Environment is Windows 2008 R2 64bit with SQL Server 2008 R2 64bit - all virtual. Restricting at the physical layer via firewalling and routing is not an option so I have to find another way - probably something that looks at the hostname of the inbound connection request and filters based on that (and either accepts or rejects). I don't know of any way to do this at the SQL level so I'm hoping there is someone out there smarter than me who's already doing this and knows of a way to make it happen. Any assistance is appreciated. Thanks!
December 21, 2011 at 6:58 am
No I saw that and it looks like it really handles more login triggers and blacklisting. I'm trying to do the opposite and allow specific IP address(es) and block everything else (whitelisting) without having to be specific with blacklisting everything and without having to have a separate database to do it. Plus I'm not a DBA by practice (accidental by force) and do not have one available to assist me with using that kind of complex TSQL piece. I'll be very surprised if there isn't a better way to do this.
December 21, 2011 at 7:06 am
Yeah I wish I could but the firewalling in vCloud isn't robust enough to do it. Plus I have NAT'ing in between so the traffic passes from one vLAN to the primary network then on to the SQL vLAN - so by IP is probably going to be difficult and it will most likely need to be filtered by source hostname. Yes I know I'm making it difficult on myself but it is out of necessity for security so it is by design that the platform is built that way. I may just have to leave it as-is and wait to see if there are any new security features in 2012.
December 21, 2011 at 7:08 am
Chris Metzger (12/21/2011)
No I saw that and it looks like it really handles more login triggers and blacklisting. I'm trying to do the opposite and allow specific IP address(es) and block everything else (whitelisting) without having to be specific with blacklisting everything and without having to have a separate database to do it. Plus I'm not a DBA by practice (accidental by force) and do not have one available to assist me with using that kind of complex TSQL piece. I'll be very surprised if there isn't a better way to do this.
Head an shoulders above making a SQL Server firewall. Put a piece of hardware in that's designed to do the job as this takes the emphasis off of SQL .
December 21, 2011 at 7:27 am
MysteryJimbo (12/21/2011)
Chris Metzger (12/21/2011)
No I saw that and it looks like it really handles more login triggers and blacklisting. I'm trying to do the opposite and allow specific IP address(es) and block everything else (whitelisting) without having to be specific with blacklisting everything and without having to have a separate database to do it. Plus I'm not a DBA by practice (accidental by force) and do not have one available to assist me with using that kind of complex TSQL piece. I'll be very surprised if there isn't a better way to do this.Head an shoulders above making a SQL Server firewall. Put a piece of hardware in that's designed to do the job as this takes the emphasis off of SQL .
I would agree however hardware is not an option - the platform is entirely virtual (VMware vCloud). And the firewalling, routing, and NAT'ing in the vCloud Director UI leaves a LOT to be desired.
December 21, 2011 at 3:35 pm
Chris Metzger (12/21/2011)
Is anyone doing this? I am attempting to restrict access per instance (multiple instances per SQL Server) so that only a specific source IP or hostname can access their assigned instance. Environment is Windows 2008 R2 64bit with SQL Server 2008 R2 64bit - all virtual. Restricting at the physical layer via firewalling and routing is not an option so I have to find another way - probably something that looks at the hostname of the inbound connection request and filters based on that (and either accepts or rejects). I don't know of any way to do this at the SQL level so I'm hoping there is someone out there smarter than me who's already doing this and knows of a way to make it happen. Any assistance is appreciated. Thanks!
It sounds very much like your requirements could be met by using IPSec.
-----------------------------------------------------------------------------------------------------------
"Ya can't make an omelette without breaking just a few eggs" 😉
December 22, 2011 at 1:22 am
Viewing 9 posts - 1 through 8 (of 8 total)
You must be logged in to reply to this topic. Login to reply