Port 1433 is open to internet, how can I secure db?

John Bell wrote:

Hi You should look at changing the port you are using and run the Baseline Security Advisor. You should also look at using an intermediary broker instead of direct connections or re-architecting the solution. John "pigeon" <UseLinkToEmail DeleteThis @dbForumz.com> wrote in message news:4_814647_4ec32f3a49b9f726524b1eb5dcabe63b@dbforumz.com... > Hello, in our application, we have to have our DB accessable over the > internet :/ and no VPN for each of the thousands of users isn't > possible... > > My question are: > > -How can I secure this? > -What would be a good IDS system that would autoblock IPs that are > trying to bruteforce login (Since we are using SSL to encrypt our > traffic, this throws a rinch in all IDS systems I know) > -I have found some .sql scripts that help secure my db.. Since I will > be working with a lot of DB servers.. what are some more .sql scripts > that would help me secure my DBs? > > > thanks for any help! > Lee > > -- > Posted using the http://www.dbforumz.com interface, at author's request > Articles individually checked for conformance to usenet standards > Topic URL: > http://www.dbforumz.com/Security-Port-1433-open-internet-secure-db-ftopict234899.html (http://www.dbforumz.com/Security-Port-1433-open-internet-secure-db-fto...t234899) > Visit Topic URL to contact author (reg. req'd). Report abuse: > http://www.dbforumz.com/eform.php?p=814647</font>

Great suggestions!

I will definitly change port numbers.. and MBSA is installing now.

I am confused on this though:

"You should also look at using an intermediary broker
instead of direct connections or re-architecting the solution. "

what do you mean by this?

I have never heard of this before


thanks!
Lee
 >> Stay informed about: Port 1433 is open to internet, how can I secure db? 

Hi

Introducing some form of middle tier so you are not exposing the
database directly to the outside world, would make your application
significantly more secure and you will be able to control and monitor
it alot better.

John

pigeon wrote:
 > "John Bell" wrote:
  > >Hi
  > >
  > >You should look at changing the port you are using and run the
  > >Baseline
  > >Security Advisor. You should also look at using an intermediary
 > broker
  > >
  > >instead of direct connections or re-architecting the solution.
  > >
  > >John
  > >
  > >


   > >> Hello, in our application, we have to have our DB accessable over
  > >the
   > >> internet :/ and no VPN for each of the thousands of users
  > >isn't
   > >> possible...
   > >>
   > >> My question are:
   > >>
   > >> -How can I secure this?
   > >> -What would be a good IDS system that would autoblock IPs that
  > >are
   > >> trying to bruteforce login (Since we are using SSL to encrypt our
   > >> traffic, this throws a rinch in all IDS systems I know)
   > >> -I have found some .sql scripts that help secure my db.. Since I
  > >will
   > >> be working with a lot of DB servers.. what are some more .sql
  > >scripts
   > >> that would help me secure my DBs?
   > >>
   > >>
   > >> thanks for any help!
   > >> Lee
   > >>
   > >> --
   > >> Posted using the <a style='text-decoration: none;' href="http://www.dbforumz.com" target="_blank">http://www.dbforumz.com</a> interface, at
  > >author's request
   > >> Articles individually checked for conformance to usenet standards
   > >> Topic URL:
   > >>
  > >http://www.dbforumz.com/Security-Port-1433-open-internet-secure-db-ftopict234899.html
   > >> Visit Topic URL to contact author (reg. req'd). Report
  > >abuse:
   > >> <a style='text-decoration: none;' href="http://www.dbforumz.com/eform.php?p=814647</font></font" target="_blank">http://www.dbforumz.com/eform.php?p=814647</font</a>>
 >
 > Great suggestions!
 >
 > I will definitly change port numbers.. and MBSA is installing now.
 >
 > I am confused on this though:
 >
 > "You should also look at using an intermediary broker
 > instead of direct connections or re-architecting the solution. "
 >
 > what do you mean by this?
 >
 > I have never heard of this before
 >
 >
 > thanks!
 > Lee
 >> Stay informed about: Port 1433 is open to internet, how can I secure db? 

Pardon me for jumping in...

I administer a few networks, all with Sql Server exposed to the outside
world on port 1433. I have never had any problems. If strong passwords are
in place, isn't sql server secure?
 >> Stay informed about: Port 1433 is open to internet, how can I secure db? 

Good question...

Also, wouldn't changing the port to something else.. add another layer of security?

Because my logs are always full of people trying to login to SA/power... and with worms targetting 1433.. I am a little scared of opening my db up to the outside..
 >> Stay informed about: Port 1433 is open to internet, how can I secure db? 

"pigeon" wrote:

> -What would be a good IDS system that would autoblock IPs that are
> trying to bruteforce login (Since we are using SSL to encrypt our
> traffic, this throws a rinch in all IDS systems I know)

Snort can run in IPS mode (Snort Inline) and is open source. There are also
commercial solutions like Cisco's which will be able to autoblock based on
rules you set up for # of alerts, etc.
 >> Stay informed about: Port 1433 is open to internet, how can I secure db? 

Brian Kelley wrote:

"pigeon" wrote: > -What would be a good IDS system that would autoblock IPs that are > trying to bruteforce login (Since we are using SSL to encrypt our > traffic, this throws a rinch in all IDS systems I know) Snort can run in IPS mode (Snort Inline) and is open source. There are also commercial solutions like Cisco's which will be able to autoblock based on rules you set up for # of alerts, etc.

Thanks for the suggestion.

I think I will setup this for my linux servers.

but for my win2k3 db servers:

My issues are:
1)All traffic will be encrypted.. Is there a way to still sniff this (If I give the IDS program my certificate)

2)I need to do realtime autoblocking in windows.
 >> Stay informed about: Port 1433 is open to internet, how can I secure db? 

Hi

Security is not only what is in-built into the product, your whole
organisation needs to be taken into account when considering how secure your
systems are. Although IDS systems and strong passwords may stop or hold off
recognised brute force attacks, they will not guard against social
engineering, mis-configuration or unknown security issues. This is not only
applies to SQL Server, but the OS and other software that is running on your
exposed server.

In this country your can by a wall safe that looks like and electical
socket. That does not stop a burgular kicking in all the electrical sockets
in the house. But if you put that safe on your outside wall, how long before
it was kicked in?

John



"Hoof Hearted" wrote in message

> Pardon me for jumping in...
>
> I administer a few networks, all with Sql Server exposed to the outside
> world on port 1433. I have never had any problems. If strong passwords
> are
> in place, isn't sql server secure?
>
 >> Stay informed about: Port 1433 is open to internet, how can I secure db?