Using Ipsec with SQL server – some questions | SQL Server Performance Forums


I would like to secure communications between our IIS server on the DMZ and the internal SQL server using IPSEC. The server runs multiple instances, so as long as I fix the port of the SQL instance I want to use with IPSec, the other SQL instances should work OK? I am assuming that ALL communication with the SQL instance will then be using IPSEC, including internal clients. Will I have to configure internal clients with IPSEC as well? Could I not use a second network adapter for the internal clients and put the other adapter (that IIS will talk to) into a VLAN, so that if the box is compromised then at least they won’t be able to see the internal network… Thanks
What is the operating system? Satya SKJ
Moderator
http://www.SQL-Server-Performance.Com/forum
This posting is provided “AS IS” with no rights for the sake of knowledge sharing.
quote: Originally posted by satya: What is the operating system?

W2k or W2k3 – most likely to be W2k3
Hi ya, So you have an IIS server on a DMZ, separated by a firewall from the SQL Server. The firewall has presumably already been configured to only allow the SQL port for each instance through (each instance will have its own port) and to block everything else? If so, then what benefit will IPSec give you for this? You can put IPSec rules on the SQL Server, which would again allow traffic to some ports but not others, just like the firewall does at the moment. Unless you’re talking about encrypting traffic, in which case that can be set up by forcing the client or server connect settings to be encrypted. A VLAN is not a security method. VLANs can easily be crossed; if you have a hacker who managed to compromise the box then crossing a VLAN is easy and well documented on the Net. We have a similar set up to you and use:
– IIS on the webfacing DMZ
– SQL on the backfacing DMZ
– only the SQL port is allowed (we use a cluster so all instances have the same port but a different ip)
– IIS and internal machines can both access the SQL box, but it is via the firewall cluster Cheers
Twan
VLAN is a good management tool though, and can be used to effectively manage internal traffic and network rules without the overhead and cost of a firewall. I agree with Twan though. It shouldn’t be used to manage between all segments, nor should it be used as the security method between the SQL Servers and internal/DMZ access for production. MeanOldDBA
[email protected] When life gives you a lemon, fire the DBA.
Hi ya,

yes definitely agree VLANs have their place, but security ain’t it ;-)

Cheers
Twan
I’m not sure I 100% agree with the thought that IPSEC isn’t needed if you have firewalls. Maybe my thought is correct but the use of IPSEC isn’t – i.e. a better solution would be to use a software firewall on the IIS server to block all incoming except port 80 and on the SQL server to block all incoming except the port for SQL. My thinking is to take a layered approach rather than thinking that as long as I have a firewall between networks everything will be OK. Surely if the link between my IIS and SQL server is encrypted and only the minimum ports on each box are open, then that is an improvement over having an unencrypted pinhole between the two networks and all ports open on the servers…

Hi ya,

in my experience I’ve found the management of IPsec rules too much of an overhead for the additional benefit… As well as the IIS port and the SQL port there are lots of other ports which are needed for general communication. Most of these are outbound, but some, like DCOM and MSDTC, are UDP inbound connections on a random port number.

Encryption does protect you from someone who’s compromised the DMZ network from listening to traffic.

Yes, I agree that it is more secure; in my contracts I’ve tended to find that the management overhead outweighed the benefits.

Having said that, once Windows 2003 SP1 comes out then I would look to use the firewall, since it is much easier to administer and is a stateful firewall, making it more secure too.

Cheers
Twan

PS another way to secure the box is to have as few services running on it as possible; after all the most secure port is one where nothing is listening ;-)
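As an added example (not from the thread or any of its posters), here is how the split the original poster asked about can be expressed on the SQL host: firewall allows only the instance's fixed port, and IPsec is required only for the DMZ IIS leg, so internal clients keep connecting without any IPsec configuration. It uses the Windows firewall/IPsec PowerShell cmdlets available on Windows Server 2012 and later (the W2k3-era equivalent was netsh ipsec); the port, addresses and CA name are placeholders for your environment.

```powershell
# Added example, not code from the thread. Run as administrator on the SQL Server host.
# Assumptions (placeholders): the instance exposed to the DMZ is pinned to static
# TCP port 1433 in SQL Server Configuration Manager (dynamic ports disabled),
# the DMZ IIS server is 192.0.2.10, and internal clients live in 10.0.0.0/8.
$SqlPort  = 1433
$IisHost  = '192.0.2.10'
$Internal = '10.0.0.0/8'

# 1. Firewall: the only inbound path to this instance is its fixed port, and only
#    from the IIS box and the internal network. Other instances on the host are
#    not listed, so their ports stay closed to the DMZ under the default inbound block.
New-NetFirewallRule -DisplayName "SQL $SqlPort from DMZ IIS" -Direction Inbound `
    -Protocol TCP -LocalPort $SqlPort -RemoteAddress $IisHost -Action Allow
New-NetFirewallRule -DisplayName "SQL $SqlPort from internal" -Direction Inbound `
    -Protocol TCP -LocalPort $SqlPort -RemoteAddress $Internal -Action Allow

# 2. IPsec: require authenticated, encrypted transport for the DMZ <-> SQL leg only.
#    Scoping the rule to the IIS address means internal clients never match it,
#    which answers the question of whether they need IPsec too: they do not.
#    Authentication is by computer certificate; both hosts need a cert from this CA
#    (placeholder CA name).
$certAuth = New-NetIPsecAuthProposal -Machine -Cert `
    -Authority 'CN=Example Corp Issuing CA' -AuthorityType Root
$phase1 = New-NetIPsecPhase1AuthSet -DisplayName 'SQL-DMZ computer cert auth' `
    -Proposal $certAuth
$ipsecRuleName = "Require IPsec: DMZ IIS -> SQL $SqlPort"
New-NetIPsecRule -DisplayName $ipsecRuleName `
    -Protocol TCP -LocalPort $SqlPort -RemoteAddress $IisHost `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $phase1.Name

# 3. Check the IPsec rule really is scoped to the IIS address only, not to the
#    internal range, before relying on it.
Get-NetIPsecRule -DisplayName $ipsecRuleName | Get-NetFirewallAddressFilter

# Caveat: the firewall between the DMZ and the SQL segment must also pass IKE
# (UDP 500, and UDP 4500 if NAT is in the path) and ESP (IP protocol 50), or the
# IIS connection will fail once IPsec is required on this port.
```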