Mondeo (Constraint Violating Yak Guru, 287 Posts)
Posted - 2007-10-02 : 05:41:12

Hi,

Wondered if you peeps could offer me some advice on this. The company I'm working for has recently invested in a massive bespoke CRM system. The software company that's worked on it has today specified the servers for the new system; just want to check what they're telling us.

Two servers, one front end running IIS and .NET, one back end running MySQL.

They said it's essential that a hardware firewall is placed in between the servers and the back end machine is not directly accessible from the internet. They've told the directors all the usual scare tactics that the customer data is at risk if we don't have this - personally I think they're just pushing their own hosting solution.

So, question is - is MySQL that insecure that it needs to be firewalled off?

Our hosting company is looking at about £2000 for the firewall and configuration. Is that necessary?

I suggested IPSec on the servers as an alternative; they rubbished that, saying it's not secure enough.

Any advice appreciated.

Thanks
Kristen (Test, 22859 Posts)
Posted - 2007-10-02 : 07:58:22

"So, question is - is MySQL that insecure that it needs to be firewalled off?"

Can't speak for MySQL, but for SQL Server I think that's a very sensible suggestion. Especially if the Database Server is sitting on a LAN that is "open" to the Internet.

A port scanner attack is likely to attempt THOUSANDS of logins PER SECOND, which will cripple a server, and that's assuming that they don't manage to get in!

Kristen
Mondeo (Constraint Violating Yak Guru, 287 Posts)
Posted - 2007-10-02 : 08:18:52

Fair comment, but wouldn't a local security policy - i.e. IPSec - be just as effective without going to the expense of a hardware firewall?

Thanks
Kristen (Test, 22859 Posts)
Posted - 2007-10-02 : 08:26:34

Don't know the answer to that, but our internet-facing servers all have a [read=Expensive!] firewall in the way, and I'm pretty sure that our IT lot would not have got the budget for it if it wasn't demonstrably necessary.

But the servers I'm referring to are sitting at an ISP, so very much "on the internet".

For the office LAN we have a firewall between the LAN and the outside world (so we do NOT have a firewall JUST to protect the Database Servers WITHIN the LAN).

Kristen
Mondeo (Constraint Violating Yak Guru, 287 Posts)
Posted - 2007-10-02 : 08:39:01

Cheers,

One question for you: you say your internet-facing SQL servers are behind firewalls - are you able to access them directly, for example using Enterprise Manager (or whatever you use)? If the port is closed publicly, how do you administer them?

Thanks
Kristen (Test, 22859 Posts)
Posted - 2007-10-02 : 08:40:54

"are you able to access them directly for example using enterprise manager (or whatever you use)"

My [fixed] IP address is "allowed through" by the firewall.

Kristen
Mondeo (Constraint Violating Yak Guru, 287 Posts)
Posted - 2007-10-02 : 08:57:59

Gotcha,

So your firewall allows access from specific IPs - namely your IIS servers (or whatever you use), and certain client IPs like yours for admin.

Thanks
Kristen (Test, 22859 Posts)
Posted - 2007-10-02 : 09:46:21

Yup, that's the Top & Bottom of it.
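An added detection-side example (mine, not code from anyone in this thread) that ties together Kristen's two points: only the IIS front end and one fixed admin address should ever reach the database port, and a port-scanner attack shows up as a flood of failed logins. It scans MySQL "Access denied" error-log lines (a constructed sample; the allow-listed addresses are assumptions) and reports sources that are not on the allow-list, which means the firewall or IPSec policy is not actually blocking them, plus any source exceeding a failed-login threshold.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of MySQL error-log lines in the classic
# "Access denied for user 'x'@'host'" format; hosts are made up.
SAMPLE_LOG = """\
071002  9:46:21 [Warning] Access denied for user 'crm'@'10.0.0.5' (using password: YES)
071002  9:46:22 [Warning] Access denied for user 'root'@'203.0.113.9' (using password: YES)
071002  9:46:22 [Warning] Access denied for user 'root'@'203.0.113.9' (using password: NO)
071002  9:46:22 [Warning] Access denied for user 'admin'@'203.0.113.9' (using password: YES)
071002  9:46:23 [Warning] Access denied for user 'sa'@'203.0.113.9' (using password: YES)
"""

# The only hosts that should ever reach port 3306: the IIS front end and the
# fixed admin address Kristen describes. Both addresses are assumptions.
ALLOWED = [ipaddress.ip_network("10.0.0.5/32"),
           ipaddress.ip_network("198.51.100.7/32")]

DENIED_RE = re.compile(r"Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']+)'")


def parse_denied(log_text):
    """Return a (user, host) tuple for every failed login in the log text."""
    return [(m.group("user"), m.group("host")) for m in DENIED_RE.finditer(log_text)]


def is_allowed(host):
    """True if the source host is local or inside one of the allow-listed networks."""
    if host == "localhost":
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # unresolved hostname: treat as not allow-listed
    return any(addr in net for net in ALLOWED)


def audit(log_text, threshold=3):
    """Summarise failed logins per source and flag two conditions:
    'unexpected': sources the firewall should have blocked but which reached the port;
    'flood': sources with at least `threshold` failures (scanner / brute-force pattern)."""
    per_host = Counter(host for _, host in parse_denied(log_text))
    unexpected = sorted(h for h in per_host if not is_allowed(h))
    flood = sorted(h for h, n in per_host.items() if n >= threshold)
    return {"per_host": dict(per_host), "unexpected": unexpected, "flood": flood}


if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

Any host in "unexpected" is proof the port is reachable from where it should not be, regardless of whether the blocking is done by a hardware firewall or a local IPSec policy.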
Mondeo (Constraint Violating Yak Guru, 287 Posts)
Posted - 2007-10-02 : 10:05:21

I can do all this using local group policy - question remains whether it's as good as a dedicated hardware firewall. I'm struggling to find out.
SwePeso (Patron Saint of Lost Yaks, 30421 Posts)
Posted - 2007-10-02 : 10:20:32

All this is for external unauthorized access? What about internal unauthorized access?

80% of all database intrusions are internal...

E 12°55'05.25"N 56°04'39.16"
Kristen (Test, 22859 Posts)
Posted - 2007-10-02 : 10:34:00

Yeah, I arrive at your office, ask if I can plug my laptop in, the Code Red virus on my laptop infects your SQL Server, and <Bang!> etc. etc. etc.