Running SQL on Real IP

[FanacooL]

Hi gals / guys
We have created an application which will be running across all our 17 branches (cities) and this application will be accessing our SQL database. We will be running that DB server on real IP so that the clients can access it...... Now this Server will be behind a Firewall. Now we have two solutions for this whole network architecture.....

=> We will be using DSL line for accessing this Server and the link b/w the server and the ISP would be 1Mbps. But this scnerio is a classic one one to me it looks unsecure although we willl be using a hardware based firewall in b/w server and DSL router.....

=> Another alternative is that we go for VPN...... Now i am attaching a diagram of VPN solution I have develop for this scenrio......

I wana comments from you folks about both the architecture and any other suggestion you can give me...... Keeping in mind that the VPN cost is around 110% more than the classic DSL link..... And cost is also playing on our mind.....

[nihil]

Hi FanacooL I will ask rather than "assume"

Are the clients "fixed" and internal (I know they are at different sites), or are they external (and mobile)?

If they are fixed then I would have thought that only allowing connections from approved IP addresses would work. I would have them logon to the server and then to the database as well.

I like VPN, but it is more for "roaming" type connections, and, as you rightly observe, it is relatively costly

I am not sure about your DSL, mine here will only work down this telephone line, for example.

My comments are based purely on the way I have seen things done in my experience.

[FanacooL]

17 cities each having more than one users in there office so clients means small networks.....You said that Approved IP connections should be allowed, than this means we should have static IP's on each client .... this will add extra cost.....

Why this static IP thing? What will be the consequences of not having static IP?

VPN would have been a good option if the cost isn't that high as it would be more easier for us at Head office to manage the network all over the country.

logon to the server and then connect to the database
What you mean by this? can you elaborate it a little bit.

[nihil]

Hi FanacooL please remember that I am speaking from experience of implementation and use. The actual set up I always delegated to network/infrastructure people.

1. It seems that you have fixed locations, in that they are your 17 offices.
2. I appreciate that you will have multiple users at your offices, but I would expect them to come through a router, which would appear to be a single "client" to your ISP? The router would then allocate local addresses.
3. I am not really sure about the "fixed" as opposed to "dynamic" IP addresses that your ISP would allocate. If they are dynamic, you would have to talk to your ISP about which address blocks you would need to allow.
4. Your firewall should take care of port scanning.
5. As for static v. dynamic..................if you are static you can be consistently found and probed. If you are dynamic, an attacker has to find you each time?
6. If you enforce login to the applications server, then login to the application you should be reasonably well covered.
7. You may wish to look at an IDS on the server?

At the end of the day you need to do some sort of risk/vulnerability assessment to determine what is the most cost effective solution .

[FanacooL]

Well actually there are two kind of users accessing the server one of them are our own offices staff as I already mentioned they are in different cities and the other type of users are our clients who can be on dial-up or any other medium available to them.....

Well our server can't be one a dyanmic IP as the application running on clients will be accessing the specific IP address. So one thing can't be changed that is Server will have static IP......

[FanacooL]

i was working on the same scnerio and was looking for some hardware based firewall and came across this one..... Looks a very cheap firewall but the features are quite comparable with other solutions..... Now i am just curious to know why with such features the price is so cheap....

http://www.xnet.com.pk/prod/firewall-sn330.shtml

Looks better than Netscreen 25....

[nihil]

Hi,

So one thing can't be changed that is Server will have static IP......

Yes, that is true, I was thinking more of the internal "client" sites (17) and validating them.

Now you tell me that third parties will be connecting, it becomes a whole new scenario.

Are these third parties corporates, or is the general public included?

What is the business process for obtaining permission to access this application/database?

At this point it is sounding more like a secure website type of deployment? Like in online shopping or banking?

I have no idea of your security model and your risk assessment, but I would certainly want that server outside of my internal network

[FanacooL]

These third parties can be local people and our corporate clients..... they will be giving with software .exe and through which they will be logged into the database after veryfing there credentials they would be able to access the database...... Thats for the database..... Other people like local would be sending request for the status of there service....Stuff like that

There is flaw in this development of the application from software team they should have developed it as a web-based tool..... rather than a desktop application but somehow they have managed to go through it and now its upto us network side ppl to manage it.

[nihil]

There is flaw in this development of the application from software team they should have developed it as a web-based tool..... rather than a desktop application

Well it did take me three posts to realise that

OK, so what can we do about it?

1. This system must be totally separate from your internal production environment and networks. That will at least simplify some of the security issues.

2. I assume that you will need to pass information from your internal applications and databases to this system, and possibly back from it? If this is correct, then you need to do so by means of carefully designed and controlled interfaces. I think that we can discuss those a bit later on when we have the overall architecture agreed.

3. That now leaves us with a situation similar to an ISP like AOL, Tiscali or whoever, insofar as we load a desktop application (the browser) onto the remote PC, that takes the user into a server. I know that is a poor example, but I am trying to make a desktop client to server architecture look and work like a web based one

Does that sound feasible to you?

[FanacooL]

The server will not be the part of the internal network thats ok, and has been already agreed upon.

As this application will be directly accessing the database server and yes there will be data coming in and out from the server and similarly at the user end too.

But still i am a little worried about the threat to that server as it will be open for everyone and will not be a on private network.... I will be using a firewall in front of it and are there any other things i can implement to make sure thats its more safe and scure.