accessing mssql port

  1. #1
    Member
    Join Date
    Jun 2004
    Posts
    77

    accessing mssql port

    Hi,
    I need to let a user have direct access to port 1433 on one machine on the internet running MSSQL.
    Should I put this user in the DMZ or the internal network? The issue with putting the user in the DMZ is that this user may try to access other DMZ machines. What are your expert opinions? Thanks. By the way, this user only needs to access port 1433 using custom software and has no business using other facilities, like internet surfing etc.

  2. #2
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,914
    Hey Hey,

    You'll have to provide a bit more information on your current network structure...

    1) Where is the user currently located? Internal, External, DMZ?
    2) Is the user an employee or an outside contractor?
    3) Where is the MS SQL Server... it's an internet facing machine... so someone else's machine? or your machine in your DMZ?

    My assumption would be that you have a single user on your intranet (cut off from the internet) who needs to access a single machine (across the internet) and hit port 1433...

    If that's the case how about a proxy? Set up a machine that you control somewhere that has access to both the intranet and internet and forward port 1433... This will allow them access but prevent them from using anything else... It will also prevent inbound connections to their machine (something that putting them in the DMZ may not prevent)...

    A little more on the current config would help though.

    Peace,
    HT
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  3. #3
    Member
    Join Date
    Jun 2004
    Posts
    77
    Thanks for your interest. To provide more info:
    1) He is an employee, so he is inside the company.
    2) Network structure: typical, an internal LAN and a DMZ. The DMZ runs web servers etc. for the public. In front of the DMZ is a firewall facing the internet. In front of our internal LAN is another firewall. Users are not allowed to access DMZ machines. Only designated servers that need to transfer files to DMZ servers are allowed.
    3) The user only needs to access port 1433 of an internet machine, querying a database on the outside (internet).

    So if I understand you correctly, by putting a proxy, maybe an ISA proxy, in my internal LAN, and then configuring it to forward 1433 traffic between the user and that internet machine, it will be the proper INTERNAL setup? So putting him in the DMZ is not a good idea, right? I am also intending to configure a personal firewall on the user's PC.
    By the way, if you know any sites that show how to configure ISA Server to proxy 1433 traffic, please advise me of the links. Thanks very much.

  4. #4
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,914
    Hey Hey,

    That's the proper setup in my opinion.... Mind you I spent very little time in the world of sys admining and now work on security... but it's the simplest thing to go with.... or so I'd say...

    Peace,
    HT

  5. #5
    Senior Member
    Join Date
    Jul 2004
    Posts
    469
    Just curious why your users aren't allowed to access the machines in the DMZ? By nature a DMZ is a demilitarized zone, and it generally allows more access rather than less.
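
The forwarding setup suggested in reply #2, sketched as an added example that is not part of the thread: a relay on a machine reachable from the LAN that accepts connections only from the one user's PC and forwards them to a single fixed destination on port 1433. All addresses are assumed documentation-range placeholders, and the function names are hypothetical.

```python
import ipaddress
import socket
import threading

# Assumed values (documentation address ranges, not taken from the thread).
ALLOWED = [ipaddress.ip_network("192.0.2.25/32")]  # the one user's PC
UPSTREAM = ("203.0.113.10", 1433)                  # the external SQL Server
LISTEN = ("192.0.2.1", 1433)                       # relay's LAN-facing interface


def client_permitted(peer_ip, allowed=ALLOWED):
    """True only if the connecting address falls inside an allowed network."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in allowed)


def _pump(src, dst):
    """Copy bytes one way until EOF or error, then tear down both sockets."""
    try:
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        for s in (src, dst):
            try:
                s.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass
            s.close()


def handle(client, peer, upstream=UPSTREAM, allowed=ALLOWED):
    """Relay one client to the fixed upstream; the client never picks the target."""
    try:
        if not client_permitted(peer[0], allowed):
            raise PermissionError(peer[0])
        server = socket.create_connection(upstream, timeout=10)
    except OSError:  # PermissionError is an OSError subclass
        client.close()
        return False
    server.settimeout(None)
    for a, b in ((client, server), (server, client)):
        threading.Thread(target=_pump, args=(a, b), daemon=True).start()
    return True


if __name__ == "__main__":
    with socket.create_server(LISTEN) as listener:  # inbound only from the LAN side
        while True:
            handle(*listener.accept())
```

The outer firewall rule then only needs to permit the relay host to reach the one destination on TCP 1433, so the user's PC itself gets no direct route to the internet or the DMZ.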
