 Best Practice in a web environment


AskSQLTeam
Ask SQLTeam Question

0 Posts

Posted - 2002-07-25 : 09:44:12
Jack writes "We will implement SQL 2000 to be accessed from the web. We will use one server for SQL and one server for IIS. What is the recommended security design for this scenario in regards to accessing the data? Specifically, is it best to create two instances (or just two databases) on the same box and allow web access to one and use replication between both? Or are there no security benefits to this and should we use only one database that is accessed/updated both internally and from the web?
I realize that if the box is hacked that it does not matter if the databases are separated, but I would think that if a web front-end is hacked, that would limit damage to just the web accessed database, not the internal one (until replication kicks in).
I appreciate any suggestions/comments.

Thanks!"

Merkin
Funky Drop Bear Fearing SQL Dude!

4970 Posts

Posted - 2002-07-25 : 10:06:20
Hi Jack

When you say "SQL 2000 to be accessed from the web" do you mean the actual database server needs to be remotely accessed? Or that your web server needs to access it?

If it is the latter, your best bet is to set up a firewall. The firewall is internet facing, then put the web server in one zone (generally known as a DMZ) and your database server in the "green" network. The 2 boxes actually come off different network cards.

Then you create a tunneled port from the web server to the DB server so your web app can see the database.

The end result of this is that if you log in to your green network, either by having it on your network or by VPNing in, you can have full access to your web and DB server. But anyone who is coming from the internet side has no access to your database box.

If your web server is completely compromised, then the only access to your database server is on the one port you have tunnelled. A good security policy on your database will reduce risk here. It's not perfect, but it is pretty much the safest option.

Hope that helps a bit, if you want me to clear anything up, let me know.

Damian
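
The zone layout described in the reply above, modelled as a first-match rule table to show what a compromised web server can still reach. This is an added example, not part of the original thread; the addresses, the rule order and TCP 1433 as the tunnelled port are assumptions.

```python
import ipaddress
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    action: str            # "allow" or "deny"
    src: str               # source network (CIDR)
    dst: str               # destination network (CIDR)
    port: Optional[int]    # destination TCP port; None matches any port

# Constructed addressing (assumptions, not taken from the thread).
ANY = "0.0.0.0/0"
GREEN = "10.0.0.0/24"          # internal network, including VPN users
WEB = "192.168.10.10/32"       # IIS server in the DMZ
DB = "10.0.0.20/32"            # SQL Server in the green network
SQL_PORT = 1433                # assumed: SQL Server's default TCP port

# First match wins; traffic that matches nothing is denied.
# A real firewall also keys on the ingress interface, which this model omits.
RULES = [
    Rule("allow", GREEN, ANY, None),     # green/VPN users reach web and DB
    Rule("allow", WEB, DB, SQL_PORT),    # the single tunnelled port
    Rule("deny", ANY, GREEN, None),      # nothing else enters green
    Rule("allow", ANY, WEB, 80),         # public HTTP
    Rule("allow", ANY, WEB, 443),        # public HTTPS
]

def decide(src: str, dst: str, port: int) -> str:
    """Return the action of the first rule matching this TCP flow."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in RULES:
        if (s in ipaddress.ip_network(r.src)
                and d in ipaddress.ip_network(r.dst)
                and r.port in (None, port)):
            return r.action
    return "deny"

def exposure(src: str, hosts, ports):
    """List the (host, port) pairs a given source can reach."""
    return [(h, p) for h in hosts for p in ports if decide(src, h, p) == "allow"]

if __name__ == "__main__":
    green_hosts = ["10.0.0.20", "10.0.0.21"]   # DB plus one other internal box
    ports = [135, 445, 1433, 3389]
    print("compromised web server:", exposure("192.168.10.10", green_hosts, ports))
    print("internet host:", exposure("203.0.113.5", green_hosts, ports))
```

The only pair returned for the web server is the database on the tunnelled port, which is why the login the web application uses on that port should carry the narrowest database permissions that still let the site work.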