Firewall Wizards mailing list archives

Best practice suggestions for SQL and mapped drive through firewalls


From: "Ravdal, Stig" <stig.ravdal () digitalpaper com>
Date: Thu, 28 Feb 2002 08:01:47 -0500

Hi, I hope that some of you will offer your opinions and experiences on this
question.

My company is offering an e-commerce solution that uses an MS web server and
MS 2000 SQL database.  In order to keep the data safe it has been decided
that the data and database need to reside inside a firewall:  The
web-server will be in the DMZ/service network and the data and the database are
secured behind the firewall.  Both servers will be Windows 2000 servers.

The big question is how do we best implement this solution so that it works
yet is acceptably safe.
We do not know what firewall the customer may use, so if at all possible
a "universal" and "best practice" solution is what we are looking for.

The proposed solution is to map a drive through the firewall and from what I
can understand it would suffice to open up TCP 139 on the firewall to do
this (using NetBIOS over TCP/IP and ignoring UDP 137/138).  Yeah it's not
the most secure and I would appreciate any and all comments as to why one
might NOT want to do this.

Connection to the Database would be using ODBC over TCP port 1433.  I'm not
sure if we can make the client ports static, but I think so, thus the firewall
would be able to allow incoming connections from "web-server" port <static>
to "database" port 1433 (or we might even suggest using a less well known
port).  I'm not sure what the outbound session may look like, but if the
firewall is stateful (and maybe with inspection) that may be less of a
concern.

I have also suggested that we look into other ways including Secure FTP or
FTP through SSH, but this may or may not be that easy to accomplish
depending on the customer IT security team and what they are both willing
and comfortable doing.

Thanks for your comments,

Stig
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
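As an added illustration that is not part of the original post or any reply: a small model of the stateful firewall policy the post considers for the path between the DMZ web server and the internal SQL Server host. It shows why the ODBC client port does not need to be static when return traffic is matched on connection state, and that nothing else (NetBIOS 137-139, connections initiated from the database side) gets through under a default-deny policy. Addresses and port numbers other than 1433 and 137-139 are constructed placeholders.

```python
from dataclasses import dataclass

WEB_SERVER = "192.0.2.10"        # DMZ web server (constructed address)
DB_SERVER = "198.51.100.20"      # internal SQL Server host (constructed address)
SQL_PORT = 1433                  # TCP port the post proposes for the ODBC connection
NETBIOS_PORTS = {137, 138, 139}  # NetBIOS ports the post considers; denied by default here


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False  # True only for the first segment of a new TCP connection


class StatefulFirewall:
    """Single rule: NEW tcp web-server -> db:1433; everything else rides on state or is dropped."""

    def __init__(self):
        # Accepted connections, keyed by (src, sport, dst, dport) of the initiating side
        self.flows = set()

    def allow(self, pkt: Packet) -> bool:
        # Return traffic of an accepted flow: permitted whatever ephemeral client port was used
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return True
        # Further segments of an accepted flow in the forward direction
        if (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.flows:
            return True
        # The only rule for NEW connections. The source port is deliberately not constrained,
        # so the web server's ODBC client port may be dynamic.
        if (pkt.proto == "tcp" and pkt.syn and pkt.src == WEB_SERVER
                and pkt.dst == DB_SERVER and pkt.dport == SQL_PORT):
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # Default deny covers NetBIOS/SMB, db-initiated connections and unsolicited replies
        return False


def demo() -> list:
    """Run a constructed packet sequence through the policy and return the decisions."""
    fw = StatefulFirewall()
    return [
        fw.allow(Packet(WEB_SERVER, 50123, DB_SERVER, SQL_PORT, syn=True)),  # new ODBC connection
        fw.allow(Packet(DB_SERVER, SQL_PORT, WEB_SERVER, 50123)),            # its reply
        fw.allow(Packet(DB_SERVER, SQL_PORT, WEB_SERVER, 50999)),            # unsolicited "reply"
        fw.allow(Packet(WEB_SERVER, 50124, DB_SERVER, 139, syn=True)),       # NetBIOS session
        fw.allow(Packet(DB_SERVER, 40000, WEB_SERVER, 80, syn=True)),        # db initiating outbound
    ]
```

The result of `demo()` is `[True, True, False, False, False]`: only the web-server-initiated connection to 1433 and its state-matched replies pass.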
