Firewall Wizards mailing list archives

Re: Best practice suggestions for SQL and mapped drive through firewalls


From: m p <sumirati () yahoo de>
Date: Mon, 4 Mar 2002 16:51:39 +0100 (CET)

Hi Stig,

 --- "Ravdal, Stig" <stig.ravdal () digitalpaper com> wrote: 

The proposed solution is to map a drive through the firewall and from what I
can understand it would suffice to open up TCP 139 on the firewall to do
this (using NetBIOS over TCP/IP and ignoring UDP 137/138). Yeah, it's not
the most secure and I would appreciate any and all comments as to why one
might NOT want to do this.


First: I do not know if there can be a connection when ports 137/138 are
closed.
The problem with NetBIOS is that what is transported is not only "file
shares" but whole access to that machine via NetBIOS - you can use nbtstat
and similar tools to get more information/do more things than wanted.
In your email you did not make it clear whether the users (your customer) have
to map the network share or your database.
If it is the database, think about redesigning the whole thing in a more secure
and logical way. An application which needs a database should not need normal
access to that machine.

Connection to the Database would be using ODBC over TCP port 1433. I'm not
sure if we can make the client ports static but I think so, thus the firewall
would be able to allow incoming connections from "web-server" port <static>
to "database" port 1433 (or we might even suggest using a less well known
port). I'm not sure what the outbound session may look like but if the
firewall is stateful (and maybe with inspection) that may be less of a
concern.

A static source port will not make it more secure (as far as I "feel").
Perhaps you can alter the destination port - that brings you "security through
obscurity". But people are arguing whether that is any security in itself. In
this case it is worth a shot to set the port to 1521 to "emulate" an Oracle DB ;)
But if the "hacker" in the scenario gets that information, be more concerned
about a secured database (machine). Here it is essential to strip off the
rights of the database user(s) as much as possible - and keep track of the MS
SQL Server security record.


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
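The stateful-firewall point discussed above, as an added illustration that is not code from this post or from any firewall product the thread mentions: a small Python model of a connection-tracking policy that admits only the web server's new sessions to TCP 1433 and the replies belonging to them, drops NetBIOS/SMB session ports, and does not rely on a pinned client source port. The host addresses, the ports other than 1433/139 and the scenarios in demo() are constructed placeholders.

```python
from dataclasses import dataclass

WEB, DB = "10.0.1.10", "10.0.2.20"   # constructed placeholder addresses
SQL_PORT = 1433
NETBIOS_TCP = {139, 445}             # SMB/NetBIOS session ports, never allowed through


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False                # True for a connection-opening segment


class StatefulFirewall:
    """Admits a NEW connection only if it matches the allow list, then tracks
    the 4-tuple so the server's replies are admitted because of the tracked
    session, not because of a blanket 'source port 1433' rule."""

    def __init__(self):
        self.flows = set()           # (client, cport, server, sport)

    def allowed_new(self, p):
        # Only the web server may open a session to the SQL Server port.
        # The client source port is deliberately not pinned: it adds nothing.
        return p.src == WEB and p.dst == DB and p.dport == SQL_PORT

    def filter(self, p):
        if p.dport in NETBIOS_TCP:
            return "DROP"
        key = (p.src, p.sport, p.dst, p.dport)
        if key in self.flows or key[2:] + key[:2] in self.flows:
            return "ACCEPT"          # belongs to an established session
        if p.syn and self.allowed_new(p):
            self.flows.add(key)
            return "ACCEPT"
        return "DROP"


def demo():
    """Run the thread's scenarios through the policy; each is a constructed packet."""
    fw = StatefulFirewall()
    return {
        "netbios_139":  fw.filter(Packet("10.0.9.9", 40000, DB, 139, syn=True)),
        "web_to_sql":   fw.filter(Packet(WEB, 50123, DB, SQL_PORT, syn=True)),
        "sql_reply":    fw.filter(Packet(DB, SQL_PORT, WEB, 50123)),
        "unsolicited":  fw.filter(Packet(DB, SQL_PORT, WEB, 22, syn=True)),
        "other_client": fw.filter(Packet("10.0.9.9", 50123, DB, SQL_PORT, syn=True)),
    }
```

The "unsolicited" case is the one a stateless rule that simply permits source port 1433 back in would let through; with connection tracking it is dropped because no session was opened from the web server.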