Firewall Wizards mailing list archives
RE: Best practice suggestions for SQL and mapped drive through firewall
From: "Ravdal, Stig" <stig.ravdal () digitalpaper com>
Date: Fri, 1 Mar 2002 10:53:51 -0500
Hi Arkan and thanks for your responses. I did get some useful info from that freetds site you provided.

As far as the mapping using NetBIOS is concerned I am open to any other way to accomplish the desired result. Again, the idea is that the web-server can access data as if it were locally attached even though the data resides on a different server securely behind the firewall - thus the mapping of a shared directory. Because it's a Windows-to-Windows setup the natural choice is NetBIOS over TCP/IP - but again I am open to any solutions that are better, more commonly accepted and more secure.

Thanks,
Stig
-----Original Message-----
From: ark () eltex ru [mailto:ark () eltex ru]
Sent: Friday, March 01, 2002 10:16 AM
To: stig.ravdal () digitalpaper com
Cc: firewall-wizards () nfr com
Subject: Re: [fw-wiz] Best practice suggestions for SQL and mapped drive through firewall

-----BEGIN PGP SIGNED MESSAGE-----

nuqneH,

"Ravdal, Stig" <stig.ravdal () digitalpaper com> said :

> Hi, I hope that some of you will offer your opinions and experiences on this
> question. My company is offering an e-commerce solution that uses an MS web
> server and MS 2000 SQL database. In order to keep the data safe it has been
> decided that the data and database need to reside inside a firewall: the
> web-server will be in the DMZ/service network and data and the database are
> secured behind the firewall. Both servers will be Windows 2000 servers.
> The big question is how do we best implement this solution so that it works
> yet is acceptably safe. We do not know what firewall the customer may use, so
> if at all possible a "universal" and "best practice" solution is what we are
> looking for.
> The proposed solution is to map a drive through the firewall and from what I
> can understand it would suffice to open up TCP 139 on the firewall to do
> this (using NetBIOS over TCP/IP and ignoring UDP 137/138). Yeah, it's not
> the most secure and I would appreciate any and all comments as to why one
> might NOT want to do this.

Just do not (general rule that applies to netbios shares). Why do you want to do that?

> Connection to the Database would be using ODBC over TCP port 1433. I'm not
> sure if we can make the client ports static but I think so, thus the firewall
> would be able to allow incoming connections from "web-server" port <static>
> to "database" port 1433 (or we might even suggest using a less well known
> port). I'm not sure what the outbound session may look like but if the
> firewall is stateful (and maybe with inspection) that may be less of a
> concern.

MS SQL runs TDS on 1433. It is, basically, a generic packet exchange over tcp.
See www.freetds.org if you want to know what happens inside. It is (quite)
firewall-friendly, though sometimes it expects weird things, like aligning
ip and tds packet boundaries. It does not affect functionality but that may
affect performance. There are several proxies for tds.

> I have also suggested that we look into other ways including Secure FTP or
> FTP through SSH, but this may or may not be that easy to accomplish depending
> on the customer IT security team and what they are both willing and
> comfortable doing.

You may run tds over ssl, ssh, ipsec and whatever else you want that does tcp tunneling.

CU in Hell /Arkan#iD
Do i believe in Bible? Hell, man, i've seen one!

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1i

iQCVAwUBPH+bGKH/mIJW9LeBAQHZHgQAiH0tHYJImw/JktvlpBjvPGJLu9htPUBt
889FL3ZeJsWh/hwiLFj9E1SsssSFOlEQostcUPu2cVDELj4GLy6+3TPHNmETnL51
ZbMrBhHxkBm6WVKeHPX8nOI4SHTLqEYVuQ+nsfW614As2kI03Ghs+zauwy9APqlH
yirJ1wte3aU=
=OxnR
-----END PGP SIGNATURE-----
_______________________________________________ firewall-wizards mailing list firewall-wizards () nfr com http://list.nfr.com/mailman/listinfo/firewall-wizards
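Arkan's remark that TDS is "a generic packet exchange over tcp" and that some implementations care about TDS packet boundaries lining up with IP packets is easiest to see with the framing written out. The following is an added example, not code from either poster or from FreeTDS: a minimal TDS packet framer in Python that reassembles packets from an arbitrarily segmented TCP byte stream and joins them back into logical messages, which is what any "proxy for tds" or inspecting firewall sitting on port 1433 has to do before it can see what is inside. The header layout and packet-type values are taken from Microsoft's published MS-TDS specification (8-byte big-endian header: type, status, length including header, SPID, packet id, window; status bit 0x01 marks end of message). The query text, the deliberately tiny 16-byte packet size (the real default is 4096) and the 5-byte TCP segments are constructed inputs for illustration.

```python
"""TDS packet framing over a TCP byte stream (added example, not FreeTDS code)."""
import struct
from dataclasses import dataclass
from typing import Iterable, List

# MS-TDS packet header: type, status, length (incl. header), SPID, packet id,
# window. All fields big-endian, unlike the little-endian payloads that follow.
TDS_HEADER = struct.Struct(">BBHHBB")
STATUS_EOM = 0x01  # "end of message": this packet completes a logical TDS message

# Packet type values as defined in MS-TDS.
TDS_TYPES = {
    0x01: "SQL_BATCH",
    0x03: "RPC",
    0x04: "TABULAR_RESULT",
    0x06: "ATTENTION",
    0x07: "BULK_LOAD",
    0x0E: "TRANSACTION_MANAGER",
    0x10: "TDS7_LOGIN",
    0x12: "PRE_LOGIN",
}


@dataclass
class TdsPacket:
    ptype: int
    status: int
    spid: int
    packet_id: int
    payload: bytes

    @property
    def name(self) -> str:
        return TDS_TYPES.get(self.ptype, "UNKNOWN(0x%02x)" % self.ptype)

    @property
    def end_of_message(self) -> bool:
        return bool(self.status & STATUS_EOM)


def build_message(ptype: int, payload: bytes, packet_size: int = 4096) -> List[bytes]:
    """Split one logical TDS message into packets of at most packet_size bytes.

    Only the last packet carries the EOM bit; the others have status 0x00.
    """
    if packet_size <= TDS_HEADER.size:
        raise ValueError("packet_size must exceed the 8-byte header")
    chunk = packet_size - TDS_HEADER.size
    chunks = [payload[i:i + chunk] for i in range(0, len(payload), chunk)] or [b""]
    packets = []
    for n, part in enumerate(chunks, start=1):
        status = STATUS_EOM if n == len(chunks) else 0x00
        header = TDS_HEADER.pack(ptype, status, TDS_HEADER.size + len(part), 0, n & 0xFF, 0)
        packets.append(header + part)
    return packets


class TdsFramer:
    """Reassemble TDS packets from TCP data regardless of segment boundaries.

    A TDS packet may arrive split across several TCP segments, or several
    packets may share one segment; the framer buffers until a whole packet
    (header plus declared length) is present and then emits it.
    """

    def __init__(self) -> None:
        self.buf = b""

    def feed(self, segment: bytes) -> List[TdsPacket]:
        self.buf += segment
        out: List[TdsPacket] = []
        while len(self.buf) >= TDS_HEADER.size:
            ptype, status, length, spid, pid, _window = TDS_HEADER.unpack_from(self.buf)
            if length < TDS_HEADER.size:
                raise ValueError("bogus TDS length %d" % length)
            if len(self.buf) < length:
                break  # wait for the rest of this packet
            out.append(TdsPacket(ptype, status, spid, pid, self.buf[TDS_HEADER.size:length]))
            self.buf = self.buf[length:]
        return out


def reassemble(packets: Iterable[TdsPacket]) -> List[TdsPacket]:
    """Join consecutive packets into whole messages, closing each at an EOM packet."""
    messages: List[TdsPacket] = []
    parts: List[TdsPacket] = []
    for p in packets:
        parts.append(p)
        if p.end_of_message:
            body = b"".join(q.payload for q in parts)
            messages.append(TdsPacket(p.ptype, p.status, p.spid, p.packet_id, body))
            parts = []
    return messages


def demo() -> List[str]:
    """Constructed sample: one SQL batch (UCS-2LE text, as TDS 7.x sends it),
    forced into 16-byte packets and then delivered in 5-byte TCP segments."""
    query = "SELECT name FROM sys.databases"
    stream = b"".join(build_message(0x01, query.encode("utf-16-le"), packet_size=16))
    framer = TdsFramer()
    packets: List[TdsPacket] = []
    for i in range(0, len(stream), 5):
        packets.extend(framer.feed(stream[i:i + 5]))
    return [m.name + ": " + m.payload.decode("utf-16-le") for m in reassemble(packets)]


if __name__ == "__main__":
    print(demo())
```

The framer only trusts the declared length after checking it covers the header; a proxy that skipped that check could be stalled or desynchronised by a single malformed packet. Note also that nothing here decrypts anything: if the customer's firewall is expected to inspect the 1433 stream, it sees TDS in the clear only when no encryption was negotiated, and if the stream is instead wrapped in SSH, SSL or IPsec as Arkan suggests, the firewall sees opaque tunnel traffic and the inspection has to happen at the tunnel endpoint.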
Current thread:
- RE: Best practice suggestions for SQL and mapped drive through firewall Ravdal, Stig (Mar 01)
- Re: Best practice suggestions for SQL and mapped drive through firewall George Capehart (Mar 02)