SQL Server with Mr. Denny

Jan 7 2010   11:00AM GMT

Not everything needs a public IP address.



Posted by: Denny Cherry
Tags:
SecurityFightClub
Storage

For those of you in bigger shops you can probably ignore this.  If you work in a smaller shop where everything in the datacenter has a public IP, this post is for you.

I find it truly amazing what some people will put a public IP address on, and allow access to over the internet. Granted, these things may actually have a private IP, but instead of setting up some sort of secure VPN between the office and the data center they map a public IP to the private IP and don’t set up any restrictions on what can access the public IP.

Most everyone has seen SQL Servers with public IPs and access to port 1433 wide open.  This is how things like SQL Slammer get into the network and cause all sorts of problems (among other little nasties).

All too often I see people online asking about putting things like ISA on a DC, which is great reuse of resources until you realize that you now have your domain controller connected to the public Internet. And you have probably done this without a router or hardware firewall between the Internet and your DC, making this probably not the best idea, as getting into LDAP on the DC probably isn’t that hard: Windows Firewall will probably have those ports open so that AD can function.

But I’ve seen even worse things connected to the Internet over the years. A while back I was looking at a client’s SQL Server. I saw EMC’s PowerPath installed, so I asked what sort of SAN was behind the unit. The response: an EMC CLARiiON (CX4). Since we were having IO issues I asked if I could VPN in (I was using RDP over the Internet up till now directly into the SQL Server) so I could access the CLARiiON. They said no problem, and proceeded to give me the two public IPs for their storage array’s controllers. So here I am accessing the storage array over the public Internet without any sort of encryption between me and the array (as far as I know the array doesn’t support HTTPS). If you’ve never seen the EMC Management tool, it is a lovely Java app, and Java doesn’t work so well over RDP, so I couldn’t access it via the SQL Server, which I at least had a somewhat encrypted connection to.

The basic rule with putting stuff on the Internet should be: if it doesn’t need to be on the public Internet, it shouldn’t be. More specifically, if you don’t want your customers to access it, keep it off the net. Especially if it is core to your business.
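One way to apply that rule to an existing setup, as an added example that is not part of the original post: a short Python audit over a list of public-to-private NAT mappings that flags anything customers do not need. The rule format, role labels, addresses, the storage management port and the "broader than /8 counts as unrestricted" threshold are all assumptions made for the illustration.

```python
import ipaddress

# Assumed policy: only these roles are meant to be reached by customers.
CUSTOMER_FACING = {"web"}

# Constructed sample of static NAT mappings (public IP -> private IP).
# Public addresses are RFC 5737 documentation ranges, not real hosts.
# The storage-mgmt port is a placeholder, not taken from any product.
SAMPLE_RULES = [
    {"public": "203.0.113.10", "private": "10.0.0.10", "port": 443,
     "role": "web", "source": "0.0.0.0/0"},
    {"public": "203.0.113.11", "private": "10.0.0.20", "port": 1433,
     "role": "sql", "source": "0.0.0.0/0"},
    {"public": "203.0.113.12", "private": "10.0.0.5", "port": 389,
     "role": "domain-controller", "source": "0.0.0.0/0"},
    {"public": "203.0.113.13", "private": "10.0.0.30", "port": 3389,
     "role": "sql", "source": "198.51.100.0/24"},
    {"public": "203.0.113.14", "private": "10.0.0.40", "port": 80,
     "role": "storage-mgmt", "source": "0.0.0.0/1"},
]


def classify(rule):
    """Return 'ok', 'restricted' or 'open' for one NAT mapping."""
    if rule["role"] in CUSTOMER_FACING:
        return "ok"  # customers need it, so it belongs on the Internet
    source = ipaddress.ip_network(rule["source"], strict=False)
    # Anything broader than a /8 is treated as no restriction at all,
    # which also catches split ranges such as 0.0.0.0/1.
    if source.prefixlen < 8:
        return "open"
    # Source-limited but still published: a VPN would be the better fit.
    return "restricted"


def audit(rules):
    """List every mapping that customers do not need, worst first."""
    findings = [(classify(r), r) for r in rules]
    findings = [f for f in findings if f[0] != "ok"]
    return sorted(findings, key=lambda f: (f[0] != "open", f[1]["public"]))


if __name__ == "__main__":
    for level, r in audit(SAMPLE_RULES):
        print(f"{level:10} {r['public']}:{r['port']} -> {r['private']} "
              f"({r['role']}) from {r['source']}")
```

Every mapping reported as "open" is a candidate for removal from the public Internet; those reported as "restricted" are better moved behind the office-to-datacenter VPN.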

Can you imagine what would happen if someone broke into the storage array? Forget being able to drop tables or databases if they broke into the SQL Server. They could simply delete the hard drive of the SQL Server, delete the RAID group, rebuild the RAID group, and create a new LUN, which would then write 0s to the disks, pretty much killing any chance of getting anything back from the disks. Poof, all gone, business closed, all because the array could be accessed from the public Internet.

Something to think about.

Denny
