We are building a client solution that will be hosted on servers in a data-centre. It consists of several servers all related to providing the client solution. There is no internal network to protect but for some reason our UAT environment has the notion of a DMZ in the server diagram.
We have an IIS box which will have a public IP. Then we have two servers DB(Sql Server) and APP that are only on the internal lan with no public IPs. You can only RDP to these servers via VPN. Our IIS server needs sql access so port 1433 is open from IIS box(DMZ) to the sql server. We are also opening several ports from the IIS server to the APP server which hosts WCF services.
My understanding was that a DMZ was meant to protect internal private networks and that these networks should not be accessible from the DMZ but we are now opening up ports to both our APP and DB servers so they are accessible from the DMZ. In the end most of our servers are accessible from the IIS server via certain ports.
We originally wanted to setup our SQL server for AD authentication only but since our IIS server is in the DMZ and has no AD access we will be forced to enable mixed mode authentication in SQL server. This might be another security issue in it's own since we are now forced to store passwords somewhere on the IIS server to be able to auth against sql server.
Are we not perhaps missing the idea of a DMZ?
So with a system where you have a DMZ, there is also a firewall involved.
So your system should look like this I think:
SQL-server hosting internal data
Other servers needed for the company
---- firewall ----
SQL-server hosting data for web solution
AD-server (if needed)
Web-server
FTP-server (could be on the web server also)
With this setup you don't expose company-sensitive database to the outside world and you also don't open up a port in the firewall making it possible for attackers to (maybe) get access to the internal database which has company sensitive data...
Just my suggestion based on the information provided.
Related
How do I make connection to an AWS hosted database, and pull or query data into a local or Azure hosted SQL server DB? Can I be directed to the right place or resource?
Thanks.
There's nothing special about the fact that they're in AWS or Azure VMs. For this to work, you need TCP/IP connectivity from your client to the server, and you need port 1433 to not be blocked along the way.
The VM in AWS or Azure needs to have an externally visible IP address, or you need to be connecting via a VPN to the internal network of the cloud-hosted system. The operating system on that VM that's hosting SQL Server needs to have a firewall rule that allows port 1433 inbound.
Once you can do that, you can then just set up a Linked Server on your end, that refers to the SQL Server at the other end. That will allow you to query the tables on the server via 4 part names i.e. linkedservername.databasename.schemaname.tablename.
If you have SQL Server with the same collation at both ends, also ensure you set "collation compatible" on the linked server configuration. (It can make a huge performance difference)
Our infrastructure team has worked to configure a site-to-site Azure VPN connection between our Azure subscription and our on-prem firewall, essentially following these steps. To test this, we've created a simple Azure web app that makes a query against a SQL Server that is located on-prem behind the firewall.
This web app works locally with no issues. Furthermore, the same code and connection string, when compiled as a console application and run on an Azure virtual machine, works correctly as well. But when deployed to the web app in Azure, the connection to the SQL Server fails:
[Win32Exception (0x80004005): The wait operation timed out]
[SqlException (0x80131904): A network-related or instance-specific
error occurred while establishing a connection to SQL Server. The
server was not found or was not accessible. Verify that the instance
name is correct and that SQL Server is configured to allow remote
connections. (provider: TCP Provider, error: 0 - The wait operation
timed out.)]
Both the Azure VM and web app are configured to point to the Azure VNet. It seems like something is preventing the web app from communicating with the SQL Server on its default port (1433). If I open up the web app's debug console and do a tcpping at the SQL Server with the default port (80), it returns successfully. But a tcpping to port 1433 times out.
It doesn't appear that the Azure Network Security Group is blocking that port:
The only solutions I've found that are relevant to our specific setup basically boil down to "use Azure Hybrid Connections instead", which would not be our first choice.
After working with Microsoft's support, the following changes were made and the VNet integration is working now. I apologize for the lack of detail on some of these, but our infrastructure team did most of the troubleshooting. Hopefully, some of these items will help point someone else the direction of a solution for their setup:
Initially, the connection was being made through public internet and not the VNET Integration and VPN. We identified that the VNET integration was failing due to the tunnel type being used. Azure App Service has a requirement that the tunnel type is SSTP. Once we changed it and synced the network, we were able to tcpping the SQL Server through its private IP.
We noticed it had to allow on the on-premises Network the point-to-site address pool. As a workaround, we decided to use the New VNET Integration (Preview). We created an empty subnet and were able to use this new feature.
We noticed then the App Service was not using the custom DNS. To resolve this, we added the DNS on the Virtual Network and also in the App Settings ("WEBSITE_DNS_SERVER") for the web app.
When you're creating an SQL server on Azure, there is the option to
"ALLOW WINDOWS AZURE SERVICES TO ACCESS THE SERVER."
Does this mean that some other application (other than my own applications) hosted on Azure, like a website, can access my sql server?
There is username password, of course, but I'm afraid they can be brute forced.
Is this a legitimate concern?
Yes, "Allow access to Azure services" is a shortcut that allows any Azure-hosted service through the firewall (though the other service still needs to know the server name and a SQL Authentication username/password, as you mention). This shortcut is for convenience, since your app's IP address can change if the VMs in your cloud service fail over or shut down.
To avoid using this shortcut, you could create a reserved virtual IP address (VIP) for your cloud service. This allows your app to have a persistent public IP address, which you can specifically and selectively allow through the server firewall for your SQL Database.
I want to access SQL server via an application (it is a desktop application) which is installed on remote location, where as SQL server installed in Main Office, where other applications are also accessing same SQL server on LAN.
Is it possible to do it?
Yes, technically this is not problem. Once installed, SQL Server will react both on the internal IP and external - if the Firewall is configured to forward SQL-Server Traffic (TCP 1433).
BUT - from security point it's not a good idea to expose your SQL Server directly to the internet. In the past there have been several security problems that would have exposed more than you wanted to expose. I would suggest external users, not inside your LAN use a VPN Connection to get inside your internal Network. I work every day over VPN with SQL Server and it's stable and secure.
I am setting up a system that runs on Azure but needs to access an on-premises SQL Server. I've built it out as detailed in this article. This calls for me opening port 1433 to the world which looks like a serious security problem. Is there any way to open that port and still have it secure (I know that I can have complex user ids and passwords and everything, but is there a better way to secure SQL Server)
The connection between your on-premises DB and Windows Azure Connect will be secure by default via the IPSEC protocol
"Windows Azure Connect uses industry-standard end-to-end IPSEC
protocol to establish secure connections between on-premise machines
and roles in the cloud. Unlike a traditional Virtual Private Network
(VPN), which establishes secure connectivity at gateway level, Windows
Azure Connect offers more granular control by establishing secure
connections at a machine and role level."
http://blogs.msdn.com/b/usisvde/archive/2012/03/14/windows-azure-security-best-practices-part-6-how-azure-services-extends-your-app-security.aspx
Your DB won't be publicly available, only VM's on the Azure Connect will be able to see it.
Your traditional firewall and on-premises security policies and procedures will still hide your DB in your Enterprise Environment, all you are doing is giving Windows Azure VM (Roles) the ability to see it.
I saw the comment discussion on #user728584's answer about opening port 1433. Port 1433 has nothing to do with Azure Connect, which is essentially a VPN tunnel between on-prem boxes and a collection of Windows Azure role instances. Azure Connect requires an agent to be installed on any on-prem server you're adding to the Connect Group and doesn't require an inbound port to be opened. In your case, you'd add the agent to your SQL Server box, which would then be part of the connect group and accessible directly from your Windows Azure Role instances (for the roles you add to the group). The Connect Agent then establishes the tunnel.
The Connect Agent has a special key baked in, generated for you, making it unique. But even if someone somehow obtained the installer for your specific Connect Agent, it wouldn't help at all, as you still need to add that node to the Connect Group. So, this is a secure setup.