Forum Discussion

garryholmberg's avatar
garryholmberg
Copper Contributor
Jun 05, 2021

Internet access to internal SQL server (not in DMZ)

I have a request to open TCP port 1433 on our firewall to allow a company to query a table on our SQL server as part of a service they have been contracted to provide.  The SQL server is in our server vlan, not the DMZ.  

 

I am told the company will have read-only access to the table, and that a unique username and password has been created for this company.

 

I am thinking we would open the port if we can lock down access to just this company's public IP address(es).  Otherwise, no go.

 

I don't know anything about SQL server, sql injection, etc.  Is the above approach sufficient to protect our SQL server?  Am I correct in thinking that opening up TCP port 1433 to the public internet is a bad idea?

 

What other methods for granting the access needed by this company can I recommend to the project team?

 

 

 

 

  • Hi garryholmberg --

     

    Your intuition is correct in that opening 1433 to the internet from within your internal vlan is incurring risk.  Have you considered replicating the database to a system in the DMZ and providing the read-only access to that copy of the database?  Take care.

Resources