I have a request to open TCP port 1433 on our firewall to allow a company to query a table on our SQL Server as part of a service they have been contracted to provide. The SQL Server is in our server VLAN, not the DMZ.
I am told the company will have read-only access to the table, and that a unique username and password have been created for this company.
I am thinking we would open the port if we can lock down access to just this company's public IP address(es). Otherwise, no go.
I don't know anything about SQL Server, SQL injection, etc. Is the above approach sufficient to protect our SQL Server? Am I correct in thinking that opening up TCP port 1433 to the public internet is a bad idea?
What other methods for granting the access needed by this company can I recommend to the project team?
Your intuition is correct in that opening 1433 to the internet from within your internal VLAN is incurring risk. Have you considered replicating the database to a system in the DMZ and providing the read-only access to that copy of the database? Take care.
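Whichever server ends up exposed (the production instance the question describes, or a DMZ copy as the answer suggests), the account the contractor connects with should be able to read exactly one table and nothing else. The T-SQL below is an added example, not code from the original question or answer, and every name in it is a placeholder assumption: database `Reporting`, table `dbo.VendorExtract`, login `vendor_ro`, and the password literal. It creates a SQL-authenticated login, maps it to a database user, grants SELECT on the single table, and then checks the result two ways: by listing the principal's permissions from the catalog views, and by impersonating the user to confirm that a query against any other table is refused.

```sql
-- Added example; all object names are assumptions, replace them with your own.
USE [master];
GO
-- SQL-authenticated login for the contractor. Password policy and expiration
-- enforced by the OS policy; the literal here is a placeholder.
CREATE LOGIN [vendor_ro]
    WITH PASSWORD = 'replace-with-a-long-random-password',
         CHECK_POLICY = ON,
         CHECK_EXPIRATION = ON,
         DEFAULT_DATABASE = [Reporting];
GO

USE [Reporting];
GO
-- Database user mapped to the login. Creating the user grants only CONNECT.
CREATE USER [vendor_ro] FOR LOGIN [vendor_ro] WITH DEFAULT_SCHEMA = [dbo];
GO
-- Grant SELECT on the one table only. Do NOT add the user to db_datareader,
-- which would expose every table in the database.
GRANT SELECT ON OBJECT::[dbo].[VendorExtract] TO [vendor_ro];
GO

-- Check 1: everything this principal holds in the database.
-- Expected rows: CONNECT on DATABASE, SELECT on OBJECT_OR_COLUMN dbo.VendorExtract.
SELECT pr.name                           AS principal_name,
       pe.permission_name,
       pe.state_desc,
       pe.class_desc,
       OBJECT_SCHEMA_NAME(pe.major_id)   AS schema_name,  -- NULL for the DATABASE row
       OBJECT_NAME(pe.major_id)          AS object_name   -- NULL for the DATABASE row
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr
  ON pe.grantee_principal_id = pr.principal_id
WHERE pr.name = N'vendor_ro';
GO

-- Check 2: run as the contractor and confirm only the intended table is readable.
-- [dbo].[SomeOtherTable] is an assumed name for any other table in the database;
-- the second SELECT should fail with error 229 (SELECT permission denied).
EXECUTE AS USER = N'vendor_ro';
SELECT TOP (1) * FROM [dbo].[VendorExtract];
BEGIN TRY
    SELECT TOP (1) * FROM [dbo].[SomeOtherTable];
END TRY
BEGIN CATCH
    SELECT ERROR_NUMBER() AS error_number, ERROR_MESSAGE() AS error_message;
END CATCH;
REVERT;
GO
```

This only limits what the account can do once connected; it does not change the exposure of port 1433 itself. Pair it with the firewall rule restricting 1433 to the contractor's source addresses that the question already proposes, and enable encryption on the instance so credentials and query results do not cross the internet in the clear.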