Internet access to internal SQL server (not in DMZ)


I have a request to open TCP port 1433 on our firewall to allow a company to query a table on our SQL Server as part of a service they have been contracted to provide. The SQL Server is in our server VLAN, not the DMZ.

I am told the company will have read-only access to the table, and that a unique username and password have been created for this company.

I am thinking we would open the port if we can lock down access to just this company's public IP address(es). Otherwise, no go.

I don't know anything about SQL Server, SQL injection, etc. Is the above approach sufficient to protect our SQL Server? Am I correct in thinking that opening up TCP port 1433 to the public internet is a bad idea?

What other methods for granting the access needed by this company can I recommend to the project team?
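The post describes two controls: a firewall rule limiting the source IP, and a unique read-only account. The firewall rule is network-side; the account side is where "read-only access to the table" has to be made true rather than assumed. The T-SQL below is an added example, not from the original thread or from the poster's environment. It creates a SQL authentication login, maps it to a database user with no role membership, grants SELECT on a single table and nothing else, and then impersonates the account to verify its effective permissions. The database name `VendorData`, table `dbo.ContractReport`, login `vendor_reader` and the password are all placeholders to be replaced.

```sql
-- Added example (not from the original thread): least-privilege SQL Server
-- account for an external party that needs SELECT on exactly one table.
-- Assumed placeholder names: database [VendorData], table [dbo].[ContractReport],
-- login/user [vendor_reader]. Replace the password with a generated one.

USE [master];
GO
-- SQL authentication login. CHECK_POLICY = ON applies the host's Windows
-- password complexity and lockout policy to this login.
CREATE LOGIN [vendor_reader]
    WITH PASSWORD = N'<replace-with-generated-password>',
         CHECK_POLICY = ON,
         DEFAULT_DATABASE = [VendorData];
GO

USE [VendorData];
GO
-- Map the login to a database user. A new user starts with only the
-- permissions of the public role, i.e. CONNECT and nothing on tables.
CREATE USER [vendor_reader] FOR LOGIN [vendor_reader] WITH DEFAULT_SCHEMA = [dbo];
GO

-- Grant SELECT on the one table only. Do not use db_datareader: that fixed role
-- grants SELECT on every table and view in the database, which is far wider
-- than "read-only access to the table".
GRANT SELECT ON OBJECT::[dbo].[ContractReport] TO [vendor_reader];
GO

-- Verification: impersonate the account and list what it can actually do.
-- fn_my_permissions returns one row per effective permission on the securable.
EXECUTE AS USER = 'vendor_reader';

-- Expect SELECT on the table (plus one SELECT row per column); no INSERT,
-- UPDATE, DELETE, ALTER or CONTROL rows should appear.
SELECT entity_name, subentity_name, permission_name
FROM   fn_my_permissions('dbo.ContractReport', 'OBJECT')
ORDER  BY permission_name, subentity_name;

-- Expect CONNECT only at database scope; no CREATE TABLE, ALTER, etc.
SELECT permission_name
FROM   fn_my_permissions(NULL, 'DATABASE')
ORDER  BY permission_name;

REVERT;
GO

-- Ongoing check: any login that gains membership in db_datareader, db_owner
-- or a server role later would silently widen "read-only". This query should
-- return no rows for vendor_reader.
SELECT r.name AS role_name, m.name AS member_name
FROM   sys.database_role_members rm
JOIN   sys.database_principals r ON r.principal_id = rm.role_principal_id
JOIN   sys.database_principals m ON m.principal_id = rm.member_principal_id
WHERE  m.name = N'vendor_reader';
GO
```

Run the verification block again after any schema or permission change; a GRANT at schema or database level made later (for example by a deployment script) would show up in the `fn_my_permissions(NULL, 'DATABASE')` result, which is the quickest way to notice that the account is no longer confined to the one table.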
1 Reply

Hi @garryholmberg --

Your intuition is correct in that opening 1433 to the internet from within your internal VLAN is incurring risk. Have you considered replicating the database to a system in the DMZ and providing the read-only access to that copy of the database? Take care.