Internet access to internal SQL server (not in DMZ)

Copper Contributor

I have a request to open TCP port 1433 on our firewall to allow a company to query a table on our SQL server as part of a service they have been contracted to provide.  The SQL server is in our server vlan, not the DMZ.  


I am told the company will have read-only access to the table, and that a unique username and password has been created for this company.


I am thinking we would open the port if we can lock down access to just this company's public IP address(es).  Otherwise, no go.


I don't know anything about SQL server, sql injection, etc.  Is the above approach sufficient to protect our SQL server?  Am I correct in thinking that opening up TCP port 1433 to the public internet is a bad idea?


What other methods for granting the access needed by this company can I recommend to the project team?





1 Reply

Hi @garryholmberg --


Your intuition is correct in that opening 1433 to the internet from within your internal vlan is incurring risk.  Have you considered replicating the database to a system in the DMZ and providing the read-only access to that copy of the database?  Take care.