How secure is your SQL Server network design?


Kevin Beaver, CISSP
01.15.2008




No matter how you've hardened your SQL Server systems, a weak network design can still undermine the best of database security controls. It's easy to assume that all's well inside the network perimeter. The external firewall is all-protecting -- at least that's the common belief.

Firewall or not, database security weaknesses at the network layer are introduced for one simple reason: convenience. IT administrators have been in a constant battle between security and convenience, long before security was cool. Be it a less-visible internal system or an Internet-facing e-commerce application, the time and effort required to implement the solution ASAP often beat out any attempt to deploy things securely. It's the path of least resistance. It's "time to market." It's whatever it takes to get it done and then move on to put out the next fire. Sure, you reach a solution more quickly, but it's not good for business. We've all been guilty of such practices.

The convenience element is what leads to putting SQL Server systems on the network where they shouldn't be. Oftentimes, the servers are directly accessible from the Internet. I've recently seen this very thing: a SQL Server system directly accessible from the Internet – all because business partners needed easy access to the data. A better plan, such as a VPN, introduced too much of an, ahem, inconvenience. Suffice it to say the outcome was not good.

David Litchfield's Database Exposure Survey 2007 confirms that SQL Servers are exposed everywhere. According to Litchfield's research, there are around 368,000 SQL Servers directly accessible from the Internet -- the majority of which are not up to date on patches. What are people thinking? Apparently, the Slammer worm attack on easily accessed SQL Server systems years back wasn't a strong enough warning.

The Internet issue is obvious, but don't forget about the internal network. I hear about and see a lot of people "VLANing" everything, yet it's often very simple to track down and connect to SQL Server systems from anywhere inside the building. They're just sitting there – along with all the other servers and workstations – waiting to be poked, prodded and attacked by curious or rogue insiders. With all of the fancy security features built into the network switches, routers and firewalls on most networks, they're still not being used at even their most basic levels. Even old-fashioned packet filtering can do wonders to protect a SQL Server system – if it's used.

It doesn't really matter whether it's a critical enterprise application or a benign installation of SQL Server 2005 Express: every database counts. One compromised SQL Server system leads to attacks on others. Check all of your databases to see just how accessible they are. Look at them from every angle: in front of the firewall, behind the firewall and beside the firewall. It pays to use good tools too. SQLPing is a great start for finding live SQL Server systems. Once you track them down, move on to more advanced vulnerability scanners such as GFI LANguard Network Security Scanner and QualysGuard and, finally, database-specific scanners such as AppDetectivePro and NGSSQuirrel to find out how they can be exploited.
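The discovery tools named above work by asking the SQL Server Browser service on UDP port 1434 for the instances on a host, and the answer (the SVR_RESP message of the MS-SQLR protocol) lists each instance with its TCP port or named pipe. The following is an added example, not code from the article or from any of the tools it names: it parses those replies, reconciles them against an inventory of which network segments are supposed to reach each instance (the step the article asks for in "check all of your databases to see just how accessible they are"), and renders a host packet-filter rule for the exceptions. The sample replies, host addresses, segment names and the inventory are all constructed for the demonstration; the `netsh advfirewall` syntax is the real Windows Server 2008+ command.

```python
"""Added example: audit SQL Server Browser (UDP/1434, MS-SQLR) discovery
replies against an inventory of instances and the network segments allowed
to reach them. Sample data below is constructed, not captured."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

SVR_RESP = 0x05  # message type byte of a Browser service reply


@dataclass
class SqlInstance:
    server: str
    instance: str
    clustered: bool
    version: str
    tcp_port: Optional[int] = None    # only present when the TCP listener is on
    named_pipe: Optional[str] = None  # only present when named pipes are on


def parse_svr_resp(datagram: bytes) -> List[SqlInstance]:
    """Decode one SVR_RESP datagram: 1 byte type, 2-byte little-endian length,
    then ASCII 'key;value' pairs, each instance terminated by ';;'."""
    if len(datagram) < 3 or datagram[0] != SVR_RESP:
        raise ValueError("not an SSRP SVR_RESP datagram")
    (length,) = struct.unpack_from("<H", datagram, 1)
    text = datagram[3:3 + length].decode("ascii", errors="replace")
    instances = []
    for chunk in text.split(";;"):
        if not chunk:
            continue
        tokens = chunk.split(";")
        kv = dict(zip(tokens[0::2], tokens[1::2]))
        instances.append(SqlInstance(
            server=kv.get("ServerName", ""),
            instance=kv.get("InstanceName", ""),
            clustered=kv.get("IsClustered", "No") == "Yes",
            version=kv.get("Version", ""),
            tcp_port=int(kv["tcp"]) if "tcp" in kv else None,
            named_pipe=kv.get("np"),
        ))
    return instances


def audit(found: Dict[str, List[SqlInstance]], inventory: Dict[str, Set[str]],
          seen_from: str) -> List[str]:
    """One finding per instance that answered from a segment it should not be
    reachable from, or that is not in the inventory at all."""
    findings = []
    for host, instances in found.items():
        for inst in instances:
            key = f"{inst.server}\\{inst.instance}"
            if key not in inventory:
                findings.append(f"{host} {key}: not in inventory, unmanaged instance?")
            elif seen_from not in inventory[key]:
                findings.append(f"{host} {key}: reachable from {seen_from}, "
                                f"allowed only from {sorted(inventory[key])}")
    return findings


def firewall_rule(inst: SqlInstance, allowed_subnets: List[str]) -> Optional[str]:
    """Render a Windows host firewall rule (netsh advfirewall, Windows Server
    2008+) admitting the instance's TCP listener only from the given subnets.
    Relies on the default inbound policy being 'block'."""
    if inst.tcp_port is None:
        return None
    return (f'netsh advfirewall firewall add rule name="SQL {inst.instance}" '
            f"dir=in action=allow protocol=TCP localport={inst.tcp_port} "
            f"remoteip={','.join(allowed_subnets)}")


def _reply(text: str) -> bytes:
    """Build a constructed SVR_RESP datagram for the sample below."""
    body = text.encode("ascii")
    return bytes([SVR_RESP]) + struct.pack("<H", len(body)) + body


# Constructed sample: replies a discovery sweep run from the office LAN collected.
SAMPLE_REPLIES = {
    "10.1.50.10": _reply("ServerName;ERP01;InstanceName;MSSQLSERVER;IsClustered;No;"
                         "Version;9.00.3042.00;tcp;1433;;"),
    "10.1.50.11": _reply("ServerName;RPT01;InstanceName;MSSQLSERVER;IsClustered;No;"
                         "Version;9.00.3042.00;tcp;1433;;"
                         "ServerName;RPT01;InstanceName;STAGING;IsClustered;No;"
                         "Version;9.00.3042.00;tcp;49172;;"),
    "10.1.70.22": _reply("ServerName;DEVBOX7;InstanceName;SQLEXPRESS;IsClustered;No;"
                         "Version;9.00.1399.06;np;\\\\DEVBOX7\\pipe\\MSSQL$SQLEXPRESS\\sql\\query;;"),
}

# Constructed inventory: instance -> network segments allowed to reach it.
INVENTORY = {
    "ERP01\\MSSQLSERVER": {"app-tier"},
    "RPT01\\MSSQLSERVER": {"app-tier", "office-lan"},
    "RPT01\\STAGING": {"app-tier"},
}


def run_audit(replies=SAMPLE_REPLIES, inventory=INVENTORY, seen_from="office-lan"):
    found = {host: parse_svr_resp(data) for host, data in replies.items()}
    return audit(found, inventory, seen_from)


if __name__ == "__main__":
    for finding in run_audit():
        print(finding)
```

Run the same audit once per vantage point the article lists (in front of, behind and beside the firewall) and the findings tell you which segments can still reach which instance. Two things the sample illustrates: the STAGING instance on a non-default port is not hidden from anyone who can reach the Browser service, because the reply hands out the port, and the unmanaged SQLEXPRESS box on a developer workstation is exactly the "benign installation" the article warns counts as much as the enterprise one. Filtering UDP 1434 alongside TCP 1433 at segment boundaries is the cheapest form of the packet filtering the article recommends, since it removes the directory that makes the rest of the sweep trivial.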

Once you take a step back and look at the big picture, it'll be obvious just how important your network infrastructure is when it comes to protecting your databases. Find the flaws and plug the holes using network-layer controls whenever you can. You'll ward off internal and external attacks and be one step closer to reasonable and practical SQL Server security.

ABOUT THE AUTHOR:
Kevin Beaver is an independent information security consultant, speaker and expert witness with Atlanta-based Principle Logic LLC. He has nearly two decades of experience in IT and specializes in performing information security assessments regarding compliance and risk management. Kevin has authored/co-authored six books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley) as well as The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He's also the creator of the Security On Wheels information security audio programs providing security learning for IT professionals on the go. Kevin can be reached at kbeaver@principlelogic.com. Copyright 2008 TechTarget

