How secure is your SQL Server network design?

Firewall or not, database security weaknesses at the network layer are introduced for one simple reason: convenience. IT administrators have been in a constant battle between security and convenience, long before security was cool. Be it a less-visible internal system or an Internet-facing e-commerce application, the time and effort required to implement the solution ASAP often beat out any attempt to deploy things securely. It's the path of least resistance. It's "time to market." It's whatever it takes to get it done and then move on to put out the next fire. Sure, you reach a solution more quickly, but it's not good for business. We've all been guilty of such practices.

The convenience element is what leads to putting SQL Server systems on the network where they shouldn't be. Oftentimes, the servers are directly accessible from the Internet. I've recently seen this very thing: a SQL Server system directly accessible from the Internet – all because business partners needed easy access to the data. A better plan, such as a VPN, introduced too much of an, ahem, inconvenience. Suffice it to say the outcome was not good.

David Litchfield's Database Exposure Survey 2007 confirms that SQL Servers are exposed everywhere. According to Litchfield's research, there are around 368,000 SQL Servers directly accessible from the Internet -- the majority of which are not up to date on patches. What are people thinking? Apparently, the Slammer worm attack on easily-accessed SQL Server systems years back wasn't a strong enough warning.

The Internet issue is obvious, but don't forget about the internal network. I hear about and see a lot of people "VLANing" everything,

More on SQL Sever database security: SQL Server patch pros and cons Reorganize permissions in SQL Server 2005 step by step Logging for security compliance in SQL Server

yet, it's often very simple to track down and connect to SQL Server systems from anywhere inside the building. They're just sitting there – along with all the other servers and workstations – waiting to be poked, prodded and attacked by curious or rogue insiders. With all of the fancy security features built into the network switches, routers and firewalls on most networks, they're still not being used at even their most basic levels. Even old-fashioned packet filtering can do wonders to protect a SQL Server system – if it's used.

It doesn't really matter if it's a critical enterprise application or a benign installation of SQL Server 2005 Express, every database counts. One compromised SQL Server system leads to attacks on others. Check all of your databases to see just how accessible they are. Look at them from every angle: in front of the firewall, behind the firewall and beside the firewall. It pays to use good tools too. SQLPing is a great start for finding live SQL Server systems. Once you track them down, move on to more advanced vulnerability scanners such as GFI LANguard Network Security Scanner and QualysGuard and, finally, database-specific scanners such as AppDetectivePro and NGSSQuirrel to find out how they can be exploited.

Once you take a step back and look at the big picture, it'll be obvious just how important your network infrastructure is when it comes to protecting your databases. Find the flaws and plug the holes using network-layer controls whenever you can. You'll ward off internal and external attacks and be one step closer to reasonable and practical SQL Server security.

ABOUT THE AUTHOR:

Kevin Beaver is an independent information security consultant, speaker and expert witness with Atlanta-based Principle Logic LLC. He has nearly two decades of experience in IT and specializes in performing information security assessments regarding compliance and risk management. Kevin has authored/co-authored six books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley) as well as The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He's also the creator of the Security On Wheels information security audio programs providing security learning for IT professionals on the go. Kevin can be reached at kbeaver@principlelogic.com. Copyright 2008 TechTarget

Rate this Tip To rate tips, you must be a member of SearchSQLServer.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT SQL Server Security Hardening the network and OS for SQL Server security Securing the server and database in SQL Server SQL Server security made simple and sensible Blog: Protect your databases from the internal threat Setting up SQL Server Service Broker for secure communication The keys to database backup protection for SQL Server Understanding transparent data encryption in SQL Server 2008 The fine line between not encrypting your databases and breach notification Securing SQL Server with access control, login monitoring and DDL triggers SQL Server security: Controlling access via database roles SQL Server Database Modeling and Design Optimizing SQL Server indexes –- even when they're not your indexes Top tips and tricks for SQL Server database development Managing the development lifecycle with Visual Studio Team System 2008 A first look at Visual Studio Team System 2008 Database Edition Testing transaction log autogrowth behavior in SQL Server Top 10 SQL Server Tips of 2008 Tutorial: SQL Server indexing tips to improve performance Tutorial: Learn SQL Server basics from A-Z SQL Server database design disasters: How it all starts Can you shrink your SQL Server database to death? Database Administration Hardening the network and OS for SQL Server security Securing the server and database in SQL Server How SQL Server 2008 components impact SharePoint implementations Troubleshooting Distributed Transaction Coordinator errors in SQL Server Clearing the Windows page file and its effect on server performance Push vs. pull: Configuring SQL Server replication Setting up SQL Server Service Broker for secure communication Top load balancing methods for SQL Server Performance implications of transaction log autogrowth in SQL Server The keys to database backup protection for SQL Server RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary data corruption  (SearchSQLServer.com) data hiding  (SearchSQLServer.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.