Firewall Wizards mailing list archives
Re: Best practice suggestions for SQL and mapped drive through firewalls
From: m p <sumirati () yahoo de>
Date: Mon, 4 Mar 2002 16:51:39 +0100 (CET)
Hi Stig,

--- "Ravdal, Stig" <stig.ravdal () digitalpaper com> wrote:
> The proposed solution is to map a drive through the firewall and from what I can understand it would suffice to open up TCP 139 on the firewall to do this (using NetBIOS over TCP/IP and ignoring UDP 137/138). Yeah it's not the most secure and I would appreciate any and all comments as to why one might NOT want to do this.
First: I do not know if there can be a connection when ports 137/138 are closed. The problem with NetBIOS is that the information transported is not only "file shares" but whole access to that machine via NetBIOS - you can use nbtstat and similar tools to get more information/do more things than wanted. In your email you did not make clear whether the users (your customer) have to map the network share or your database. If it is the database, think about redesigning the whole thing in a more secure and logical way. An application which needs a database should not need normal access to that machine.
> Connection to the Database would be using ODBC over TCP port 1433. I'm not sure if we can make the client ports static but I think so thus the firewall would be able to allow incoming connections from "web-server" port <static> to "database" port 1433 (or we might even suggest using a less well known port). I'm not sure what the outbound session may look like but if the firewall is stateful (and maybe with inspection) that may be less of a concern.
A static source port will not make it more secure (as far as I "feel"). Perhaps you can alter the destination port - that brings you "security through obscurity". But people argue whether that is any security in itself. In this case it is worth a shot to set the port to 1521 to "emulate" an Oracle DB ;) But if the "hacker" in the scenario gets that information, be more concerned about a secured database (machine). Here it is essential to strip off the rights of the database user(s) as much as possible - and keep track of the MS SQL Server security record.
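As an added example (not part of the original message or thread), a small Python audit of a firewall rule list for the exposures this thread discusses: NetBIOS ports 137-139 allowed across the firewall, TCP 1433 reachable from a source other than the web server alone, and reliance on a pinned source port. The rule format, addresses and names are constructed for illustration, and rule ordering (first match) is not modelled.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional

NETBIOS_PORTS = {137: "name service", 138: "datagram service", 139: "session service"}
MSSQL_PORT = 1433

@dataclass
class Rule:                      # hypothetical, vendor-neutral rule format
    action: str                  # "allow" or "deny"
    proto: str                   # "tcp" or "udp"
    src: str                     # source network in CIDR notation
    dst: str                     # destination network in CIDR notation
    dst_port: int
    src_port: Optional[int] = None   # None means any source port

def audit(rules, web_server, db_server):
    """Return (rule_index, finding) pairs; each allow rule is checked on its own."""
    web, db = ip_network(web_server), ip_network(db_server)
    findings = []
    for i, r in enumerate(rules):
        if r.action != "allow":
            continue
        src, dst = ip_network(r.src), ip_network(r.dst)
        if r.dst_port in NETBIOS_PORTS:
            findings.append((i, f"NetBIOS {NETBIOS_PORTS[r.dst_port]} "
                                f"({r.proto}/{r.dst_port}) allowed through the firewall"))
        if r.dst_port == MSSQL_PORT and dst.overlaps(db) and src != web:
            findings.append((i, "SQL port reachable from a source other than the web server alone"))
        if r.src_port is not None:
            findings.append((i, "source port pinned: chosen by the sender, so it adds no protection"))
    return findings

# Constructed sample ruleset (documentation and private address ranges).
WEB, DB = "192.0.2.10/32", "10.0.2.20/32"
RULES = [
    Rule("allow", "tcp", "0.0.0.0/0", DB, 139),                   # mapped drive
    Rule("allow", "tcp", WEB, DB, 1433, src_port=40000),          # ODBC, static client port
    Rule("allow", "tcp", "192.0.2.0/24", DB, 1433),               # whole DMZ to SQL
    Rule("deny", "udp", "0.0.0.0/0", DB, 137),
]

if __name__ == "__main__":
    for idx, msg in audit(RULES, WEB, DB):
        print(f"rule {idx}: {msg}")
```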