Tuesday, February 14, 2012

Design Help – Access SQL Database behind a firewall from ASP .NET pages.

Hi,

I am new to internet development and would like some advice on the technology used to access a SQL database that sits on a network behind a firewall.

** ASP .NET Page ** -> ** Web Server ** -> ** FIREWALL ** -> ** SQL **

So to give an example; from an ASP .NET page on the internet, I would like to populate a DataGrid with the contents of a single table from a SQL database. The SQL database is sitting on our company network behind a firewall.

Could someone please explain / point me in the right direction in how the ASP .NET page / Web Server can securely access the SQL database.

Thanking you in advance
Scott

The firewall needs to allow SQL access between the WebServer and the SQL server. This is usually port 1433. Only requests initiated by the webserver's IP should be allowed to get to the db server.

You could also put together some web services on SQL server to send back datasets through the firewall (assuming it's running IIS and the .NET Framework).

Then you would just need to open port 80 between the webserver and the SQL server. The webservices we run on our db server required an encrypted key as part of all method calls to ensure that only we can run them.

No matter which way you do it, you're opening a hole in your firewall for communication to occur between the two boxes.

Mbanavige – thanks for your reply. Can I confirm my understanding?

Option 1.
The firewall opens port 1433 with an additional rule to only allow the IP address of the web server to communicate on port 1433. As such this allows web server code to create a connection string to SQL? How would I fully qualify the connection string server property - <SQL Server NetBIOS Name><domain>?

Option 2.
Have a second web server (internal) running on the same box as the SQL server. The internal web server will host web services, which can be called from the external web server. This requires the opening of port 80. Further security is added with the use of an encrypted key required for all method calls. How is the encrypted key implemented?

Is there an industry preferred solution?

Is option 2 more secure against SQL attacks since SQL access is further controlled through the use of web services?

Thanking you again in advance for your replies.
Scott
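
On the Option 2 question of how a per-call key can be checked, here is one possible approach as an added example (not code from the thread or from the web services the reply describes): the external web server signs each call with HMAC-SHA256 over the method name, a timestamp and the arguments, and the internal service recomputes the tag before running anything. The class and method names, the `GetOrders` call and the five-minute window are hypothetical; it assumes the shared secret is provisioned on both boxes and that the call itself travels over TLS.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: per-call authentication for an internal web service using a
// shared secret and HMAC-SHA256. All names here are hypothetical.
public static class CallAuthenticator
{
    static readonly TimeSpan MaxSkew = TimeSpan.FromMinutes(5);

    // Caller (external web server): sign method name, timestamp and arguments.
    public static string Sign(byte[] key, string method, DateTime sentUtc, string args)
    {
        string message = method + "\n" + sentUtc.ToString("o") + "\n" + args;
        using (var hmac = new HMACSHA256(key))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(message)));
    }

    // Service (box behind the firewall): recompute the tag, reject stale or altered calls.
    public static bool Verify(byte[] key, string method, DateTime sentUtc,
                              string args, string tag, DateTime utcNow)
    {
        if ((utcNow - sentUtc).Duration() > MaxSkew) return false; // bounds the replay window
        byte[] expected = Convert.FromBase64String(Sign(key, method, sentUtc, args));
        byte[] actual;
        try { actual = Convert.FromBase64String(tag ?? ""); }
        catch (FormatException) { return false; }
        return FixedTimeEquals(expected, actual);
    }

    // Comparison that does not exit early on the first differing byte.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        // Constructed sample values, for demonstration only.
        byte[] key = Encoding.UTF8.GetBytes("constructed-demo-secret-not-for-use");
        DateTime sent = new DateTime(2012, 2, 14, 12, 0, 0, DateTimeKind.Utc);
        string tag = Sign(key, "GetOrders", sent, "customerId=42");
        Console.WriteLine(Verify(key, "GetOrders", sent, "customerId=42", tag, sent));             // untouched call
        Console.WriteLine(Verify(key, "GetOrders", sent, "customerId=43", tag, sent));             // arguments altered in transit
        Console.WriteLine(Verify(key, "GetOrders", sent, "customerId=42", tag, sent.AddHours(1))); // replayed an hour later
    }
}
```

The secret itself never crosses the firewall with the call; only the tag does, so a captured request cannot be reused with different arguments or after the time window closes.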
