5

I want to expose my SQL Server instance via the internet. I've been programming ASP.NET to SQL Server for a long time, but for the first time I'm hosting the SQL Server myself instead of on the client's server. So what I want to do is move my SQL Server from my dev machine at home to a virtual server (yet to hire). But of course I don't want just anyone to enter my SQL Server, only a few persons. So what I was thinking was to allow only a few IP addresses to the SQL Server instance.

Can anyone tell me how I can expose my SQL Server to the internet and limit the access to the instance to only a few IP addresses? And ehm, if you know even better ways to secure it, I'd be happy, because this is the first time for me :)

Michel

  • If you expose any SQL Server instance via the internet, be very careful that you know what you are doing and set it up correctly. A VPN would be preferred... – Mitch Wheat Mar 08 '10 at 14:27

3 Answers

2

You can use IPsec or the Windows Firewall to do this.

The version of Windows will determine how you do this. More recent versions, e.g. Windows Server 2008 and 2008 R2, expose this ability through the Windows Firewall in the control panel.

You'd want to make sure SQL Server is listening on a fixed port number, and then control access to that port by configuring a firewall rule to just allow a specific IP address (or subnet) to connect.

I did a similar thing for a SQL 2000 cluster running on Windows Server 2003. In that case we scripted a whole bunch of IPsec rules to allow only specific machines to be able to connect to the SQL port.

David Gardiner
  • I'm not really familiar with 'IPsec', is it possible to explain it in a few lines? – Michel Mar 17 '10 at 15:21
  • 1
    Usually IPsec is used to encrypt and/or authenticate packets. It is possible however to configure it to work like a 'whitelist' with encryption disabled - all packets are blocked except if you are from a specific IP address. See http://en.wikipedia.org/wiki/IPsec for a full description – David Gardiner Mar 26 '10 at 03:46
  • 1
    My comment about using IPsec was that from memory Win2K3's firewall didn't provide the amount of granularity to allow a defined set of IP addresses access. IPsec did provide this functionality. If you're using Win2K8 then the new 'Windows Firewall with Advanced Security' should allow you to achieve the same result with a nice GUI. – David Gardiner Mar 26 '10 at 03:50
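
The firewall approach from the answer above, written out as an added example (not code from any poster on this page): it scopes the SQL port to an allowlist and then checks for the two things that silently defeat such a rule. It assumes Windows Server 2012 or later (NetSecurity cmdlets), SQL Server fixed on TCP 1433, and a constructed rule name and client addresses.

```powershell
# Added example. Assumptions: NetSecurity module available (Server 2012+),
# SQL Server configured to listen on a fixed TCP port.
$SqlPort  = 1433                                   # assumed fixed port
$Allowed  = @('203.0.113.10', '198.51.100.0/24')   # constructed documentation addresses
$RuleName = 'SQL Server - allowlisted clients'     # hypothetical rule name

# Validate every entry before touching the firewall, so a typo cannot
# produce a wider scope than intended. The /8 floor is an example policy.
foreach ($entry in $Allowed) {
    $ip, $prefix = $entry -split '/', 2
    $parsed = $null
    if (-not [System.Net.IPAddress]::TryParse($ip, [ref]$parsed)) {
        throw "Not an IP address: $entry"
    }
    if ($prefix -and ($prefix -notmatch '^\d+$' -or [int]$prefix -lt 8)) {
        throw "Refusing prefix /$prefix in $entry (too broad or malformed)"
    }
}

# Replace any earlier copy of the rule, then create it scoped to the allowlist.
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule
$rule = @{ DisplayName = $RuleName; Direction = 'Inbound'; Action = 'Allow'
           Protocol = 'TCP'; LocalPort = $SqlPort; RemoteAddress = $Allowed; Profile = 'Any' }
New-NetFirewallRule @rule | Out-Null

# Allow rules are additive: another enabled rule that opens the same port to
# any remote address defeats the allowlist. List candidates for review.
# (Rules that cover the port through a range such as 1000-2000 are not matched.)
$tooBroad = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        $port.Protocol -in 'TCP', 'Any' -and
        ($port.LocalPort -contains "$SqlPort" -or $port.LocalPort -contains 'Any') -and
        $addr.RemoteAddress -contains 'Any'
    }
$tooBroad | Format-Table DisplayName, Profile

# The allowlist only matters if unmatched inbound traffic is dropped:
# show any profile that is switched off or defaults to allowing inbound.
Get-NetFirewallProfile |
    Where-Object { $_.Enabled -ne 'True' -or $_.DefaultInboundAction -eq 'Allow' } |
    Format-Table Name, Enabled, DefaultInboundAction
```

Run it from an elevated PowerShell session. Any rule in the first table, or any profile in the second, needs to be scoped or corrected before the allowlist actually restricts access.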
1

Install some SSH server on the box, then using PuTTY or any other SSH client, tunnel the SQL Server port over the SSH connection. Set the server's firewall to allow only SSH connections.

The clients will use the SSH tunnel to reach the server.

Another option would be to use some sort of VPN, but for a few persons, the SSH approach is better.

Sunny
0

You could install an ISA 2006 server, create a server publishing rule for SQL and then allow access to certain IPs from the internet. This to me is the most secure way to do this, as you are not exposing the SQL server directly on the internet. Instead the external IP of the ISA server is the one that is exposed to the outside world. Also, ISA acts as a firewall too. I have implemented this in my shop and things are working fine.

Eugene