Quick intro: Small company, VERY limited resources. I pretty much do everything including take out the trash.

We've been running an instance of MySQL internally for years and it's worked OK, but I think this is largely just good luck. We have several client computers that are deployed to vendor locations and at times trade shows. These client machines need access to the database. Currently we are facilitating the secured access through a VPN to our network. Our firewall does not have a hole open for MySQL.

The VPN solution is a pain and has its own security implications. I'm also increasingly nervous about keeping my own MySQL instance online and available. I came across Amazon AWS's RDS service and it sounded PERFECT! However, I ran up against the security group issue right away and realized that I would need to grant full, unlimited access to all IPs due to the fact that I have no control over the IP ranges of the client machines. Trust me on this one, I have no idea what their IPs will be.

I've read that it is a very bad practice to expose a DB to the public and that when you absolutely must do this it's better to deploy a web services API to the DB. It would be nice to do this, but there is no way that I have the time (at this time) to write a web services endpoint for all our applications.

So finally.... my question: What are the threats that we would face by exposing our DB instance to all IPs? We aren't a bank, we aren't a public company - no one even really knows about us so it seems that a targeted attack is unlikely. However I'm completely ignorant of security threats and "what's out there" - are there threats that scan all IP ranges looking for a server to respond, then when it does they attack "just for fun"?

To be clear, I KNOW this is against best practices and I don't need a lecture, I'm looking for real-world advice on the likeliness of attack - if that's possible to determine.

BTW, I found this question and it is related but not exactly what I need. I just wanted to include it so that others don't respond by linking to it. Public Amazon RDS database?

Steve K
  • Maybe ask on http://security.stackexchange.com – HTTP500 Sep 08 '11 at 17:01
  • Perhaps consider using server *and* client-side SSL certificates with MySQL instead of VPN. See: http://dev.mysql.com/doc/refman/5.0/en/secure-create-certs.html – HTTP500 Sep 08 '11 at 17:29
  • Thanks for the link, I hadn't thought of that and it just may be a good option. – Steve K Sep 08 '11 at 23:58
  • Number one attack vector will be injection attacks, so depending on your code you may be somewhat secure. BTW, in the past I've left a few DB servers exposed on the internet as honeypots to see what would happen. The only thing that I did was create a strong password and use code that was mostly impervious to SQL injection attacks; had lots of attempts but no successful hacks... – tony roth Sep 09 '11 at 04:35
  • @tony - no web apps, just WinForm and WPF clients with authenticated access by my employees only. So even less of an injection threat. Still, it's possible... – Steve K Sep 09 '11 at 04:38
  • Sorry, number one attack vector is weak passwords. Is authentication controlled via AD? – tony roth Sep 09 '11 at 04:40
  • Sorry, jumped in without reading carefully: MySQL, not MS SQL... – tony roth Sep 09 '11 at 04:45
  • Not totally familiar with MySQL, so I don't know what its password policy capabilities are... – tony roth Sep 09 '11 at 04:47
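As an added illustration of HTTP500's suggestion above (example configuration, not part of the original thread): on a self-managed MySQL server whose CA you control, set up per the linked manual page, the account itself can refuse any connection that does not present a client certificate issued by that CA, and be limited to the tables the WinForm/WPF clients need. The account name, schema name, password and certificate subject values are placeholders; this is the CREATE USER form used by MySQL 5.7 and later (older servers attach the REQUIRE clause to GRANT instead).

```sql
-- Assumes my.cnf already points ssl-ca, ssl-cert and ssl-key at the
-- CA and server certificate created by following the linked manual page.

-- 1. The account may only log in over TLS, and only with a client
--    certificate signed by our CA that carries the subject we issued to
--    this particular client machine. Password alone is not enough.
CREATE USER 'app_client'@'%'
  IDENTIFIED BY 'REPLACE-WITH-STRONG-PASSWORD'
  REQUIRE SUBJECT '/C=US/O=Example Co/CN=tradeshow-laptop-01'
      AND ISSUER  '/C=US/O=Example Co/CN=Example Co Internal CA';

-- 2. Least privilege: only the application schema, no admin or FILE
--    rights, so a compromised client key cannot reach anything else.
GRANT SELECT, INSERT, UPDATE ON inventory.* TO 'app_client'@'%';

-- 3. Check what was granted, then confirm from a connected client
--    session that the link is actually encrypted (Ssl_cipher non-empty).
SHOW GRANTS FOR 'app_client'@'%';
SHOW STATUS LIKE 'Ssl_cipher';
```

Issuing one certificate per client machine (as in the CN above) means a lost laptop is handled by dropping that one account or revoking that one certificate, rather than by rotating a shared password.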

1 Answer

If it has a port open to the net, it's a target. As simple as that. There is a very hostile environment out there, and botnets provide plenty of resources to probe whatever lives on the net.

If you are in a hurry and the current solution is painful, but works, I wouldn't touch it. Give it more thought, research your options and don't act until you know what you are going to implement and why.

Paweł Brodacki
  • "If you are in a hurry and the current solution is painful, but works, I wouldn't touch it." <- That is sound advice, thanks. – Steve K Sep 09 '11 at 04:37