1

There are the following parameters: I use the FirebirdSql.Data.FirebirdClient library in ASP.NET. Now, at the test level, I connect to the remote database using the line:

string workbase = "Server=<public ip>;Port=<port>;User=sysdba;Password=masterkey;Database=C:/path/db.FDB";

Further are connection methods, requests, transactions, commits, etc.

string sqlcardpin = $"SELECT.....";
var connection = new FbConnection(workbase);

Question: is it safe? Is traffic encrypted? Where can I read about it? How should I connect?

From my modest brain efforts, the following goes: I need to have a service in a local network with a database, to which a secure connection goes, and this service has credentials for connecting to the database and performs operations with it. Maybe I'm wrong; please correct me.

Mark Rotteveel
hamaronooo

2 Answers

4

If 'public ip' is a publicly routed IP address, and port 3050 is open to the whole world, that is not safe. Don't expose your database server to the world, it will create a very wide attack surface to get at your data.

For example, Firebird 2.5 and earlier have a very weak authentication system (max 8 character passwords), and while Firebird 3 introduces a new, more secure authentication mechanism that allows much longer passwords, for various reasons, a lot of servers are still configured with the weak authentication (also) enabled. Also consider bugs that might allow people to circumvent authentication, or that could allow people to remotely crash your database server, etc.

As to encryption, Firebird 2.5 and earlier have no encryption of the connection. This was introduced in Firebird 3, and only for connections authenticating with the new SRP (Secure Remote Password) authentication mechanism, and only if the WireCrypt setting of the server is Required or Enabled and the client actually requests authentication. For C#, this requires Firebird ADO.net provider version 7.0.0.0 or higher. However, the wire protocol encryption offered in Firebird 3 is the relatively insecure RC4 encryption; Firebird 4 will introduce ChaCha-20 as an alternative wire protocol encryption.

So, your database should be on the same network as your application, preferably on an IP address that is not routable over the internet (i.e. in one of the private ranges), or at least shielded from the internet by a firewall. If for some reason you need to connect to a remote database over the internet, do not expose the database directly to the internet, but use a VPN solution, or maybe something like an SSH-based tunnel.

And as corradolab points out in their answer, don't use masterkey as a password for SYSDBA. In fact, don't use SYSDBA for your application to connect, but create a specific user and assign it the necessary but minimal rights for it to do its work.

Mark Rotteveel
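The recommendations in the answer above (no SYSDBA/masterkey, a non-public address, wire encryption required) can be enforced at the point where the connection string is built. This is an added example, not code from the answers or from the Firebird project; the class name, the `FB_APP_USER`, `FB_APP_PASSWORD` and `FB_DATABASE` environment variable names, and the restriction to IP literals are assumptions. It needs provider version 7.0.0.0 or higher and a Firebird 3 server using SRP authentication.

```csharp
using System;
using System.Net;
using FirebirdSql.Data.FirebirdClient;

static class FirebirdConnectionFactory // hypothetical helper name
{
    // Builds a connection string for a dedicated, least-privileged account.
    // The environment variable names below are assumptions for this example.
    public static string BuildConnectionString(string host, int port)
    {
        string user = Environment.GetEnvironmentVariable("FB_APP_USER") ?? "";
        string password = Environment.GetEnvironmentVariable("FB_APP_PASSWORD") ?? "";
        string database = Environment.GetEnvironmentVariable("FB_DATABASE") ?? "";

        if (user.Length == 0 || password.Length == 0 || database.Length == 0)
            throw new InvalidOperationException("Database settings are not configured.");
        if (user.Equals("SYSDBA", StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException("Use a dedicated application user, not SYSDBA.");
        if (password == "masterkey")
            throw new InvalidOperationException("The default password must not be used.");
        if (!IsPrivateOrLoopback(host))
            throw new InvalidOperationException("Connect over the private network, a VPN or a tunnel.");

        var builder = new FbConnectionStringBuilder
        {
            DataSource = host,
            Port = port,
            UserID = user,
            Password = password,
            Database = database,
            WireCrypt = FbWireCrypt.Required // refuse a connection that is not encrypted
        };
        return builder.ToString();
    }

    // True for loopback (e.g. the local end of an SSH tunnel) and RFC 1918 IPv4 ranges.
    static bool IsPrivateOrLoopback(string host)
    {
        if (!IPAddress.TryParse(host, out var ip)) return false; // example accepts IP literals only
        if (IPAddress.IsLoopback(ip)) return true;
        byte[] b = ip.GetAddressBytes();
        if (b.Length != 4) return false; // non-loopback IPv6 is rejected in this example
        return b[0] == 10
            || (b[0] == 172 && b[1] >= 16 && b[1] <= 31)
            || (b[0] == 192 && b[1] == 168);
    }
}
```

The result is passed to `new FbConnection(...)` in place of the hard-coded `workbase` string from the question.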
4

You didn't say if the web server and the database server are on same or different site, but, anyhow,

do not expose a database server to the public Internet.

If web and database server are in different sites, consider using a firewall (on the database) to allow connection only from the web server address or a VPN between the two sites.

If they are in the same site, expose only the web server to the Internet (put it in DMZ) and keep the traffic to and from the database server on the private LAN.

BTW Having Firebird on the Internet using sysdba/masterkey is like going around with "kick me" written on your back. Don't be surprised if it hurts. :)

corradolab
  • Thank you very much. So, if you can, please give me some links where I can read about so practice realization? Thank you. – hamaronooo Aug 05 '20 at 14:14
  • Broad request, and practical implementation depends on your actual environment, but to get you started: https://networklessons.com/cisco/ccna-routing-switching-icnd2-200-105/introduction-to-vpns https://www.acrosec.jp/dmz-intro/?lang=en – corradolab Aug 07 '20 at 11:23