Configuring Firewall Security

Applications often use non-standard ports to communicate with each other or to provide some common, shared service.  For example, this is usually how databases communicate with client applications, how license managers communicate with individual desktops, and how many client-server applications exchange data.  To operate, those ports must be open and accessible, frequently to the outside world.

Unfortunately, many IT organizations don't actively guard against attacks that use these unguarded ports, because most firewalls can't interpret proprietary application protocols and hence can't provide any level of authentication or access control for them.  Thus, these ports are left wide open, giving a malicious person the opportunity to attack your application with no safeguard other than your own application's built-in security.  If an attacker can dissect your application's proprietary protocol, you could be granting them unintended access to your database and other assets.

Applications built with Iron Speed Designer run in conjunction with a standard Microsoft IIS web server, which uses ports 80 and 443 to serve pages to application users.  Data collected from an application user is passed through the web server to the application and then to the database, using a standard N-tier architecture.  This permits standard firewall products to do what they do best: guard against attacks that use well-known standard protocols.

Firewall Security for Databases

These scenarios apply whether you use Iron Speed Designer or any other tool, such as Visual Studio .NET, to develop your application.

1. If your database server runs on the same machine as the Web server running your application, there is no need to open any ports in your firewall.  All communication between the Web server and your database stays within the same machine.

2. If your database server is running on a different machine behind your firewall, and your Web server is also inside your firewall, then opening ports in your firewall is likewise not an issue, because the database traffic never crosses it.  This is typically the scenario with internal (intranet) applications.

3. If your database server is running on a different machine behind your firewall, but your Web server is outside the firewall -- typically for external applications -- then the way most IT administrators configure this is to install two Network Interface Cards (NICs) in the Web server: one NIC connected to the external router and one connected to the internal router.  All traffic between the Web server and the database server takes place on the internal NIC, and all traffic with external users takes place on the external NIC.  (This is the scenario we use for our own applications.)

4. (Not recommended.) You can also open a port on your firewall for your external Web server to access the internal database server.  This is the scenario that you were asking about.
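As an added example that is not part of the original page, these are the Windows Firewall rules an administrator might apply on the database server for scenario 4 (the same restricted rule also fits the internal NIC of scenario 3). It assumes SQL Server listening on TCP 1433, the Web server's internal address 10.10.0.20 and the database server at 10.10.0.30; all three are constructed values. The wide-open rule is shown commented out beside the restricted one, followed by a check of which rules actually expose the port.

```powershell
# Run on the database server with administrative rights.
# Assumed (constructed) values: SQL Server on TCP 1433,
# Web server internal NIC = 10.10.0.20, database server = 10.10.0.30.

# Weak setting: any remote host that can reach this machine may connect
# to the database port. This is the "port left wide open" case.
# New-NetFirewallRule -DisplayName "SQL Server (open to all)" `
#     -Direction Inbound -Protocol TCP -LocalPort 1433 -Action Allow

# Corrected setting: only the Web server's internal address may connect,
# and only on the domain profile.
New-NetFirewallRule -DisplayName "SQL Server from Web server only" `
    -Direction Inbound -Protocol TCP -LocalPort 1433 `
    -RemoteAddress 10.10.0.20 -LocalAddress 10.10.0.30 `
    -Profile Domain -Action Allow

# Check: list every enabled inbound allow rule for port 1433 together with
# its remote address scope. A RemoteAddress of "Any" means the port is
# exposed to every host, not just the Web server.
Get-NetFirewallPortFilter |
    Where-Object { $_.LocalPort -eq 1433 } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' } |
    ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule   = $_.DisplayName
            Remote = $addr.RemoteAddress
            Local  = $addr.LocalAddress
        }
    }

# Verification from the Web server (run there, not on the database server):
# connection from the internal NIC should succeed.
# Test-NetConnection -ComputerName 10.10.0.30 -Port 1433 -InformationLevel Quiet
```

Run the same Test-NetConnection from a host that is not the Web server to confirm the port is refused there; if it connects, a broader rule is still in place and the listing above will show it.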

See Also

Configuring Your System for Application Security

Configuring Microsoft IIS and IIS Express for Application Security

Configuring IIS Express

Active Directory Role Management

Configuring Microsoft Active Directory

Microsoft Authorization Manager (AzMan) Role Management

Configuring Microsoft Authorization Manager (AzMan)

Microsoft SharePoint Authentication and Authorization

Data Transmission Encryption

Configuring Firewall Security

Handling SQL Injection Attacks