Chapter 11. Managing Microsoft SQL Services

Database services are essential in most organizations. As with other services you offer, you want to securely configure database access. Microsoft SQL is a relational database management system in use in many organizations. The Gauntlet Firewall includes a proxy that securely allows connections between Microsoft SQL clients on the inside network and servers on the outside network.

This chapter discusses the concepts behind the SQL Server proxy and explains how it works, how to configure it, and how to use Microsoft SQL services. The chapter consists of these sections:

  • Understanding the SQL Server Proxy

  • How the SQL Server Proxy Works

  • Accessing SQL Server Proxy Configuration

  • Configuring the Firewall for Microsoft SQL Services

  • Configuring Microsoft SQL Clients

  • Verifying Your Setup

Understanding the SQL Server Proxy

The SQL Server proxy is an application-level proxy that provides configurable access control, authentication, and logging mechanisms. The SQL Server proxy, which runs on the firewall, passes Microsoft SQL requests through the firewall (at the application level), using rules you supply. You can configure instances of the SQL Server proxy to service:

  • Microsoft SQL client-to-server communications

  • Microsoft SQL server-to-server communications

For each instance of the SQL Server proxy, you can configure the proxy to allow connections based on:

  • source IP address

  • source hostname

  • source port

  • destination IP address

  • destination hostname

  • destination port

Using these options, you can configure the firewall to allow Microsoft SQL clients on certain trusted hosts to access a Microsoft SQL server on an untrusted host. Employees working behind the firewall can access Microsoft SQL databases at customer sites. You can also configure the firewall to allow Microsoft SQL servers on opposite sides of the firewall to communicate. A Microsoft SQL replication server can communicate with another Microsoft SQL replication server on the other side of an intranet firewall.

You can configure the SQL Server proxy to allow Microsoft SQL clients on untrusted hosts to access Microsoft SQL servers on your trusted networks. According to most security policies, including the Gauntlet Firewall default, allowing untrusted hosts such access is not a good idea. If you must allow this sort of service, consider using client-side password encryption. Consider limiting the databases and data to which users have access, because all of the data is transferred unencrypted.

The proxies log all successful and unsuccessful connection attempts and the amount of data transferred.

These access controls give you far more control over connections to and from your systems than you would have without a firewall, and the logging is much more extensive.

How the SQL Server Proxy Works

The firewall runs different instances of the SQL Server proxy (mssql-gw) as daemons on different ports for different Microsoft SQL applications. Whenever the firewall receives a Microsoft SQL request on one of these ports, the SQL Server proxy checks its configuration information and determines whether the initiating host has permission to initiate this type of request. If the host does not have permission, the proxy logs the connection attempt and displays an error message.

If the host has permission, the proxy logs the transaction and passes the request to the destination host. The SQL Server proxy remains active until either side closes the connection.

The default service groups do not allow either inside or outside hosts to use the SQL Server proxy. The recommended configuration allows trusted hosts to access Microsoft SQL servers on untrusted networks. The recommended configuration does not allow untrusted hosts to access Microsoft SQL servers on trusted networks.

Although the SQL Server proxy does check that packets appear to be Microsoft SQL packets, this check is not authentication: someone could spoof the protocol. The SQL Server proxy does not perform any user authentication. You are relying on the authentication mechanisms of the Microsoft SQL server itself to control access to that server and its data.
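The permission check described above, together with the per-instance access-control options (source and destination address, hostname and port) from the previous section, as an added Python model. This is example code written for this chapter, not Gauntlet code: the field names mirror the Add SQL Server Services window, but the way it matches "*" wildcards and network/subnet entries, the sample policy, the hostnames and the log line wording are all assumptions of the model, not documented proxy behaviour.

```python
"""Model of the SQL Server proxy's per-connection permission check.

Added example for this chapter; it is not Gauntlet code.  The fields
mirror the Add SQL Server Services window (Port, Source Address, Remote
Host, Remote Port).  How "*" and network/subnet specifications are
matched, and the log line format, are assumptions of this model.
"""
import fnmatch
import ipaddress
from dataclasses import dataclass


@dataclass
class ConfigSet:
    name: str
    port: int               # port this proxy instance listens on (default 1612)
    source_addresses: list  # IPs, CIDR networks, or hostnames (may contain *)
    remote_hosts: list      # same forms, for the destination
    remote_port: int        # port on the remote Microsoft SQL server


def spec_matches(spec, ip, hostname):
    """True if one Source Address / Remote Host entry matches a peer.

    A spec that parses as an IP address or network matches by address;
    anything else is treated as a hostname pattern where * is a wildcard
    (assumption: fnmatch semantics, case-insensitive for hostnames).
    """
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    except ValueError:
        pass  # not an address/network spec: fall through to pattern matching
    if fnmatch.fnmatchcase(ip, spec):
        return True
    return hostname is not None and fnmatch.fnmatchcase(hostname.lower(), spec.lower())


def check_connection(config_sets, proxy_port, src_ip, src_host, dst_ip, dst_host, dst_port):
    """Decide whether the proxy instance on proxy_port relays this connection.

    Returns (allowed, log_line).  The default is deny, as with the default
    service groups: a connection is relayed only if some configuration set
    bound to this port matches the source, the remote host and the remote port.
    """
    for cs in config_sets:
        if cs.port != proxy_port:
            continue
        if not any(spec_matches(s, src_ip, src_host) for s in cs.source_addresses):
            continue
        if not any(spec_matches(r, dst_ip, dst_host) for r in cs.remote_hosts):
            continue
        if cs.remote_port != dst_port:
            continue
        return True, (f"mssql-gw[{proxy_port}]: permit {src_ip} ({src_host}) -> "
                      f"{dst_ip}:{dst_port} via set {cs.name}")
    return False, (f"mssql-gw[{proxy_port}]: deny {src_ip} ({src_host}) -> "
                   f"{dst_ip}:{dst_port}: no matching configuration set")


# Constructed sample policy (hostnames and addresses are made up): inside
# clients may reach one customer's SQL server, and one inside replication
# server may talk to one partner replication server on a second proxy port.
SAMPLE_SETS = [
    ConfigSet("customer-db", 1612, ["10.1.0.0/16"], ["*.customer.example.com"], 1433),
    ConfigSet("replication", 1613, ["10.2.5.10"], ["repl2.partner.example.net"], 1433),
]


if __name__ == "__main__":
    cases = [
        # trusted client to the customer's server: permitted
        (1612, "10.1.4.7", "ws42.corp.example.com", "192.0.2.10", "sql.customer.example.com", 1433),
        # untrusted host trying to reach an inside server: denied
        (1612, "198.51.100.5", "outside.example.net", "10.1.9.9", "db1.corp.example.com", 1433),
        # wrong inside replication server on the replication port: denied
        (1613, "10.2.5.11", "other.corp.example.com", "203.0.113.8", "repl2.partner.example.net", 1433),
    ]
    for case in cases:
        allowed, line = check_connection(SAMPLE_SETS, *case)
        print(line)
```

The point the model makes explicit is that an untrusted source is denied not by a special rule but simply by the absence of any configuration set that matches it; keeping configuration sets narrow (specific source networks, a specific remote host and remote port) is what preserves that default.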

Accessing SQL Server Proxy Configuration

To access the SQL Server proxy configuration:

  1. From within the Gauntlet Firewall Manager, click Services.

  2. Click the SQL Server tab.

    The SQL Server window displays.

    Figure 11-1. SQL Server Window


Configuring the Firewall for Microsoft SQL Services

Configuring the Gauntlet Firewall involves planning, configuring the proxies to enforce company security policy, and enabling the proxy.

Planning SQL Server Proxy Settings

When planning the Microsoft SQL service proxy:

  • Determine which Microsoft SQL servers users need to access. Determine whether you want to limit access to a particular server or not. Obtain host name or IP address information for each server.

  • For each server, determine the port(s) on which the server accepts connections.

  • Determine which external hosts can use these services.

  • Determine which internal hosts can use these services.

Configuring SQL Server Proxy Settings

Configure the SQL Server proxy to enforce company security policies.

To configure SQL Server proxy settings:

  1. In the SQL Server window, configure the SQL Server proxy settings.

    SQL Server Service is

    Select Enabled or Disabled.

    Child Limit

    Maximum number of child processes the SQL Server proxy allows to run at a given time.

    Timeout

    Number of minutes the connection can be idle before it is disconnected.


  2. Add SQL Server configuration sets as appropriate.

To add an SQL Server proxy configuration set:

  1. In the SQL Server window, click Add.

    The Add SQL Server Services window displays.

    Figure 11-2. Add SQL Server Services Window


  2. Provide information about the hosts on which you are running the Microsoft SQL service.

    Name

    Name for this SQL Server configuration set.

    Description

    Description for this SQL Server configuration set.

    Port

    Port number on which the proxy runs. The default is 1612.

    Use a reserved Port

    Check if you are using a reserved port, one with a port number less than 1023.

    Source Address

    IP addresses of hosts from which connections can originate. Specify single hosts, entire networks, or subnets. Specify by IP address or host name. The wildcard * is valid in hostnames.

    Remote Host

    IP addresses of the host to which the SQL Server proxy connects. Specify single hosts, entire networks, or subnets. Specify by IP address or host name. The wildcard * is valid.

    Remote Port

    Port on the remote host to which the SQL Server proxy connects.

    Use IP of originating host source

    Check to use the IP address of the originating host as the source address. Leave blank otherwise.


  3. Click OK.

    The SQL Server window re-displays.

To modify an existing configuration set:

  1. In the SQL Server window, select the configuration set you wish to modify.

  2. Click Modify.

    The Modify SQL Server Services window displays.

  3. Make the desired modifications to the configuration set.

  4. Click OK.

    The SQL Server window re-displays.

To delete a configuration set:

  1. In the SQL Server window, select the configuration set you wish to delete.

  2. Click Delete.

    The configuration set disappears from the list of configuration sets.

Enabling SQL Server Proxy Services

To enable the SQL Server proxy service:

  1. In the SQL Server window, make sure Enabled is selected.

  2. Add the SQL Server proxy configuration to each service group that should be able to use the Microsoft SQL proxy.

  3. Before exiting the Gauntlet Firewall Manager, save and apply your changes.

    The firewall enables the SQL Server proxy.

Configuring Microsoft SQL Clients

Add or modify the interfaces file on the client to provide information about the Microsoft SQL server.

To configure Microsoft SQL clients:

  1. Specify the port number you selected for the SQL Server proxy.

  2. If you are using transparency (the default configuration), specify the hostname as the hostname of the actual system running the Microsoft SQL server. If you are not using transparency, specify the hostname as the IP address of the firewall.

    If you are using server-to-server communications, configure all servers as clients. Consult the Microsoft SQL administration documentation for further information on configuring clients for accessing servers.

Verifying Your Setup

To verify your setup, use the Microsoft SQL client on a trusted host to run a simple query against the Microsoft SQL server on the untrusted host. Watch the logs on the firewall for error messages.
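A small connectivity check for this verification step, added here as example code that is not part of the Gauntlet manual. It picks the client's connection target the way the client configuration section describes (the real server's hostname with transparency, the firewall's IP address without it, the proxy port in both cases) and confirms that the target accepts a TCP connection on that port. Running the actual query and watching the firewall logs still happens in the Microsoft SQL client and on the firewall; the hostnames and addresses in the block are constructed.

```python
"""Connectivity check for the chapter's verification step.

Added example; not part of the Gauntlet manual.  It only confirms that the
client's connection target accepts a TCP connection on the proxy port.
Hostnames and addresses used below are constructed.
"""
import socket


def client_target(transparent, server_hostname, firewall_ip, proxy_port):
    """Host and port the Microsoft SQL client must be configured with.

    With transparency (the default) the client names the real server;
    without it, the client names the firewall.  The port is always the
    port chosen for the SQL Server proxy, never the server's own port.
    """
    host = server_hostname if transparent else firewall_ip
    return host, proxy_port


def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, or name lookup failed
        return False


def verify_setup(transparent, server_hostname, firewall_ip, proxy_port):
    """Return a small report: where the client connects and whether it could.

    A False result means the proxy port is not reachable at all (proxy not
    enabled, changes not applied, or wrong target); a True result only means
    the port answered, so the query and the firewall log still need checking.
    """
    host, port = client_target(transparent, server_hostname, firewall_ip, proxy_port)
    return {"target": f"{host}:{port}", "tcp_connect": tcp_reachable(host, port)}


def start_local_listener():
    """Stand-in for a listening proxy port on this machine (offline testing only)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Constructed values: replace with your server, firewall and proxy port.
    print(verify_setup(True, "sql.customer.example.com", "192.0.2.1", 1612))
```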