
Question about Firewall operation


Question

We are running an SQL server in our office, every user is running a custom software that is fed by the SQL.

We have a firewall on our server, with IP addresses allowed for remote access using the custom software.

However, as you all would know, if the IP address changes, we lose access until someone calls in with the new IP address so we can add it to the safe list and manually remove the old IP address, but this is not an option during off-hours.

Adding an IP range would be too risky. Having individual users run GoToMyPC or VNC would be a training nightmare, as some of the users have no clue about the operation of a firewall or a remote connection. (Not only would they need to be trained on remote connection, but we would also have to allow them to modify firewall settings and access our server as administrator.)

I thought about MAC address related blocking/safe-list, but I assume that's not really an option.

Are there any firewalls (software or hardware) that use secure encrypted certificates on each workstation/laptop to allow remote access?

Or a firewall that has small remote clients that run continuously on Windows, allowing the firewall to let them into the network?

Any suggestions are highly appreciated.


13 answers to this question


Sounds like you need to set up a VPN server so people can just VPN in with a client to the network and then use the internal IP address to access the SQL server.

Aye, this is the more elegant solution.



Yeah, a VPN would be the correct solution. This can be set up so they have to have a cert to auth with, and then even when they VPN in you could limit what they have access to, etc.

OpenVPN is a free solution that is quite easy to set up.

I run it to access my home network, and have a key to auth with. You could also require usernames and passwords on top of that; you can always revoke a key that you feel has been compromised, etc.

Also, I have to wonder: if you directly access SQL across the public net, is this traffic encrypted? Just because you lock down who can connect and generate traffic does not mean there is nobody in between the client and the server looking at this traffic if it is not encrypted. With a VPN your end-to-end traffic would be secure.

[Image: example of a key to auth with]



Thanks for all the suggestions (there is really only one: VPN) :)

We still need a firewall, and if you have any suggestions on a firewall that comes equipped with a VPN, something easy to manage and set up, that would also be a good alternative.

BudMan, I have never used OpenVPN or set one up on a server.

How does it actually work? To access the server, you have to first run the VPN, and then all traffic is routed through the server's internet connection and the computer acts like a local workstation in the office? Can you still access the network where the computer is located, or do you have to disable the VPN first for that?



SonicWall is about as easy as they come. Cisco is nice, but you need to understand their logic to be able to set up and configure it properly (they don't follow the bouncing-ball instructions that most other companies do).



You can set it up both ways: you can force all traffic through the VPN, or you can allow for a split tunnel and route the traffic that is destined for the network on the other side of the VPN through it, if you want.

For example, I am currently at work, but through my VPN connection to my home network I can also access my home network's resources.

It's not that hard to set up, and yes, there are plenty of firewalls that have VPNs built in. Shoot, any router running DD-WRT, for example, can be used as a firewall and OpenVPN connection into the network.

http://www.dd-wrt.com/wiki/index.php/OpenVPN

There are plenty of VPN solutions you could go with. I'm a fan of OpenVPN because it's FREE, for one, and second, it's SSL based, so only one port is required and no other protocols need to be allowed, unlike with IPsec, which quite often can be blocked depending on where you're located.

I currently use pfSense as my home firewall/gateway, and OpenVPN is built right in; it takes like 10 minutes to set up.



Budman, to answer your question about the security of the connection/data: the information sent from the SQL server does not go directly to the workstation software. Basically there is a small server-side program running on the SQL machine; the data is fed from SQL to that "server" software, each workstation accesses the server software, and the instruction/data exchange is routed via that server software. I am not sure if the software encrypts anything it gets from SQL and the workstation client software decrypts and displays it, but I doubt it. After all, the data is just plain text; there is not much confidential information. There are no bank account numbers or social security numbers. Sure, nobody would want their data compromised; however, since they do provide remote access as long as the IP address is allowed on the server firewall, I assume they must have thought about it.

It seems you are using pfSense as a standalone computer/router.

+sc302, thanks, I can look into SonicWall, of course, but I would need something basic. I was told by our branch office that they are using a SonicWall TZ100 to manage their internet traffic/switching. Would that be something I can use? Or are there lower-cost firewalls that I can buy and use as both a hardware firewall (eliminating the software firewall running on our server) and also use with OpenVPN? Like I said, security is important, but I really don't need 129381 bits of encryption; standard security should be more than enough, something that will just block incoming requests/attempts and allow dedicated IP addresses to access, that's it.

xendrome, I just saw your reply right after I posted this.



You can use OpenVPN with the SonicWall and close up any ports to that server. You can add the SonicWall VPN service to your firewall and close all ports if you wanted to do it that way. SonicWall is à la carte; everything is purchasable... nothing is really free.

The simplest and easiest solution is to enable a VPN; it will do what you want. I have more sensitive data than you do (trust me on this) and it is secured via a VPN connection. Most financial institutions as well as many government institutions rely on VPN security. Many of them use VPN + RSA SecurID to secure access to only the individuals who are truly meant to have access (if you are unfamiliar with this technology, it is a password generator that is in sync with the server at the office that hosts the VPN; it generates a VPN password once every 60 seconds randomly... if you don't have the right password at the right time, you aren't getting in).

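Added illustration (not from the thread or from RSA) of how a time-synchronised token like the one described in the post above works. RSA SecurID's algorithm is proprietary, so this uses the open TOTP scheme (RFC 6238, built on HOTP from RFC 4226): both the token and the VPN server hold the same seed, and each derives the code from the seed plus the current time step, so nothing is actually random and no network sync is needed. The seed below is the published RFC test vector, the 60-second step mirrors the post, and the `window` tolerance for clock drift is a design choice of this example, not a SecurID setting.

```python
"""TOTP (RFC 6238) on top of HOTP (RFC 4226), with a 60 s step.

Example code added to illustrate the mechanism; it is not RSA SecurID's
proprietary algorithm. The seed is the RFC 4226 test-vector secret,
constructed here for demonstration only.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 60          # token rotates once a minute, as in the post
DIGITS = 6
SEED = b"12345678901234567890"   # constructed shared secret (RFC test vector)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password for one counter value (RFC 4226)."""
    msg = struct.pack(">Q", counter)                       # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """Token side: the counter is simply the current time step."""
    return hotp(secret, unix_time // step)


def verify(secret: bytes, code: str, unix_time: int,
           step: int = STEP_SECONDS, window: int = 1) -> bool:
    """Server side: accept the current step and +/- `window` neighbouring
    steps so a slightly drifted token clock still works. Constant-time
    comparison avoids leaking which digits matched."""
    counter = unix_time // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta), code):
            return True
    return False


if __name__ == "__main__":
    import time
    now = int(time.time())
    code = totp(SEED, now)
    print("token shows:", code, "server accepts:", verify(SEED, code, now))
```

Because the code is a pure function of (seed, time step), a captured code is only useful for the remaining seconds of its step, and the server must store the seed as carefully as a password hash would be stored, since anyone holding it can generate every future code.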


I did a bit of research and found out about Netgear UTMs.

Here is one: http://www.newegg.com/Product/Product.aspx?Item=N82E16833122336

What do you think about this? There is nothing that needs to be installed on the client (other than a few ActiveX/Java scripts) and no cost per user, since it is all done via the browser.

What I would like to know is, when this is connected, how does the software know it needs to route/connect through the VPN? I know Budman mentioned split tunnel, but what determines which traffic should go through the VPN and which traffic through the "home" internet? Is it set program-wise somewhere? Such as "MSN Live Messenger, Windows Media Center, Windows Media Player: route via home network" and "Inventory Control Systems 2.1: route via VPN"?

Some info found here: Configuring UTM for SSL VPN Tunnels [PDF]

And here: [Link] It says VPN Lite requires a license. I assume VPN Lite is not really required, since the UTM loads a script. I wonder if I can try this somewhere.

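Added example, not part of the thread, covering both Budman's "full tunnel vs. split tunnel" post and the question just above about what decides where a packet goes. The short answer is that the client's operating system never looks at the program name: it consults its routing table per packet and picks the most specific (longest) matching prefix for the destination IP. What a VPN does is add routes. In split-tunnel mode the server pushes a route for the office subnet only, so the SQL client's traffic to the office server goes into the tunnel while everything else uses the local connection; with `redirect-gateway def1` it pushes two /1 routes that out-rank the local default route, so all traffic goes through the tunnel. The OpenVPN directive names (`server`, `push "route ..."`, `push "redirect-gateway def1"`) are real OpenVPN server options; the config text, subnets, interface names and the `203.0.113.10` VPN endpoint are constructed for this illustration.

```python
"""Split tunnel vs. full tunnel: which interface a packet leaves on.

Added example (not from the thread). Simulates the client routing table an
OpenVPN client would hold after connecting, then applies longest-prefix
matching per destination, which is exactly what the OS does. All config
text and addresses are constructed for illustration.
"""
import ipaddress
import re
from typing import List, Tuple

# Constructed server configs: office LAN 10.0.0.0/24, VPN address pool 10.8.0.0/24
SERVER_CONF_SPLIT = """
server 10.8.0.0 255.255.255.0
push "route 10.0.0.0 255.255.255.0"
"""

SERVER_CONF_FULL = """
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "route 10.0.0.0 255.255.255.0"
"""

VPN_SERVER_PUBLIC_IP = "203.0.113.10"   # constructed public address of the VPN endpoint

Route = Tuple[ipaddress.IPv4Network, str]   # (destination prefix, outgoing interface)


def client_routes(server_conf: str, home_lan: str = "192.168.1.0/24") -> List[Route]:
    """Routes a client holds after connecting: its own LAN and default via eth0,
    plus whatever the OpenVPN server pushes onto tun0."""
    routes: List[Route] = [
        (ipaddress.ip_network(home_lan), "eth0"),       # hotel/home LAN, directly attached
        (ipaddress.ip_network("0.0.0.0/0"), "eth0"),    # local default gateway
    ]
    for m in re.finditer(r'^server (\S+) (\S+)', server_conf, re.M):
        routes.append((ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"), "tun0"))
    for m in re.finditer(r'^push "route (\S+) (\S+)"', server_conf, re.M):
        routes.append((ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"), "tun0"))
    if re.search(r'^push "redirect-gateway def1"', server_conf, re.M):
        # def1: two /1 routes beat the existing /0 default without deleting it,
        # plus a /32 to the VPN server itself via the old path so the tunnel
        # does not try to carry its own packets.
        routes.append((ipaddress.ip_network(f"{VPN_SERVER_PUBLIC_IP}/32"), "eth0"))
        routes.append((ipaddress.ip_network("0.0.0.0/1"), "tun0"))
        routes.append((ipaddress.ip_network("128.0.0.0/1"), "tun0"))
    return routes


def egress_interface(routes: List[Route], dest: str) -> str:
    """Longest-prefix match: the most specific route that contains `dest` wins.
    Note there is no program name anywhere in this decision."""
    ip = ipaddress.ip_address(dest)
    best = max((r for r in routes if ip in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]


if __name__ == "__main__":
    for label, conf in (("split tunnel", SERVER_CONF_SPLIT), ("full tunnel", SERVER_CONF_FULL)):
        table = client_routes(conf)
        for dest in ("10.0.0.5", "8.8.8.8", "192.168.1.20", VPN_SERVER_PUBLIC_IP):
            print(f"{label:12} {dest:15} -> {egress_interface(table, dest)}")
```

So the inventory client needs no special configuration: as long as it is pointed at the office server's internal address (10.0.0.5 here), its packets match the pushed office route and enter the tunnel, while Messenger and media traffic to public addresses stay on the local connection in split-tunnel mode. Split tunnel is more convenient for users but means the remote machine is simultaneously on an untrusted network and the office network, which is why many shops choose the full-tunnel setting.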

This topic is now closed to further replies.