
Is there any security threat?

New Here, Jul 30, 2009

Hi Group,

I have my IIS web server outside the firewall, and my ColdFusion application server and SQL Server are behind the firewall. Can IIS still access the ColdFusion application server and SQL Server for ColdFusion pages? In this situation, do I need to open port 1433 in the firewall for SQL Server, and if so, is there any security threat?

Thank you for your time.

Topics: Database access
Engaged, Jul 31, 2009

There is always "a security threat," but if we tried to absolutely eliminate them we'd never be able to get any work done.

What I would do is this: add a firewall rule which permits the IP address of the CF server to send non-forwarded packets to the IP address of the SQL Server, either on the same port or (just to be different) a different one chosen at random by you. Arrange for the CF server to log in to the SQL Server using a mechanism that doesn't involve secrets, like passwords. And cause it to log in using a restricted SQL Server user ID which is permitted to do only what you intend for it to do.

If the information is highly confidential, you can also arrange for the CF application to talk strictly to a web service on the inside. The web service, not CF itself, is the one that has the authority to talk to the database. (You can, in fact, set up such a service using a second instance of ColdFusion... "why not?") Once again, firewall rules permit only the outward-facing CF server to talk only to the inward-facing one, only through a specified randomly-chosen port and permitting no forwarded packets.

As always, research to find any technology that you can "cabbage" to do these things.  Look for existing best-practices that might be applicable.  You are by no means the first one to face these objectives.

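The restricted SQL Server principal the reply above recommends, written out as an added T-SQL example (this is not code from the original thread or from Adobe). Every name in it is an assumption made for the illustration: a domain CORP, a service account CORP\svc-cfapp that the ColdFusion service runs as, a database AppDb, an application schema app and a table dbo.Orders. The script must itself be run by a sysadmin or database owner, and the Windows-authenticated login only removes the stored password if the CF datasource actually uses integrated authentication through a JDBC driver that supports it.

```sql
-- Added example, not code from the original thread.
-- Assumed names: domain CORP, service account CORP\svc-cfapp (the account the
-- ColdFusion service runs as), database AppDb, schema app, table dbo.Orders.
-- T-SQL for SQL Server 2005 and later; run as a sysadmin.

USE master;
GO
-- Windows-authenticated login: the CF service account proves its identity to
-- SQL Server with Kerberos/NTLM, so no database password sits in the CF
-- datasource configuration.
CREATE LOGIN [CORP\svc-cfapp] FROM WINDOWS WITH DEFAULT_DATABASE = AppDb;
GO

USE AppDb;
GO
-- Demo table; in a real database this already exists.
CREATE TABLE dbo.Orders (
    OrderId    int   NOT NULL PRIMARY KEY,
    CustomerId int   NOT NULL,
    Total      money NOT NULL
);
GO
-- Schema owned by dbo so that procedures in it chain to dbo tables (see below).
CREATE SCHEMA app AUTHORIZATION dbo;
GO

CREATE USER [CORP\svc-cfapp] FOR LOGIN [CORP\svc-cfapp] WITH DEFAULT_SCHEMA = app;
GO

-- Role that may only EXECUTE procedures in the app schema: no SELECT, INSERT,
-- UPDATE or DELETE on any table, and nothing outside that schema.
CREATE ROLE cf_app_executor AUTHORIZATION dbo;
GRANT EXECUTE ON SCHEMA::app TO cf_app_executor;
-- sp_addrolemember works on 2005/2008; ALTER ROLE ... ADD MEMBER replaces it on 2012+.
EXEC sp_addrolemember 'cf_app_executor', 'CORP\svc-cfapp';
GO

-- The procedure and the table share an owner (dbo), so ownership chaining lets
-- the caller read dbo.Orders through the procedure without any right on the table.
-- Parameterised body: no dynamic SQL, so the caller cannot smuggle in a query.
CREATE PROCEDURE app.GetOrder
    @OrderId int
AS
BEGIN
    SET NOCOUNT ON;
    SELECT OrderId, CustomerId, Total
    FROM dbo.Orders
    WHERE OrderId = @OrderId;
END;
GO

-- Check from the application's point of view: impersonate the account and
-- report whether it can run the procedure and whether it can touch the table
-- directly. HAS_PERMS_BY_NAME returns 1 for granted, 0 for not granted.
EXECUTE AS USER = 'CORP\svc-cfapp';
SELECT HAS_PERMS_BY_NAME('dbo.Orders',   'OBJECT', 'SELECT')  AS can_select_table,
       HAS_PERMS_BY_NAME('app.GetOrder', 'OBJECT', 'EXECUTE') AS can_exec_proc;
REVERT;
GO
```

A correct result of the final check is 0 for can_select_table and 1 for can_exec_proc; anything wider means the grant is broader than the reply intends. The firewall side stays separate: one rule from the CF server's address to the SQL Server's address on the single port the instance listens on, and nothing from the DMZ to 1433 in general. Moving the instance off 1433 is harmless but is not a control in itself; a port scan from a compromised IIS box will find it, so the per-address rule and the restricted login are what actually limit the damage.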
Guest, Aug 05, 2009 (latest)

You can run CF in a distributed mode if it is running on JRun. So the IIS server would only need access over JRun ports (which are uncommon) to the CF server.

This is a little harder to set up, but is covered in the LiveDocs.

Alternately, if the person who does your firewall knows how to, you can place everything behind the firewall and segment the firewall into zones, so only your application has access to the database.

Then your only concern would be what code is being placed on the server and by whom, internally.

Of course, if your internal network is not secure and accessible, this is a "way in".

Best practice is to allow no access, and grant only what is necessary.  This applies to all networks and routes that would have access to the entity being protected.

There is also something to be said for security by obscurity. Meaning if you have to make 6 jumps to upload code to your server, and only a handful of people know this process, that makes it all the harder to be compromised.

Byron Mann
mannb@hostmysite.com | byronosity@gmail.com
Software Architect
hosting.com | hostmysite.com
http://www.hostmysite.com/?utm_source=bb
