SSL Connection from web server to DB server with no external IP Address.

  • Question

  • Hello folks, hope you can help....

    Scenario..

    We have 2 physical servers, one web server and one db server (hosted).

    We then have a hosted firewall sat in front of these machines.  This firewall is configured to allow http traffic through to the web server but not the db server.

    The db server has no DNS names associated with it and it is only accessible from behind the firewall.

    The web server connects to the DB server using an internal IP address of the physical db machine.

    Because the machines are hosted we have a requirement to ensure traffic from the webserver to the db box is done over SSL.  Keeping in mind that we do not have an external DNS name pointed to the DB Box and that the firewall blocks all external traffic to and from it (bar RDP) I'm just wondering how on earth we would go about generating a certificate for this server?

    In case you are wondering why we are doing this, it is to prevent someone at the hosting company intercepting traffic between the web and db servers (man in the middle attack).  All the data in the db is encrypted so we need to make sure the traffic is encrypted between the physical machines.

    Friday, February 24, 2012 1:32 PM

Answers

  • You could still give it a DNS name inside the network and then use a local CA authority to provide the certificate for you.

    Most of the time, getting an SSL cert just requires you to have outbound connectivity to the HTTPS CA authority site, so the server itself does not have to be exposed to the internet per se.

    p.s. good point on the security topic/trust.

    • Proposed as answer by yaphets Monday, March 5, 2012 9:42 AM
    • Marked as answer by Iric Wen Wednesday, March 7, 2012 6:35 AM
    Monday, February 27, 2012 7:29 PM
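An added example of the internal-name-plus-local-CA approach from the answer above; it is not part of the original thread. The FQDN `sqldb01.corp.internal`, the CA config string and the use of the built-in `WebServer` template on an enterprise CA are assumptions.

```powershell
# Added example. Run on the DB server in an elevated session.
# Assumed values, not from the thread: the internal FQDN, the CA config string
# and the "WebServer" template on an enterprise CA.
$fqdn     = 'sqldb01.corp.internal'
$caConfig = 'ca01.corp.internal\Corp-Issuing-CA'
$work     = Join-Path $env:TEMP 'sqlcert'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# Request policy: machine key store, AT_KEYEXCHANGE key (KeySpec = 1),
# Server Authentication EKU, and the internal name as both CN and SAN.
$inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=__FQDN__"
KeySpec = 1
KeyLength = 2048
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=__FQDN__"
'@ -replace '__FQDN__', $fqdn
Set-Content -Path "$work\request.inf" -Value $inf -Encoding ASCII

# Create the key pair and CSR locally, submit to the internal CA, install the reply.
certreq -new "$work\request.inf" "$work\request.req"
certreq -submit -config $caConfig -attrib 'CertificateTemplate:WebServer' "$work\request.req" "$work\sqldb.cer"
certreq -accept "$work\sqldb.cer"

# Confirm the issued certificate is in the machine store with its private key.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$fqdn" } |
    Format-List Subject, Thumbprint, NotAfter, HasPrivateKey, EnhancedKeyUsageList
```

The private key never leaves the DB server; only the request and the signed certificate cross the network. The SQL Server service account then needs read access to that private key before the certificate can be selected in SQL Server Configuration Manager.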

All replies

  • Potentially, you could do a self-signed certificate on the database server and export that into the web server.

    It also seems odd that you do not trust your hosting providers.  If anything and if they really wanted, they could just go to your server and hook something on a usb port.

    If your data requires such great security to be encrypted at REST and at TRANSMISSION but you do not trust your hosting provider, you might consider a different hosting company (my 2 cents here).

    Technology-wise, doing a self-signed certificate might help you get around this issue.  It will be interesting to see what others think.

    Friday, February 24, 2012 8:46 PM
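An added example of the self-signed route suggested in the reply above; it is not part of the original thread. It assumes Windows Server 2016 or later on both machines, and the FQDN `sqldb01.corp.internal` and the path `C:\Temp\sqldb.cer` are made up for illustration.

```powershell
# Added example. Names and paths are assumptions, not from the thread.
$fqdn = 'sqldb01.corp.internal'

# --- On the DB server (elevated) ---
# Self-signed certificate that meets SQL Server's requirements: machine store,
# key-exchange key in a legacy CSP, Server Authentication EKU, name = FQDN.
$cert = New-SelfSignedCertificate -Type SSLServerAuthentication `
    -Subject "CN=$fqdn" -DnsName $fqdn `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeySpec KeyExchange -KeyExportPolicy NonExportable `
    -Provider 'Microsoft RSA SChannel Cryptographic Provider' `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.1') `
    -NotAfter (Get-Date).AddYears(2) `
    -CertStoreLocation 'Cert:\LocalMachine\My'

# Export only the public certificate; the private key stays on the DB server.
Export-Certificate -Cert $cert -FilePath 'C:\Temp\sqldb.cer' | Out-Null
"Thumbprint to compare on the web server: $($cert.Thumbprint)"

# --- On the web server (elevated), after copying sqldb.cer across ---
# Check the thumbprint against the value printed above before trusting the file.
$imported = Import-Certificate -FilePath 'C:\Temp\sqldb.cer' `
    -CertStoreLocation 'Cert:\LocalMachine\Root'
"Imported thumbprint: $($imported.Thumbprint)"

# Connect by the certificate's name with validation enabled. With
# TrustServerCertificate=True the channel is encrypted but the server is not
# authenticated, which does not address the interception concern in the question.
$cs = "Server=$fqdn;Database=master;Integrated Security=SSPI;" +
      "Encrypt=True;TrustServerCertificate=False"
$conn = New-Object System.Data.SqlClient.SqlConnection $cs
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = 'SELECT encrypt_option FROM sys.dm_exec_connections ' +
                       'WHERE session_id = @@SPID'
    "Session encrypted: $($cmd.ExecuteScalar())"   # TRUE when TLS is in use
}
finally {
    $conn.Dispose()
}
```

The web server must connect using the name in the certificate rather than the raw internal IP address, so the name has to resolve internally (DNS record or hosts file entry) for validation to succeed.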
  • Hi Mark,

    Microsoft SQL Server can use Secure Sockets Layer (SSL) to encrypt data that is transmitted across a network between an instance of SQL Server and a client application. SSL can be used for server validation when a client connection requests encryption. We need an SSL certificate to use SSL.

    Here is a reference about SSL in SQL Server, it contains SSL configuration for SQL Server and Certificate Requirements:

    Encrypting Connections to SQL Server


    Best Regards,
    Iric
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.

    Monday, February 27, 2012 8:25 AM
  • Hi Edgar,

    We do trust our hosting provider, if we didn't we wouldn't be with them but unfortunately in the world of data protection "trust" simply doesn't cut it. 

    Take PCI Compliance as an example, you may trust your employees but there is still the requirement to ensure that you are taking every step to ensure that the data is secure be that through audit trails, user authentication, CCTV and/or database encryption.

    There is always a risk at every company that you may get a 'rogue' employee that decides that they want to steal the data and it is our job to ensure that we take every step possible to make that task as difficult as possible irrespective of whether the servers are physically in our building or at a separate hosting company.

    Remember that failure to prove that you followed and implemented the requirements can leave you exposed to potentially huge fines, i.e. I don't think "but we trust our employees" would be much defence.  To coin a phrase from a movie "It's not what you know, it's what you can prove that counts."

    Monday, February 27, 2012 10:28 AM
  • Hi Iric

    I know that MS SQL Server can use SSL, my question is;

    "Because the machines are hosted we have a requirement to ensure traffic from the webserver to the db box is done over SSL.  Keeping in mind that we do not have an external DNS name pointed to the DB Box and that the firewall blocks all external traffic to and from it (bar RDP) I'm just wondering how on earth we would go about generating a certificate for this server?"

    i.e. HOW do I generate a certificate for a server that is not visible to the internet and as such is mapped to a DNS name.

    Cheers

    Monday, February 27, 2012 10:31 AM