I've talked off-channel to another frequent contributor to this mailing list about how much we help people, and how much we are actually just handing them a shovel to help them dig themselves a deeper hole. Internet security is not a subject to be taken trivially. Sometimes, the consequences are minor. Sometimes they are not.
So, that being said, please take this in the spirit intended... but you need an experienced security expert for whatever task you are looking to do (in fact, I would recommend several). Your design is very flawed, at least as I understand it. If you are messing with SQL databases, you presumably have valuable data on them. They don't belong directly on the 'net! Your proposed design sounds very dangerous, and I urge you to look carefully at any liability that you might get into should your system get cracked. I think the law is a bit unclear right now on this, but I'd be terrified of what liability you might face should you put a system up as you propose, and someone's personal information got into the wrong hands through negligence. If someone robs a bank, it is the robber who breaks the law. However, if the bank left your valuables sitting outside on the sidewalk, well, you can bet the bank would be in hot water, too. And banks are easier to catch, and normally have "deeper pockets". This is NOT something you want to blunder your way through.

As I mentioned earlier, I recommend several people look over the final design -- I looked over a system for a friend of mine a while back; he worked for a company whose products many people may know. I was the *fifth* person to look the system over. I was also the FIRST person to note the web server was live on the Internet, and was accessing the SQL server they had through the firewall. Through the firewall was going to be going all kinds of customer information, including credit card numbers, and the server on the "inside" of the firewall (but accessible externally!) held all the company's accounting info... a serious jackpot for any cracker, and it is a high-enough profile company that you can be sure they'd be worked over. They had no PSN/DMZ! Actually, that was not entirely true: the installers (a "little" company called GTE... yes, *THAT* GTE. The phone company GTE. I'll name that name because of their guilt, and people need to be warned that very big names can make big mistakes, too) had taken a network map, drawn a circle around a part of it, and labeled it "DMZ". Yes, it was a firewall made out of pencil lead.

What had happened is a dealer sold them the GTE firewall service without any consideration of their actual needs; they hoped GTE would figure it out. GTE's salesperson walked in and sold a very expensive product and service, but again, with no consideration of what the customer really wanted or needed. They sold them an "office" firewall service for an E-Commerce application. The poor tech who did the install didn't want the headaches of fixing the problems, so he just installed it the best he could (and considering what he was probably paid, I understand). After it was installed, three other people looked the system over; no one before me noticed the web server was actually SITTING live on the 'net! I did that job as a favor to a friend... I wouldn't bill for a job like that, I don't want my name associated with the fiasco in any way.

In case you are wondering, the hardware they used cost several times the cost of GB-Pro, the software several more times the cost of GB-Pro, and the "support services" were AGAIN several times the cost of GB-Pro annually, and did NOTHING useful that GB-Pro wouldn't have done for a small fraction of the price. They felt safer by spending too much money. However, I also wish to point out that the firewall they had purchased was not defective or flawed -- it was the implementation that was flawed. And just because I say get a security consultant involved doesn't mean I don't think you should know PRECISELY what is going on in the system -- ultimately, the people responsible for the safe operation of the system are the owners; you must know what is going on.

Nick.
Andre Champoux wrote:
> I got the GNAT setup and everything is going pretty well, but now I'm
> getting into stuff I'm not all that familiar with. The end goal that we
> would like is to set up the replication between two SQL Servers. One SQL
> server is on the Public Internet and the second is behind our GNAT firewall.
> It looks like we need to have the Netbios ports open in order to do the type
> of authentication the database is using. What are the steps that I need to
> take in order to set up a Netbios tunnel that is allowed from only specific
> IP addresses? Any suggestion would be appreciated.
>
> Thanks
>
> Andre
