Security risk with remote access to sql server?

Question

I wish to access a company sql server database externally. I can access the database currently through use of Remote Desktop Connection, but this is not adequate for certain database tools running off my computer.

Before I enable external access to the sql server... (http://blogs.msdn.com/b/walzenbach/archive/2010/04/14/how-to-enable-remote-connections-in-sql-server-2008.aspx)

are there any security hazards I should be aware of? The server has multiple users, and I can double check to ensure that all have strong password protection. Beyond that, is there any risk that I am unaware of? Is there any particular reason why one should not allow external access to an sql server?

Thanks

Answer 1

As to accessing remotely a DB server there are several issues you have to take into account:

• Database can be a subject to denial of service or distributed denial of service attacks
• Despite of your strong password policy, passwords can be broken (brute forced or with dictionary)
• Yet unknown database software vulnerabilities are laying wide open to everyone in the Internet

So if you have to do this consider VPN to remote server and then access db via local network interface. Or you might consider some SSH tunneling, and poking holes for your ip in your firewall. You might also want to consider stronger authentication schemes like certificate authentications, also accessing via SSL.

IMHO the best option is VPN terminated on remote server and database accessible via local interface.