
SSL to SQL Question

tjwenger (Weaksauce, joined Sep 20, 2009, 123 messages)
[H]ard Users and SysAdmins are the Best, So I'll pose this question to you guys:

(Precursor, I'm a fairly New Network Admin, I inherited a mess with the position and I'm fixing it piece by piece)

We don't use certificates inside our internal network, as much as I would prefer to, so I'm not really up to snuff on my SSL. But here is the scenario I need help with:

We will be using a hosted service to handle/present (web) some customer information for a database/software we use. The external company needs to query OUR internal database server via ODBC (our SQL Server is handling more than just the single database).

We recently installed an IPS device. We plan on setting up an ISA server to handle authentication on the Edge to work WITH the IPS device.

So The dataflow would be:

External Server ---> IPS(Untrusted) ---> ISA ---> IPS (Trusted)--> OURSQLSERVER

The external hosted service obviously requires an SSL certificate on our side to encrypt the data before we send it off to them. My question is: where the hell do I install this SSL cert? Their handshake will technically be with our ISA server, so is that where I install the certificate, leaving the SQL unencrypted to the ISA? Or do I really need two SSL certs here, one for the specific SQL instance to the ISA, and one to the external hosted service?

Thanks for the help guys, I appreciate it!

TJ Wenger
 
While not related to ISA or security certs... Granting direct query access to anyone has its risks. Poor queries can do anything from cripple performance to hose data. So I'll just assume that better, more manageable, and isolated ideas were all rejected (i.e. web services, custom report construction, etc.). I'd recommend having a completely separate server that periodically gets its data refreshed from your core DB server.
 
Thanks PTNL, that's the road we're travelling down now. We can't seem to decide whether or not to give the DMZ its own domain as another layer.

Basically we'll be putting a SQL Server in our DMZ that gets its info from an internal database initialized connection.

Thanks PTNL for the response.
 
You're not going to put the SSL cert on ISA. ISA has no idea how to proxy SQL connections, therefore you can't terminate/bridge the SSL encrypted session on ISA. You'll have to create a server publishing rule for it on whatever port you're running encrypted SQL (essentially a pass-through/port forwarding rule). You're not going to be able to authenticate on ISA either - it's not a HTTP/S connection, so the requestor can't be given a 401 Challenge. You might not want it to be on 1433, so that means a custom protocol in ISA (not too tough).

Another good idea is to restrict the publishing rule to only apply to connections initiated from your external provider.

If you want to do authentication on ISA and still get to use your IPS on the inbound queries, you'll have to set up a VPN connection. Don't make the SQL server publicly accessible - this ensures the service is routing traffic to you over the VPN and keeps you from worrying about a publicly accessible SQL server. You can do everything you want this way, but who knows if your service would set one up.

I've never done encrypted SQL, but googling brought up this link; it seems straightforward.
http://msdn.microsoft.com/en-us/library/ms189067.aspx
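Since ISA just passes the SQL port through, the encryption is negotiated between the external client and SQL Server itself during the TDS PRELOGIN exchange. The following added check (not code from this thread) sends a PRELOGIN packet advertising ENCRYPT_OFF and reports what the server answers: ENCRYPT_REQ means "Force Encryption" is on, ENCRYPT_NOT_SUP means no certificate is bound, ENCRYPT_OFF means the server only encrypts the login packet. The host and port in `check_server_encryption` are assumptions; the parser is tested offline on a constructed response.

```python
import socket
import struct

# TDS PRELOGIN option tokens and ENCRYPTION values (MS-TDS, PRELOGIN message)
TOKEN_VERSION, TOKEN_ENCRYPTION, TOKEN_INSTOPT, TOKEN_THREADID, TOKEN_END = 0x00, 0x01, 0x02, 0x03, 0xFF
ENCRYPTION_NAMES = {0x00: "ENCRYPT_OFF", 0x01: "ENCRYPT_ON", 0x02: "ENCRYPT_NOT_SUP", 0x03: "ENCRYPT_REQ"}


def build_prelogin(encryption: int = 0x00) -> bytes:
    """Build a minimal TDS PRELOGIN packet (type 0x12) advertising the given encryption flag."""
    options = [
        (TOKEN_VERSION, bytes(6)),               # client version; zeros are accepted
        (TOKEN_ENCRYPTION, bytes([encryption])),
        (TOKEN_INSTOPT, b"\x00"),                # empty instance name = default instance
        (TOKEN_THREADID, bytes(4)),
    ]
    table_len = len(options) * 5 + 1             # 5 bytes per token plus the 0xFF terminator
    table, data = b"", b""
    for token, payload in options:
        # offsets are relative to the start of the PRELOGIN payload
        table += struct.pack(">BHH", token, table_len + len(data), len(payload))
        data += payload
    payload = table + bytes([TOKEN_END]) + data
    # header: type, status (EOM), total length, SPID, packet id, window
    header = struct.pack(">BBHHBB", 0x12, 0x01, 8 + len(payload), 0, 1, 0)
    return header + payload


def parse_prelogin_encryption(packet: bytes) -> str:
    """Return the ENCRYPTION option name from a server PRELOGIN response (type 0x04)."""
    if len(packet) < 8 or packet[0] != 0x04:
        raise ValueError("not a TDS tabular response packet")
    payload = packet[8:]
    pos = 0
    while payload[pos] != TOKEN_END:
        token, offset, length = struct.unpack_from(">BHH", payload, pos)
        if token == TOKEN_ENCRYPTION and length == 1:
            return ENCRYPTION_NAMES.get(payload[offset], f"UNKNOWN(0x{payload[offset]:02x})")
        pos += 5
    raise ValueError("server PRELOGIN carried no ENCRYPTION option")


def check_server_encryption(host: str, port: int = 1433, timeout: float = 5.0) -> str:
    """Connect to the published SQL port (assumed host/port) and report the server's encryption policy."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_prelogin())
        stream = sock.makefile("rb")
        header = stream.read(8)
        total = struct.unpack(">H", header[2:4])[0]
        return parse_prelogin_encryption(header + stream.read(total - 8))
```

Run it from outside the firewall against the published port; anything other than ENCRYPT_REQ means a third-party ODBC client that does not insist on encryption can still log in in the clear.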
 
Without going into too much detail, we were basically doing it all wrong. We ended up going with a PAT translation on the firewall directly to our SQL Server, which we can then generate the SSL certificate for. Then we're just securing the third party's ODBC connection.

That's the short-term, short explanation of what we did.

ISA doesn't come into play here at all, I was chasing down a dead end. Oh well.

Thanks for all your help everyone.
 