Common practices for SQL Server access from Windows Application on remote network?
Background
We have a Windows .NET application used by our field employees who travel all over the country and live out of hotels most of the time. Recently we added some features that connect directly to our SQL Server 2005 for data access (i.e. SqlConnection.Open()). Since then we have run into some issues with this generating errors indicating an inability to access the server.
The intermittent nature of this error among our employees led us to believe that it could be due to a port-blocking issue, and that some hotels may be blocking port 1433 - used by SQL Server. As we began researching this issue, we came across many comments expressing that having port 1433 publicly open is a major security hole, and that it should be limited to internal/local use.
Question
So my question is this - what alternatives are there for a Windows application to request and receive data from a SQL Server database that will result in better security and bypass common blockages placed by public networks (such as hotel WiFi)?
I know that one option is VPN, but from what I hear it is not uncommon for VPN connections to be blocked on public networks either.
Yes, use a protocol that is allowed to traverse every NAT/Firewall out there: HTTP. In other words, instead of connecting with SqlConnection, add a mid-tier web service layer. If you think this is complex, see Creating an OData API for StackOverflow including XML and JSON in 30 minutes.
Having the SQL Server TDS port open directly to the network, even after moving to a non-default port, is a major security headache no matter how you twist it or turn it.
Your best bet probably is to use a WebService which will call SQL internally. Then you can publish your webservice to whatever port you need, and the Windows Application (though I'd probably change it to a Web App, myself) can call the webservice on whichever port you've defined.
I would use a WebService or WCF Service with SSL encryption.
You should consider licensing costs too... If your users access the SQL Server it's a license per user. Only per-socket licensing is different.
There are really only two options:

1. Move the SQL Server to a different port. This is still the least secure, but will get you past most firewalls. Hopefully you aren't really sending actual SQL across that wire... Encrypt it regardless.

2. Change the app to communicate via web services. This will take a little bit of time, but you have the ability to end up with a much more secure system. Encryption is still a must; and under no circumstance use this to send a SQL statement across the wire.
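The mid-tier service that the first answer recommends, built to the two rules the last answer gives (TLS only; the client never sends a SQL statement across the wire), as an added example rather than code from any of the posters. It is a hypothetical ASP.NET Core minimal-API Program.cs using the Microsoft.Data.SqlClient and Microsoft.AspNetCore.Authentication.JwtBearer packages; the connection string name "Sales", the dbo.Orders table and its columns, the "Auth:Authority" configuration key, the "sales-api" audience and the api.example.com host are all assumptions. Only this service host needs to reach SQL Server on 1433; the desktop app reaches the service on 443, which hotel networks generally allow.

```csharp
// Added example (not the original post's code): a narrow HTTPS service between the
// desktop app and SQL Server. The desktop app holds no SQL Server credentials and sends
// no SQL text; it sends an integer customer id and gets JSON back.
using System.Data;
using System.Net.Http.Json;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Data.SqlClient;

var builder = WebApplication.CreateBuilder(args);

// Callers must present a bearer token from the identity provider named in the
// "Auth:Authority" setting (assumed). Unauthenticated callers never reach the database.
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(o =>
    {
        o.Authority = builder.Configuration["Auth:Authority"];
        o.Audience = "sales-api";
    });
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseHttpsRedirection();   // TLS only: the hotel network sees ciphertext, not TDS
app.UseAuthentication();
app.UseAuthorization();

// One fixed query per endpoint. The route constraint rejects anything but an int,
// and the SQL text is a constant: the client supplies data, never code.
app.MapGet("/api/customers/{customerId:int}/orders",
    async (int customerId, IConfiguration cfg, CancellationToken ct) =>
{
    var orders = new List<OrderDto>();

    // Assumed connection string "Sales" lives in the service's appsettings, not the client.
    await using var conn = new SqlConnection(cfg.GetConnectionString("Sales"));
    await conn.OpenAsync(ct);

    await using var cmd = new SqlCommand(
        "SELECT OrderId, OrderDate, Total FROM dbo.Orders WHERE CustomerId = @id", conn);
    cmd.Parameters.Add("@id", SqlDbType.Int).Value = customerId;   // typed parameter

    await using var rdr = await cmd.ExecuteReaderAsync(ct);
    while (await rdr.ReadAsync(ct))
        orders.Add(new OrderDto(rdr.GetInt32(0), rdr.GetDateTime(1), rdr.GetDecimal(2)));

    return Results.Ok(orders);
}).RequireAuthorization();

app.Run();

record OrderDto(int OrderId, DateTime OrderDate, decimal Total);

// What replaces SqlConnection.Open() in the desktop app: one authenticated HTTPS GET.
// Shown here for contrast; in practice this class lives in the client project.
static class OrdersClient
{
    public static async Task<List<OrderDto>?> FetchAsync(HttpClient http, string token, int customerId)
    {
        http.DefaultRequestHeaders.Authorization =
            new System.Net.Http.Headers.AuthenticationHeaderValue("Bearer", token);
        // api.example.com is a placeholder host for the service above.
        return await http.GetFromJsonAsync<List<OrderDto>>(
            $"https://api.example.com/api/customers/{customerId}/orders");
    }
}
```

The design point is the shape of the API, not the framework: each endpoint answers one question with one constant query and typed parameters, so the service cannot be turned into a remote SQL console, and the SQL Server login used by the service can be restricted to exactly the tables those queries touch. Whatever is blocked at the hotel, the database itself is never on the public side of the firewall.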