Common Database Vulnerabilities: Unprotected Network

2014-08-27 - Common Database Vulnerabilities, General, Security, Series

The network is not an integral part of the database management system. So why is an unprotected network listed as a database vulnerability?

The Two Levels of Database Network Security

As someone who owns or administers a database server, you need to be aware of the common threats to your entire system. While you can argue that the network is someone else's responsibility, that would oversimplify the matter.

I assume that your database server is behind the company firewall and not directly accessible from the internet. Having a database server that is accessible directly from the public internet is considered bad practice. If you are in that position, I urge you to revisit your application architecture.

If your server is behind the firewall, then network security means that you need to protect your network to keep intruders out. That indeed is not the job of the database administrator (unless the database administrator is also the network administrator). However, there is an important second part to this equation.

Most database servers, including SQL Server, communicate with their clients unencrypted by default. That means that a person with malicious intent who is on the same network can intercept all communication between the server and the client. If he can witness an authentication handshake, the intruder can even take over an entire session and run his own commands against the database server with all the permissions granted to the intercepted user.

Network Encryption to the Rescue

For the above attack scenario to work, the intruder has to be connected to the same network as the database server. Therefore, you might think that you are safe, as your database servers are behind a firewall. However, roughly 80% of all attacks are (intentionally or unintentionally) executed by insiders (employees), that is, by people who are already behind that same firewall.

Enabling TLS (Transport Layer Security) for your database server can go a long way in tightening your network security and preventing these types of attack. If you have not done so yet, now is the time to take action. Enable Encrypted Connections to your Database Engine now.
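On the client side, the connection string decides whether encryption is requested and whether the server certificate is validated. The following check is an added example, not code from the original post: it audits ADO.NET/ODBC-style SQL Server connection strings for the `Encrypt` and `TrustServerCertificate` keywords. The server names and sample strings are constructed, and treating a missing `Encrypt` keyword as unencrypted is an assumption (older drivers default to no encryption).

```python
# Added example: audit SQL Server client connection strings for TLS settings.
# Limitation: values that themselves contain ';' are not handled.

ENCRYPT_ON = {"true", "yes", "mandatory", "strict"}
TRUST_ON = {"true", "yes"}


def parse_conn_str(conn_str):
    """Split 'Key=Value;Key=Value' into a dict with normalised keys."""
    settings = {}
    for part in conn_str.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        # Lower-case and drop spaces so 'Trust Server Certificate' also matches.
        settings[key.strip().lower().replace(" ", "")] = value.strip().strip("'\"")
    return settings


def audit_conn_str(conn_str):
    """Return findings; an empty list means TLS is requested and verified."""
    s = parse_conn_str(conn_str)
    findings = []
    encrypt = s.get("encrypt")
    if encrypt is None:
        # Assumption: absent keyword is reported, as older drivers default to off.
        findings.append("encrypt-not-set")
    elif encrypt.lower() not in ENCRYPT_ON:
        findings.append("encrypt-disabled")
    if s.get("trustservercertificate", "no").lower() in TRUST_ON:
        # Traffic is encrypted, but the client accepts any server certificate,
        # so someone on the same network can still sit in the middle.
        findings.append("certificate-not-validated")
    return findings


# Constructed sample connection strings (hypothetical hosts, no credentials).
SAMPLES = {
    "reporting": "Server=db01.example.internal;Database=Sales;Integrated Security=true",
    "webapp": "Server=db01.example.internal;Encrypt=True;TrustServerCertificate=False",
    "etl": "Driver={ODBC Driver 18 for SQL Server};Server=db01.example.internal;"
           "Encrypt=yes;TrustServerCertificate=yes",
}


def audit_all(samples):
    return {name: audit_conn_str(cs) for name, cs in samples.items()}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLES).items():
        print(f"{name}: {', '.join(findings) if findings else 'ok'}")
```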

The Most Common Database Problems

An Unprotected Network is one of the most commonly encountered database vulnerabilities. In this series of posts, I discuss 10 of them. Below are the ones that are published so far:
