How secure will my home server be?

[vb3d]

Hi everyone,

I am planning to setup my old laptop as a server, and run a server application and install SQL Server on it.
The server will be listening to a specific port that I will be setting up port forwarding for in my router, and use No-IP to get static domain name.
I was wondering, how secure is this setup?
How easy/difficult for someone to hack into this server an delete or even read the data stored on the SQL server connected to my home network.
Also, is there a chance of getting into my other devices connected to the same network due to this, i.e my desktop?

Thanks in advance

 

[Red Squirrel]

I would not open up SQL directly to the internet. It's not really meant for that, it's more meant for a front end server to talk to. Ex: you open up port 80 for HTTP, and the HTTP server then talks to the SQL port, which could be on another machine that is internal to the network.

It's also a good idea to have internet facing stuff on another vlan. So if the box does get compromised they won't have access to your entire network. Ex: an exploit in Apache or something.

 

[vb3d]

Thanks Red Squirrel for the quick reply.
I am not good with networking, can you please tell me more details?
What do you mean by vlan?
The server application will listen to port let's say 55555 for connections.
So you advising to put the SQL Server on another machine
Do you mean something like this picture?

 

[Red Squirrel]

The SQL server can be on the same server as the app server, which is typical in smaller setups, but you only forward the application port (I'm going to guess it's a web server and say 80 but it does not really matter)

This way the internet traffic can't touch the SQL server directly, and it does not have to as the app server talks to it.

Vlans are a way of splitting up a network, each vlan will have it's own virtual interface at the router and be treated as a separate switch. It's something worth reading into but it does require higher end gear as most consumer stuff won't do it. You can get away without it, it's just that it will add a last layer of security if setup right.

 

[vb3d]

My app server is actually an exe app that runs on windows, and will be listening to a fixed port (ex 55555).
My worries is opening this port to the Laptop, so my question is:
In theory, is there a way of hacking into my server using this port and getting into my SQL Server?
Also another question
Becuase my home network will have public domain name through the No-IP.com service, does this put any of my devices connected to it at risk of being hacked?
I have 2 pc's and 2 phones.

 

[sonitravel09]

Technically speaking, you don't secure a server. You secure services, and you secure them from something.
So the answer to your question hinges entirely on what services you plan to run, and what you intend to expose it to.

 

[frowertr]

You're always at risk with anything connected to the net. The risk increasing as you start opening holes in your firewall for services that need outside access to the inside of your network. Generally, you'd put servers that need to be accessed from the outside (Internet) into a DMZ and on a different subnet than your LAN. You then create firewall rules to disallow all access from the DMZ interface to the LAN interface. If anything in the DMZ is compromised, the intrusion is limited to the DMZ only.

Is this just for you to access or is it for the general public? If it's just for you, I'd setup a VPN rather than open up ports specifically for that application. If you open up ports directly to that app, then your security risk depends on how well that program was written and hardened.

 

[hippovsmouse]

It's also a good idea to have internet facing stuff on another vlan. So if the box does get compromised they won't have access to your entire network. Ex: an exploit in Apache or something.

You are saying, that if his server is on it's own vlan, and that server gets a virus, that the virus cannot spread from that server to other machines on his network?

 

[frowertr]

I would doubt that his basic home router is capable of VLAN configuration much less any switch he has.

 

[hippovsmouse]

I would doubt that his basic home router is capable of VLAN configuration much less any switch he has.

maybe he has ddwrt on his router - i use it and there is vlan functionality (though i know little about it but have done some reading on it after viewing this thread)

is a vlan actually a viable security measure? i read that it's more to segment traffic

 

[frowertr]

Yes VLAN can be used as a security measure simply for the fact that it causes segregation. Its really useful if you want to separate traffic on the same subnet AND on the same switch.

I find subnetting easier to manage myself so I don't usually mess with VLANS. However, They are great for running a single cable drop to a VOIP phone and a computer.

Id say they are overkill for a home setup when subnetting can be a bit easier to setup assuming you have multiple configurable LAN ports.