<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Security Fight Club &#187; Firewalls</title>
	<atom:link href="http://www.securityfightclub.com/category/networks/firewalls/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.securityfightclub.com</link>
	<description>Brought to you by Awareness Technologies</description>
	<lastBuildDate>Sat, 05 Jun 2010 04:08:44 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Keep your databases off the Internet</title>
		<link>http://www.securityfightclub.com/keep-your-databases-off-the-internet/</link>
		<comments>http://www.securityfightclub.com/keep-your-databases-off-the-internet/#comments</comments>
		<pubDate>Wed, 07 Oct 2009 02:46:55 +0000</pubDate>
		<dc:creator>mrdenny</dc:creator>
				<category><![CDATA[Attack Scripts]]></category>
		<category><![CDATA[Brute Force Cracking]]></category>
		<category><![CDATA[Data Loss]]></category>
		<category><![CDATA[Endpoints]]></category>
		<category><![CDATA[Firewalls]]></category>
		<category><![CDATA[Listeners]]></category>
		<category><![CDATA[Oracle]]></category>
		<category><![CDATA[Routers]]></category>
		<category><![CDATA[SQL Server]]></category>
		<category><![CDATA[Service Broker]]></category>
		<category><![CDATA[ACLs]]></category>
		<category><![CDATA[Endpoint]]></category>
		<category><![CDATA[firewall]]></category>
		<category><![CDATA[Internet Access]]></category>
		<category><![CDATA[Listener]]></category>
		<category><![CDATA[VPN]]></category>

		<guid isPermaLink="false">http://www.securityfightclub.com/?p=99</guid>
		<description><![CDATA[There are way too many people who keep their database servers available from the public Internet.  This is just a disaster waiting to happen.
Your database holds all of your data.  If someone were to get into your database server they would have access to view, and possibly delete, all your data, forcing you to restore [...]]]></description>
			<content:encoded><![CDATA[<p>There are way too many people who keep their database servers available from the public Internet.  This is just a disaster waiting to happen.<span id="more-99"></span></p>
<p>Your database holds all of your data.  If someone were to get into your database server they would have access to view, and possibly delete, all your data, forcing you to restore your data from your backup.  In a perfect world there would be no database servers directly accessible from the Internet.  There is pretty much no reason for database servers to be directly accessible from the Internet.</p>
<p>If your servers are CoLo&#8217;d then set up a VPN between your office and the CoLo, or VPN directly into the CoLo.  There are some hosting providers which prefer to set up the servers on public IPs; however, most of them will, if requested, use private IPs and configure a site-to-site VPN connection for you.</p>
<p>Pretty much the only time that a database needs to be on the Internet is when you are replicating data between servers, as this will typically require that at least one of the servers be on the public Internet.  SQL Service Broker can need to be on the public Internet as well.  However, in both of these cases you don&#8217;t need to give the server a public IP.  You can give the server a private IP, and NAT the server from the Internet to the private IP.  However, make sure that only the correct port or ports are open through the firewall.</p>
<p>In Oracle this should be done by setting up a new listener.  In SQL Server this is done by setting up a new endpoint, either for general connections or, in the case of Service Broker, an endpoint to connect to which listens on a separate TCP port.  When setting up these listeners or endpoints, make sure that only the accounts which need access to them have access.  This way the minimal attack surface is available from the Internet.  In addition, you will want to set up your firewall or router ACLs to allow only the required public IP addresses to have access to the listener or endpoint.</p>
<p>With your database being publicly available, attack scripts could attack it, or people could manually try to break in.  With SQL Server running in mixed mode, and with Oracle, there are accounts with well-known usernames, such as system and sa, which can be brute forced.  When SQL Server is running in Windows only mode, breaking in is harder, but not impossible.</p>
<p>Denny</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securityfightclub.com/keep-your-databases-off-the-internet/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Why should the DBA care about Network Firewalls?</title>
		<link>http://itknowledgeexchange.techtarget.com/sql-server/why-should-the-dba-care-about-network-firewalls/</link>
		<comments>http://itknowledgeexchange.techtarget.com/sql-server/why-should-the-dba-care-about-network-firewalls/#comments</comments>
		<pubDate>Tue, 18 Aug 2009 23:48:11 +0000</pubDate>
		<dc:creator>SQL Server with Mr. Denny &#62; Security » Security</dc:creator>
				<category><![CDATA[Firewalls]]></category>
		<category><![CDATA[SQL Server]]></category>
		<category><![CDATA[Syndicated]]></category>
		<category><![CDATA[Networking]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[SQL Server with mrDenny]]></category>

		<guid isPermaLink="false">tag:itknowledgeexchange.techtarget.com://7060d8e67aa2a64df3a3260bac06b79a</guid>
		<description><![CDATA[All too often I see people online asking some sort of question about connecting to their CoLo'ed SQL Server and they connect directly over the Internet.  This is nuts, people.  If you can access your SQL Server via Management Studio from anywhere on the Internet so can people who would ...]]></description>
			<content:encoded><![CDATA[All too often I see people online asking some sort of question about connecting to their CoLo'ed SQL Server and they connect directly over the Internet.  This is nuts, people.  If you can access your SQL Server via Management Studio from anywhere on the Internet so can people who would ...]]></content:encoded>
			<wfw:commentRss>http://www.securityfightclub.com/why-should-the-dba-care-about-network-firewalls/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Home routers are an inexpensive way to protect your home computer from attack</title>
		<link>http://www.securityfightclub.com/home-routers-are-an-inexpensive-way-to-protect-your-home-computer-from-attack/</link>
		<comments>http://www.securityfightclub.com/home-routers-are-an-inexpensive-way-to-protect-your-home-computer-from-attack/#comments</comments>
		<pubDate>Tue, 11 Aug 2009 20:12:45 +0000</pubDate>
		<dc:creator>mrdenny</dc:creator>
				<category><![CDATA[Firewalls]]></category>
		<category><![CDATA[Home Networks]]></category>
		<category><![CDATA[Routers]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[firewall]]></category>
		<category><![CDATA[Protection]]></category>
		<category><![CDATA[WiFi]]></category>

		<guid isPermaLink="false">http://www.securityfightclub.com/?p=34</guid>
		<description><![CDATA[One of the easiest ways that people can protect their home computer from attack costs between $50 US and $100 US. This quick and easy solution is a home router either with or without wireless capabilities.  In these days of network-based attacks a home router separates your home computer from the internet with a firewall [...]]]></description>
			<content:encoded><![CDATA[<p>One of the easiest ways that people can protect their home computer from attack costs between $50 US and $100 US.<span id="more-34"></span> This quick and easy solution is a home router either with or without wireless capabilities.  In these days of network-based attacks a home router separates your home computer from the internet with a firewall which is far superior to the one installed with your operating system.  This firewall will stop network traffic before it ever gets to your computer.</p>
<p>A router also uses a technology called Network Address Translation (NAT) to mask the actual IP address that your computer is using from the internet.  The router assigns you what is called a private IP address, instead of the public IP address that your Internet Service Provider provides you.  This is just another way that the router can protect you, as the attacker can only attack the firewall of the router, and isn&#8217;t able to connect to your home computer.</p>
<p>These home routers are very easy to install, usually in just 10-15 minutes.  When you purchase the router it will usually come with a CD or DVD which has some software to assist you in configuring your router.  This will secure the router so that it can&#8217;t be accessed with the default username and password.  Be sure to change the default password to something else as the default passwords are well known by the people who may be trying to break into your computer.</p>
<p>If you purchase a router with wireless and don&#8217;t need the wireless functionality, be sure to disable it.  Most routers will allow you to disable the wireless.  If they don&#8217;t, be sure to secure the wireless using WEP or WPA encryption.  WPA is a much stronger technology and should be used if it is available.  Leaving the wireless unsecured will allow anyone driving by to access your wireless network and access your computer (if it is turned on), or access the internet using your internet connection, which could lead to accusations that should be made against them being levied against you.  (And no, you can&#8217;t leave your wireless unsecured, do things you shouldn&#8217;t be doing, and then use the "WiFi wasn&#8217;t protected" excuse.  That was already tried in court in the US and the judge rejected that argument.)</p>
<p>That said, if you can afford the computer and the internet connection, you can afford the router.  So go buy one already.</p>
<p>Denny</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securityfightclub.com/home-routers-are-an-inexpensive-way-to-protect-your-home-computer-from-attack/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

