Firewall Wizards mailing list archives
Re: Sybase Proxy for FireWall-1 ?
From: "Stephen P. Gibbons" <steve () aztech net>
Date: Mon, 14 Jun 1999 01:22:43 -0700
Sorry for the late reply. It's actually possible to write a proxy for a Sybase server using only their exposed ctlib apis and the open-server model. A few years back, I worked on one that did cool things (like talking to a homegrown authentication server, and connection pooling by the proxy, and fine-grained access-control and auditing of all SQL statements.)

-- S

Ryan Russell wrote:
> > Consider this setup: Web server in a DMZ, accessible from the Internet by
> > the public. Sybase Open Server database runs on a server in another DMZ of
> > the same firewall. Web server queries this database (Cold Fusion and Sybase
> > Open Client)
>
> Yes, I've seen similar setups.
>
> > I am looking for a proxy that allows to control the Sybase queries. This
> > proxy should do more than just opening a port, e.g. make sure that no data
> > is modified on the database.
>
> I've seen two claims to app-level proxies for the TDS protocol. Neither source provided me with any info when I requested it. If memory serves, one of them was included (or available?) with Gauntlet. Another couple of guys on the FreeTDS group are looking at doing something along those lines. None of the ones I've heard of specifically claim to be able to make things read-only. If you outlaw stored procs, and have the source for the TDS proxy, you could probably just limit it to select statements. If you need stored procs, there won't be any good way for a proxy to know if the stored proc does updates or not.
>
> > In my understanding, Sybase keeps its protocol specs proprietary which
> > makes it probably hard for a firewall vendor to do a good job.
>
> We're about to release the specs, and open-source OpenClient. Real Soon Now. Seriously, we are... I think our legal department is just taking their time. Current talk is to get the stuff to the FreeTDS guys, but it would be available to anyone.
>
> > Checkpoint's FireWall-1 offers some Sybase-filters (they claim to cooperate
> > with Sybase), however I was not able to get more information so far on what
> > these filters exactly can do for me (neither by Sybase nor by Checkpoint).
>
> http://www.checkpoint.com/products/technology/sqlserver.html
>
> I found this in a few seconds by using the search feature on Checkpoint's web site. I'm curious who you asked at Sybase and why that process is broken. I wrote the instructions at the URL above, and passed them along to Checkpoint. We can't have a pre-defined service listed in the GUI because we don't run on a fixed port. Incidentally, all this does is open a port, just like you said you didn't want.
>
> > Can anyone give me this information? What else can I do in order to enforce
> > my policies by the firewall?
>
> I don't know that there is a good solution available right now, given your requirements. Are you able to take advantage of the security features built into the SQL server itself? Sadly, I'm not a Sybase expert and can't speak much to that part.
>
> Ryan
>
> P.S. FreeTDS at: http://metalab.unc.edu/freetds/
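
Added example, not part of the original thread and not code from any of the proxies mentioned in it: the check a proxy could apply to each SQL batch under the policy Ryan describes (stored procedures outlawed, select statements only). The function names, the keyword list and the sample batches in the comments are assumptions made for illustration; the check works on SQL text, not on the TDS wire format, and is deliberately conservative.

```python
import re

# Assumed policy: exactly the read-only case from the thread. The keyword list
# is constructed for this example and is not exhaustive; server-side
# permissions remain the control that actually enforces read-only access.
FORBIDDEN = {
    "insert", "update", "delete", "truncate", "drop", "create", "alter",
    "grant", "revoke", "exec", "execute", "into", "writetext", "set", "use",
    "begin", "commit", "rollback", "declare", "dbcc", "kill", "shutdown",
    "dump", "load", "checkpoint", "if", "while", "goto", "waitfor",
}

# Lexical elements in priority order: comments and string literals are matched
# first so that keywords inside them are never treated as statements.
TOKEN = re.compile(
    r"(?P<comment>--[^\n]*|/\*.*?\*/)"
    r"|(?P<string>'(?:[^']|'')*'|\"(?:[^\"]|\"\")*\")"
    r"|(?P<word>[A-Za-z_@#][A-Za-z0-9_@#$]*)"
    r"|(?P<other>.)",
    re.DOTALL,
)

def bare_words(sql):
    """Yield lowercase words found outside comments and string literals."""
    for m in TOKEN.finditer(sql):
        if m.lastgroup == "word":
            yield m.group().lower()
        elif m.lastgroup == "other" and m.group() in "'\"":
            # A quote that did not start a complete literal: refuse to guess.
            raise ValueError("unterminated string literal")

def allow_batch(sql):
    """Return (allowed, reason) for one SQL batch on its way to the server."""
    try:
        words = list(bare_words(sql))
    except ValueError as exc:
        return False, str(exc)
    # A batch may begin with a procedure name and no EXEC keyword, so anything
    # that does not start with SELECT is denied outright.
    if not words or words[0] != "select":
        return False, "batch must start with select"
    # Statements in a batch need no separator ("select 1 update t ..."), and
    # SELECT ... INTO creates a table, so every bare word is checked.
    hit = next((w for w in words if w in FORBIDDEN), None)
    if hit:
        return False, "forbidden keyword: " + hit
    return True, "ok"
```

A column or table whose name collides with a listed keyword is rejected as well; that false positive is the price of not parsing the full grammar.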