Firewall Wizards mailing list archives
Re: Sybase Proxy for FireWall-1 ?
From: "Ryan Russell" <Ryan.Russell () sybase com>
Date: Tue, 18 May 1999 00:15:50 -0700
> Consider this setup: Web server in a DMZ, accessible from the Internet by the public. Sybase Open Server database runs on a server in another DMZ of the same firewall.
> Web server queries this database (Cold Fusion and Sybase Open Client)

Yes, I've seen similar setups.

> I am looking for a proxy that allows to control the Sybase queries. This proxy should do more than just opening a port, e.g. make sure that no data is modified on the database.

I've seen two claims to app-level proxies for the TDS protocol. Neither source provided me with any info when I requested it. If memory serves, one of them was included (or available?) with Gauntlet. Another couple of guys on the FreeTDS group are looking at doing something along those lines. None of the ones I've heard of specifically claim to be able to make things read-only. If you outlaw stored procs, and have the source for the TDS proxy, you could probably just limit it to select statements. If you need stored procs, there won't be any good way for a proxy to know if the stored proc does updates or not.

> In my understanding, Sybase keeps its protocol specs proprietary which makes it probably hard for a firewall vendor to do a good job.

We're about to release the specs, and open-source OpenClient. Real Soon Now. Seriously, we are... I think our legal department is just taking their time. Current talk is to get the stuff to the FreeTDS guys, but it would be available to anyone.

> Checkpoint's FireWall-1 offers some Sybase-filters (they claim to cooperate with Sybase), however I was not able to get more information so far on what these filters exactly can do for me (neither by Sybase nor by Checkpoint).

http://www.checkpoint.com/products/technology/sqlserver.html

I found this in a few seconds by using the search feature on Checkpoint's web site. I'm curious who you asked at Sybase and why that process is broken. I wrote the instructions at the URL above, and passed them along to Checkpoint. We can't have a pre-defined service listed in the GUI because we don't run on a fixed port. Incidentally, all this does is open a port, just like you said you didn't want.

> Can anyone give me this information? What else can I do in order to enforce my policies by the firewall?

I don't know that there is a good solution available right now, given your requirements. Are you able to take advantage of the security features built into the SQL server itself? Sadly, I'm not a Sybase expert and can't speak much to that part.

Ryan

P.S. FreeTDS at: http://metalab.unc.edu/freetds/
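
The "limit it to select statements" idea from the reply above, as an added Python example that is not part of the original message or of any product it mentions. It assumes the proxy has already extracted the SQL batch text from the TDS request and that stored procedures are outlawed; `check_batch` and the `DENIED` list are hypothetical names and choices made for this illustration.

```python
import re
from typing import Tuple

# Hypothetical deny list (an assumption of this example). T-SQL needs no
# separator between statements, so "select 1 delete from t" is one batch with
# two statements; every token outside string literals is therefore checked.
DENIED = {
    "insert", "update", "delete", "into", "exec", "execute", "create",
    "drop", "alter", "truncate", "grant", "revoke", "use", "set",
    "declare", "begin", "commit", "rollback", "dump", "load", "kill",
    "writetext", "waitfor", "shutdown", "dbcc",
}
_LITERAL = re.compile(r"'(?:[^']|'')*'|\"(?:[^\"]|\"\")*\"")
_TOKEN = re.compile(r"[A-Za-z_#@][A-Za-z0-9_#@$]*")


def check_batch(sql: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for one SQL batch; anything unclear is refused."""
    # Blank out quoted literals so their contents are never read as keywords.
    stripped = _LITERAL.sub("''", sql)
    if "'" in stripped.replace("''", "") or '"' in stripped:
        return False, "unterminated string literal"
    if "--" in stripped or "/*" in stripped:
        return False, "comments not allowed"
    tokens = [t.lower() for t in _TOKEN.findall(stripped)]
    # A bare procedure name as the first word of a batch runs that procedure,
    # so the batch must start with SELECT, not merely avoid EXEC.
    if not tokens or tokens[0] != "select":
        return False, "batch does not start with SELECT"
    bad = sorted(DENIED.intersection(tokens))
    if bad:
        return False, "denied keyword: " + bad[0]
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample batches, not taken from the thread.
    for batch in [
        "select name from customers where city = 'Delete Town'",
        "select 1 delete from orders",
        "select * into scratch from orders",
        "sp_who",
    ]:
        print(check_batch(batch), batch)
```

The filter refuses some harmless queries (for example a column named `set`) because it has no SQL grammar; that trade keeps it failing closed.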
Current thread:
- Sybase Proxy for FireWall-1 ? Martin Hauser (May 17)
- <Possible follow-ups>
- Re: Sybase Proxy for FireWall-1 ? Ryan Russell (May 18)
- Re: Sybase Proxy for FireWall-1 ? ark (May 19)