Firewall Wizards mailing list archives

Re: Sybase Proxy for FireWall-1 ?


From: "Ryan Russell" <Ryan.Russell () sybase com>
Date: Tue, 18 May 1999 00:15:50 -0700




> Consider this setup:
>
> Web server in a DMZ, accessible from the Internet by the public.
>
> Sybase Open Server database runs on a server in another DMZ of the same
> firewall.
>
> Web server queries this database (Cold Fusion and Sybase Open Client)

Yes, I've seen similar setups.

> I am looking for a proxy that allows one to control the Sybase queries. This
> proxy should do more than just open a port, e.g. make sure that no data is
> modified on the database.

I've seen two claims to app-level proxies for the TDS protocol.  Neither source
provided me with any info when I requested it.  If memory serves, one of them
was included (or available?) with Gauntlet.  Another couple of guys on the
FreeTDS group are looking at doing something along those lines.  None of the
ones I've heard of specifically claim to be able to make things read-only.  If
you outlaw stored procs, and have the source for the TDS proxy, you could
probably just limit it to select statements.  If you need stored procs, there
won't be any good way for a proxy to know if the stored proc does updates or
not.

> In my understanding, Sybase keeps its protocol specs proprietary, which makes
> it probably hard for a firewall vendor to do a good job.

We're about to release the specs, and open-source OpenClient.   Real Soon Now.
Seriously, we are... I think our legal department is just taking their time.
Current talk is to get the stuff to the FreeTDS guys, but it would be available
to anyone.

> Checkpoint's FireWall-1 offers some Sybase filters (they claim to cooperate
> with Sybase), however I was not able to get more information so far on what
> these filters exactly can do for me (neither from Sybase nor from Checkpoint).

http://www.checkpoint.com/products/technology/sqlserver.html

I found this in a few seconds by using the search feature on
Checkpoint's web site.  I'm curious who you asked at Sybase
and why that process is broken.  I wrote the instructions at
the URL above, and passed them along to Checkpoint.  We
can't have a pre-defined service listed in the GUI because we
don't run on a fixed port.

Incidentally, all this does is open a port, just like you said you didn't
want.

> Can anyone give me this information?
> What else can I do in order to enforce my policies with the firewall?

I don't know that there is a good solution available right now, given
your requirements.  Are you able to take advantage of the security
features built into the SQL server itself?  Sadly, I'm not a Sybase expert
and can't speak much to that part.

                         Ryan

P.S.  FreeTDS at: http://metalab.unc.edu/freetds/

