Operating System

  1. Apply host- and network-based packet filters.

    It makes sense to implement some kind of host-based network packet filtering mechanism, to ensure that only legitimate hosts can connect to the Sybase server. This will also help protect the base operating system that Sybase is installed on from other security problems unrelated to Sybase. Finally, it might help protect the rest of your network from further compromise should the Sybase server be successfully attacked. In general, IPTables (Linux) or the IPSec filtering rule set mechanisms that are built into Windows are sufficient.

    It also makes sense to use network-based packet filters, both to protect your Sybase servers from the rest of your network, and to protect the rest of your network from your Sybase servers.

  2. Use a low-privileged account to run Sybase.

    If possible, use a low-privileged account to run the Sybase service/daemon. This is the default on some platforms but not others. The privileges required by Sybase vary from platform to platform, and will vary depending on what you are using your database for, but it is worth investing the time to determine how much you can restrict the user that Sybase is running as.

  3. Run Sybase in a chroot jail.

    Where your platform supports it, consider running Sybase in a "chroot" jail. This will restrict the files that the Sybase process has access to, which can be an extremely effective security measure. For more information on chroot, check out the chroot manual pages for your operating system.

  4. Restrict Sybase access to the filesystem.

    As a part of your lockdown, it is wise to restrict Sybase's level of access to the rest of the filesystem. If Sybase is running as a non-administrative user, this should be a fairly straightforward matter.

  5. Restrict other users' access to the Sybase directory.

    As an additional file access lockdown, you might want to restrict the level of access that other users have to the Sybase directory structure. If other users can read and write files in the Sybase directory structure, they may be able to gain control of Sybase, or perhaps read or modify data that they should not have access to.
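One way to check items 2 and 5 on a Unix host, as an added example that is not from the book or from Sybase: a shell function that walks the Sybase directory structure and reports anything not owned by the service account or accessible to other users. The function name, the finding labels, and the directory and account you pass in are assumptions for illustration.

```shell
#!/bin/sh
# Added example: audit a Sybase directory tree for ownership and permission drift.
# Usage: audit_sybase_dir DIR OWNER
#   DIR   - root of the Sybase directory structure (site-specific, assumption)
#   OWNER - low-privileged account (name or numeric uid) that runs Sybase (assumption)
# Prints one line per finding. Returns 0 if clean, 1 on findings, 2 on bad usage.
audit_sybase_dir() {
    dir=$1
    owner=$2
    if [ -z "$dir" ] || [ -z "$owner" ] || [ ! -d "$dir" ]; then
        echo "usage: audit_sybase_dir DIR OWNER" >&2
        return 2
    fi

    # Symlinks are skipped: their own mode bits are meaningless on most systems.
    findings=$(
        # Files owned by another account can be replaced behind Sybase's back.
        find "$dir" ! -type l ! -user "$owner" -print | sed 's/^/WRONG-OWNER /'
        # Any local user can modify these.
        find "$dir" ! -type l -perm -0002 -print | sed 's/^/WORLD-WRITABLE /'
        # Every member of the owning group can modify these.
        find "$dir" ! -type l -perm -0020 -print | sed 's/^/GROUP-WRITABLE /'
        # Any local user can read these files or traverse these directories.
        find "$dir" ! -type l \( -perm -0004 -o -perm -0001 \) -print |
            sed 's/^/WORLD-READABLE /'
    )

    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Run directly as: sh audit.sh DIR OWNER
if [ "$#" -ge 2 ]; then
    audit_sybase_dir "$1" "$2"
fi
```

A file can appear under more than one label; group-writable entries are only a problem if accounts other than the Sybase user belong to that group.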



Database Hacker's Handbook. Defending Database Servers
The Database Hackers Handbook: Defending Database Servers
ISBN: 0764578014
EAN: 2147483647
Year: 2003
Pages: 156
