Defending Against Attacks

Several fairly straightforward defensive measures exist that you can take against all of the attacks mentioned in this chapter. Most of these points are covered in further detail in Chapter 16, "Securing Sybase," but for now, here is a brief overview:

  • Ensure that your server is fully patched and up to date.

  • Protect your Sybase servers with firewalls.

  • Have a stringent firewall ruleset that filters outbound traffic as well as inbound traffic. Depending on your configuration there may be no need for the Sybase server to ever initiate an outbound TCP connection, or send any UDP traffic.

  • Apply a firewall ruleset on the Sybase server itself; for example, if you are using Linux, use IPTables. The IPSec mechanism in Windows server platforms also affords some measure of protection.

  • Never permit a web application to connect to the Sybase server as an administrative account (sa, or any login granted sso_role).

  • If possible, use an alternative authentication method. The "standard" authentication mode is not sufficient.

  • If you are not using Java, don't enable it. In fact, deliberately removing some Java components might be a good idea.

  • Similarly, if you are not using external filesystem access, don't enable it.

  • If possible, run Sybase as a low-privileged user.

  • Apply appropriate filesystem permissions, to ensure that even if users were able to compromise the Sybase database, they would not be able to gain administrative control over the server itself.

  • Ensure that access to xp_cmdshell is appropriately restricted.
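
The two firewall points above (filter outbound as well as inbound, and apply a ruleset on the Sybase host itself) can be sketched as the following host ruleset generator. This is an added example, not from the book; the listener port (TCP 5000), SSH administration, and all addresses are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset for a dedicated Sybase host.
# Assumptions (not from the book): listener on TCP 5000, SSH administration,
# and the constructed documentation-range addresses below.
SYBASE_PORT="${SYBASE_PORT:-5000}"                   # assumed listener port
APP_SERVERS="${APP_SERVERS:-192.0.2.10 192.0.2.11}"  # constructed client list
ADMIN_HOST="${ADMIN_HOST:-192.0.2.50}"               # constructed admin host

# Shape check: only dotted-quad text may be interpolated into a rule.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

sybase_ruleset() {
    for ip in $APP_SERVERS $ADMIN_HOST; do
        valid_ipv4 "$ip" || { echo "bad address: $ip" >&2; return 1; }
    done
    echo '*filter'
    # Default-deny in every direction, including traffic the server originates.
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT DROP [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A OUTPUT -o lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT'
    # New inbound connections: database clients and one admin workstation only.
    for ip in $APP_SERVERS; do
        echo "-A INPUT -p tcp -s $ip --dport $SYBASE_PORT -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "-A INPUT -p tcp -s $ADMIN_HOST --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
    # Outbound: replies on client-opened TCP connections; no new TCP, no UDP.
    echo '-A OUTPUT -p tcp -m conntrack --ctstate ESTABLISHED -j ACCEPT'
    # Log whatever else the server tries to send before the DROP policy applies.
    echo '-A OUTPUT -m limit --limit 6/min -j LOG --log-prefix "sybase-egress-drop: "'
    echo 'COMMIT'
}

# Print the ruleset; nothing is loaded into the kernel by this script.
sybase_ruleset
```

Check the output with `iptables-restore --test` before loading it as root. If the host genuinely needs DNS, NTP or backup traffic, each requires its own explicit OUTPUT rule.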



Database Hacker's Handbook. Defending Database Servers
ISBN: 0764578014
EAN: 2147483647
Year: 2003
Pages: 156
