Hi. As is becoming more common, one of our customers recently had a security audit.

Vulnerability: Sybase Adaptive Server Anywhere (ASA) Ping

The remote Sybase SQL Anywhere / Adaptive Server Anywhere database is configured to listen for client connection broadcasts, which allows an attacker to see the name and port that the Sybase SQL Anywhere / Adaptive Server Anywhere server is running on.

Service: -

CVSSv2: AV:N/AC:L/Au:N/C:P/I:N/A:N (Base Score: 5.00)

Remediation Action: Switch off broadcast listening via the ‘-sb’ switch when starting Sybase.

What is the downside (if any) of using the -sb switch? Should I recommend another switch, or include the -sb in a group of other switches?

Thanks,
What version are you using?

I can't give any security recommendations - just tell about the "downside" in terms of changes needed for client apps:

AFAIK, when using -sb 0 ("stealth mode"), clients connecting over TCP/IP must specify the TCP/IP address in the connection string (or SQL CONNECT information) in order to be able to connect to the server. For v12 clients, you can use the HOST connection parameter. For older clients, you will have to use the HOST protocol option (and the DoBroadcast=NONE option, I guess). In case the server is not using the default port (2638), you will also have to add the port number to the HOST connection parameter or add the PORT protocol option.

In contrast, using "-sb 1" won't affect client connection logic but prevents the server from reacting to dblocate. However, I haven't checked whether it will stop reacting to port scans.

Just to add: Using NETSTAT -a, the UDP port is still visible locally - independent of the -sb setting - tested with 12.0.1.3554...

FWIW: For general security questions, you might have a look at the following whitepaper: Securing SQL Anywhere Server 10. (However, it addresses the -sb 0 stealth mode just with a few lines.)
(25 Feb '12, 12:44)
Volker Barth
IMHO, any security-related recommendation is only useful when the possible risk is specified.
So, what is the risk you (or your customers) try to minimize? Do you fear any DoS against these ports, or do you see a risk that malicious users could try to connect to the server once they have noticed its existence?
Hi Colleagues,
Regarding the finding, Using NETSTAT -a, the UDP port is still visible locally - independent of the -sb setting
We have a customer who is concerned that this listener is still visible.
Is there any working solution to really hide/protect this?
If "-sb 0" is specified, the server will still bind to the UDP port, but will not respond to UDP requests from clients. There is no other use for this UDP port - it cannot be used to access the database server.
If "-sb 0" isn't specified, the only information available through the UDP port is:
By using the '-dh' option, database information can be hidden from broadcast requests, and the '-sb 0' switch can turn off UDP responses completely. There is no other information that can be gained via this port.
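The -sb / -dh behaviour described in the two answers above (stealth mode, -sb 1 versus -sb 0, and -dh hiding database names), as an added shell example that is not part of the original thread and not code from SAP/Sybase: a small POSIX sh audit helper that reads a SQL Anywhere server command line and reports whether the "ASA Ping" finding is closed and what that means for client connection strings. The binary names dbsrv*/dbeng*, reading command lines from `ps`, and the sample command lines are my assumptions and constructed data, not taken from the page; the connection-string wording (HOST, PORT, DoBroadcast=NONE, default port 2638) follows the answer above.

```shell
#!/bin/sh
# Audit helper for the "ASA Ping" finding: inspect a SQL Anywhere server
# command line and report how its UDP broadcast listener is configured.
# Added example, not from the forum thread. Assumptions (labelled): server
# binaries are named dbsrv*/dbeng*; running command lines come from `ps`.

# sb_mode CMDLINE -> prints the value given to -sb ("0" or "1"), or "unset"
sb_mode() {
    _v=$(printf '%s\n' "$1" | sed -n 's/.*-sb *\([01]\)\( .*\)*$/\1/p')
    if [ -n "$_v" ]; then echo "$_v"; else echo unset; fi
}

# has_dh CMDLINE -> returns 0 if the -dh switch (hide database names) is present
has_dh() {
    case " $1 " in
        *" -dh "*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_cmdline CMDLINE -> prints a verdict; returns 0 only when -sb 0 is set
audit_cmdline() {
    _mode=$(sb_mode "$1")
    case "$_mode" in
        0)
            echo "OK: -sb 0 (stealth): server ignores client broadcasts and dblocate."
            echo "    Clients must name the host: v12 HOST=addr[:port]; older clients"
            echo "    LINKS=tcpip(HOST=addr;PORT=2638;DoBroadcast=NONE)."
            has_dh "$1" || echo "    Note: -dh absent (defence in depth if -sb 0 is ever removed)."
            return 0 ;;
        1)
            echo "PARTIAL: -sb 1: dblocate is ignored, but client broadcasts still get a reply."
            has_dh "$1" || echo "    Hint: add -dh so database names are not disclosed in replies."
            return 1 ;;
        *)
            echo "FINDING: no -sb switch; server answers UDP broadcasts with its name and port."
            return 1 ;;
    esac
}

# audit_running -> audit every SQL Anywhere server visible to ps (Unix hosts;
# hypothetical binary names dbsrv*/dbeng*)
audit_running() {
    ps -eo args= | grep -E '(^|/)db(srv|eng)[0-9]*( |$)' | while IFS= read -r _line; do
        echo "== $_line"
        audit_cmdline "$_line" || true
    done
}

# Constructed sample command lines (not captured from any real host)
SAMPLE_OPEN='dbsrv12 -n demo -x tcpip(port=2638) demo.db'
SAMPLE_DBLOCATE_ONLY='dbsrv12 -n demo -x tcpip(port=2638) -sb 1 demo.db'
SAMPLE_STEALTH='dbsrv12 -n demo -x tcpip(port=2638) -sb 0 -dh demo.db'

for _c in "$SAMPLE_OPEN" "$SAMPLE_DBLOCATE_ONLY" "$SAMPLE_STEALTH"; do
    echo "== $_c"
    audit_cmdline "$_c" || true
done
```

Run `audit_running` on the database host to check the live servers instead of the samples; the exit status of `audit_cmdline` (0 only for `-sb 0`) makes it easy to wire into a compliance job, and the verdict text carries the client-side consequence from the answer above so the application owners know which connection strings have to change.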