As this question is about to disappear off the main screen (sorry if someone was already planning on answering them in that question), can anyone from Sybase answer two of the questions asked in the comments?
And thanks.
asked 14 Aug '12, 08:31 Daz Liquid Volker Barth
If you wish to secure your environment against all protocol-level attacks, you should never open up TDS connections and only use strongly-encrypted TLS/HTTPS connections instead. This is for all versions of SQL Anywhere, not just version 10 - see: http://dcx.sybase.com/index.html#1201/en/dbadmin/tds-conparm.html. Strongly-encrypted connections should always be used in any area where you are concerned about protocol-level security. If you still require the use of TDS connections, you should apply the patch mentioned in the previous question for version 11/12. If you are using version 10, you should be looking at upgrading to version 11/12 as version 10 is End-of-Life'd. If you require further specific details about your situation and your business exposure/relation to this bug, those details would be best discussed through a technical support case so we can better address your particular situation/environment and your work-around options with you directly.
answered 16 Aug '12, 12:07 Jeff Albion
So if anyone is concerned about security (isn't everyone?) they shouldn't use jConnect or Open Client with v10, and to force this TDS should be disabled? Or is there a way of using them without TDS?
(16 Aug '12, 17:29)
Daz Liquid
1
FWIW... if both database client and database server are behind the firewall then this discussion is moot... which is generally the case; e.g., where an application server is the "database client".
(16 Aug '12, 17:52)
Breck Carter
3
Daz, as I mentioned, if you are specifically concerned about your setup with SQL Anywhere version 10 and this bug, please open a technical support case - we can provide you with more details about your specific business exposure to this bug once we understand your specific environment. As Breck mentions, your actual architecture arrangement will affect your risk exposure to this bug. TDS is not a required protocol to access the database server - e.g. if you are only using TDS for JDBC connections (jConnect), you may be in a position to switch to another JDBC driver (SQL Anywhere JDBC driver) and use protocol-level encryption instead via (Aside: Changing from jConnect to the SQL Anywhere JDBC driver is a good idea for other reasons like "performance benefits and feature benefits": http://www.sybase.com/detail?id=1037304 )
(17 Aug '12, 13:05)
Jeff Albion
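A client-side illustration of the switch Jeff describes (dropping jConnect/TDS in favour of the SQL Anywhere JDBC driver with TLS protocol-level encryption), added here as an example; it is not code from this thread or from Sybase. Host name, server name, certificate path and credentials are placeholders. The `jdbc:sqlanywhere:` URL prefix, the `sybase.jdbc4.sqlanywhere.IDriver` class name, the `ENC=TLS(tls_type=rsa;trusted_certificates=...)` connection parameter and the `Encryption` connection property are taken from my recollection of the SQL Anywhere 12 documentation and are assumptions to be checked against the DCX docs for your version.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class TlsConnectionCheck {
    // Placeholder connection details (constructed for this example).
    private static final String HOST = "dbhost.example";
    private static final String SERVER_NAME = "demo";
    // Placeholder path to the CA certificate that signed the server's identity.
    private static final String TRUSTED_CA = "/path/to/rsaroot.crt";

    // Opens a session that refuses to fall back to an unencrypted TCP/IP or TDS
    // transport: ENC=TLS(...) makes the driver negotiate TLS and verify the server
    // certificate against the trusted CA (parameter names assumed from the v12 docs).
    public static Connection openEncrypted(String user, String password) throws SQLException {
        String url = "jdbc:sqlanywhere:UID=" + user + ";PWD=" + password
                + ";ENG=" + SERVER_NAME + ";HOST=" + HOST
                + ";ENC=TLS(tls_type=rsa;trusted_certificates=" + TRUSTED_CA + ")";
        return DriverManager.getConnection(url);
    }

    // Asks the server which transport encryption it sees on this connection, so the
    // application can fail closed if anything other than TLS was negotiated
    // (CONNECTION_PROPERTY('Encryption') is assumed to return e.g. 'NONE' or 'TLS').
    public static String encryptionInUse(Connection conn) throws SQLException {
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery("SELECT CONNECTION_PROPERTY('Encryption')")) {
            return rs.next() ? rs.getString(1) : null;
        }
    }

    public static void main(String[] args) throws Exception {
        // SQL Anywhere JDBC 4 driver class (assumed name for version 12).
        Class.forName("sybase.jdbc4.sqlanywhere.IDriver");
        try (Connection conn = openEncrypted("DBA", "sql")) {
            String enc = encryptionInUse(conn);
            if (!"TLS".equalsIgnoreCase(enc)) {
                throw new IllegalStateException("Expected a TLS session, got: " + enc);
            }
            System.out.println("Connected over " + enc);
        }
    }
}
```

The point of the second query is that a connection string alone only expresses intent; checking the negotiated encryption from the server side catches a misconfigured client that silently connected in the clear.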
Ahh, that's much more helpful, I'll give swapping jConnect for the SQL Anywhere driver a try, I'm not sure why it's taken this long to get here but I think that'll do the trick, thanks for the help.
(19 Aug '12, 15:26)
Daz Liquid
If this were 5 years ago, I would agree. But as this article points out, the firewall is a relic that hasn't been stopping attacks for a while. Since most bot-nets are infecting computers inside the firewall, it's probably a good idea to assume that any security that you would apply on the open internet also applies inside your own corporate network. Just a thought.
(19 Aug '12, 23:16)
Jonathan Baker
FWIW, I usually simply add a comment on a question that is bound to get "forgotten" to "re-activate" it - but in this case, the resume of the open detail questions seems really worthwhile...
Fully agree, but we seemed to be the only people paying attention to that question :-)