As this Question is about to disappear off the main screen (sorry if someone was already planning on answering them in that question), can anyone from Sybase answer two of the questions asked in the comments?

So just to be clear, the only way we'll ever be able to secure v10 databases is to never use jConnect or Open client after stopping them all and adding that to the start-up?

And

What exactly is a "TDS secure login", and can I use a TDS connection without a secure login? - If the latter is true (and also the default - which I guess), then for these connections no (additional) security problem has been noticed, and why should one worry then?

AFAIK, a secure login would require the use of jConnect's ENCRYPT_PASSWORD connection property - but I'm not sure...

Thanks

asked 14 Aug '12, 08:31

Daz Liquid

edited 14 Aug '12, 08:44

Volker Barth

1

FWIW, I usually simply add a comment on a question that is bound to get "forgotten" to "re-activate" it - but in this case, the resume of the open detail questions seems really worthwhile...

(14 Aug '12, 08:34) Volker Barth
1

Fully agree, but we seemed to be the only people paying attention to that question :-)

(14 Aug '12, 08:50) Daz Liquid

If you wish to secure your environment against all protocol-level attacks, you should never open up TDS connections and only use strongly-encrypted TLS/HTTPS connections instead. This is for all versions of SQL Anywhere, not just version 10 - see: http://dcx.sybase.com/index.html#1201/en/dbadmin/tds-conparm.html. Strongly-encrypted connections should always be used in any area where you are concerned about protocol-level security.

If you still require the use of TDS connections, you should apply the patch mentioned in the previous question for version 11/12. If you are using version 10, you should be looking at upgrading to version 11/12 as version 10 is End-of-Life'd.

If you require further specific details about your situation and your business exposure/relation to this bug, those details would be best discussed through a technical support case so we can better address your particular situation/environment and your work-around options with you directly.

answered 16 Aug '12, 12:07

Jeff Albion

So if anyone is concerned about security (isn't everyone?) they shouldn't use jConnect or open client with v10 and to force this TDS should be disabled? Or is there a way of using them without TDS?

(16 Aug '12, 17:29) Daz Liquid
1

FWIW... if both database client and database server are behind the firewall then this discussion is moot... which is generally the case; e.g., where an application server is the "database client".

(16 Aug '12, 17:52) Breck Carter
3

Daz, as I mentioned, if you are specifically concerned about your setup with SQL Anywhere version 10 and this bug, please open a technical support case - we can provide you with more details about your specific business exposure to this bug once we understand your specific environment. As Breck mentions, your actual architecture arrangement will affect your risk exposure to this bug.

TDS is not a required protocol to access the database server - e.g. if you are only using TDS for JDBC connections (jConnect), you may be in a position to switch to another JDBC driver (SQL Anywhere JDBC driver) and use protocol-level encryption instead via -ec and ENC=.

(Aside: Changing from jConnect to the SQL Anywhere JDBC driver is a good idea for other reasons like "performance benefits and feature benefits": http://www.sybase.com/detail?id=1037304 )

(17 Aug '12, 13:05) Jeff Albion
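
A check for the two server-side settings recommended in this thread, as an added example (not code from the thread or from Sybase): it flags a server command line that still accepts TDS or non-TLS connections. The command lines, file names and finding codes are constructed; it assumes TDS is accepted unless the `-x` protocol options say `TDS=NO`, and that unencrypted connections are accepted unless `-ec` restricts them.

```python
import re
import shlex

# Constructed sample command lines (file names and password are placeholders).
WEAK = 'dbsrv12 -x tcpip demo.db'
MIXED = ('dbsrv12 -x "tcpip(TDS=NO)" -ec "simple,tls(tls_type=rsa;'
         'identity=server.id;identity_password=PLACEHOLDER)" demo.db')
HARDENED = ('dbsrv12 -x "tcpip(TDS=NO)" -ec "tls(tls_type=rsa;'
            'identity=server.id;identity_password=PLACEHOLDER)" demo.db')


def option_value(args, flag):
    """Return the argument following `flag`, or None if the flag is absent."""
    for i, arg in enumerate(args[:-1]):
        if arg == flag:
            return args[i + 1]
    return None


def audit_server_args(cmdline):
    """Return findings for one server command line; an empty list means it passes."""
    args = shlex.split(cmdline)
    findings = []

    # Assumption: TDS is accepted unless the -x protocol options say TDS=NO.
    # Only the literal value NO is treated as disabled; anything else is flagged.
    x_value = option_value(args, "-x") or ""
    tds = re.search(r"\bTDS\s*=\s*(\w+)", x_value, re.IGNORECASE)
    if not (tds and tds.group(1).upper() == "NO"):
        findings.append("TDS_OPEN")

    # Assumption: without -ec the server accepts unencrypted connections.
    ec_value = option_value(args, "-ec")
    if ec_value is None:
        findings.append("EC_MISSING")
    else:
        # -ec takes a comma-separated list of types; drop each "(...)" parameter
        # group so only the type names (none, simple, tls) remain.
        types = re.sub(r"\([^)]*\)", "", ec_value).lower().split(",")
        for t in types:
            if t.strip() != "tls":
                findings.append("EC_WEAK:" + t.strip())
    return findings


if __name__ == "__main__":
    for name, line in (("WEAK", WEAK), ("MIXED", MIXED), ("HARDENED", HARDENED)):
        print(name, audit_server_args(line) or "ok")
```
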

Ahh, that's much more helpful, I'll give swapping jConnect for the SQL Anywhere driver a try, I'm not sure why it's taken this long to get here but I think that'll do the trick, thanks for the help.

(19 Aug '12, 15:26) Daz Liquid

If this were 5 years ago, I would agree. But as this article points out, the firewall is a relic that hasn't been stopping attacks for a while. Since most bot-nets are infecting computers inside the firewall, it's probably a good idea to assume that any security that you would apply on the open internet also applies inside your own corporate network. Just a thought.

(19 Aug '12, 23:16) Jonathan Baker
question asked: 14 Aug '12, 08:31

question was seen: 4,379 times

last updated: 19 Aug '12, 23:16