tion service. If an attacker sends random data, he or she can overwrite system memory and bring the database down, causing a denial-of-service attack. If an attacker is more sophisticated, then specially crafted code can be made to run as part of the database process, which is exactly what Slammer does. The most important part of the attack is replicating itself and sending a lot of packets on the network—propagating itself exponentially using the network. If you want to get all the gory details, go to www.techie.hopto.org/sqlworm.html.
3.6.2 Implementation options: Watch vulnerabilities that can be exploited over the network
There's really nothing new beyond the best practices discussed in Chapters
1 and 2. However, many hackers are network-savvy, and many of the worst
attacks over the past couple of years used malformed packets. This is not
only relevant to SQL Server; there are also numerous listener vulnerabilities
in Oracle that are easy to exploit (see Oracle security alerts 34, 38, 40, 42).
Therefore, watch network vulnerabilities closely and apply patches quickly.
3.7 Use firewalls
Firewalls can help you limit access to your database. You have the choice of using a conventional firewall or a specialized SQL firewall. If you use a conventional firewall, you can only filter on IP addresses and ports—firewalls can only help you with addresses that exist in the TCP/IP header. SQL firewalls, on the other hand, can help you set policies that are based not only on IP addresses but also on SQL commands, database users, application types, and database objects. You'll learn more about SQL firewalls in Chapter 5.
If you have an Oracle environment and plan to use a firewall, then you should be aware of a possible pitfall that involves redirection. Most databases listen on a single port and communicate with the clients on a single port. This is true for SQL Server (1433), DB2 UDB (50000), and Sybase (4100—these are all the default ports and may be changed at will). This is also true for Oracle on most platforms. However, sometimes Oracle redirects traffic—after the client engages the listener, it may be told to redirect to another port on which the rest of the session will occur. This is the default behavior for Oracle on Windows platforms, and it can be enabled in other operating systems (although I have never seen it being done on a UNIX system).
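Before locking a conventional firewall down to the listener port alone, it is worth checking your own connection logs for the redirection pattern described above: a client contacts the listener, then moments later opens a second connection to the same server on a different port. The script below is an added example, not from the book; it assumes a constructed log format ("timestamp src:port -> dst:port"), the default Oracle listener port 1521, and a 5-second correlation window.

```python
from datetime import datetime, timedelta

# Constructed sample log lines (not real traffic): one client (10.1.1.5) is
# redirected from the listener to port 49221; the others are not.
SAMPLE_LOG = """\
2004-03-01T10:00:00 10.1.1.5:40012 -> 10.2.2.9:1521
2004-03-01T10:00:01 10.1.1.5:40013 -> 10.2.2.9:49221
2004-03-01T10:05:00 10.1.1.7:40500 -> 10.2.2.9:1521
2004-03-01T10:30:00 10.1.1.8:41000 -> 10.2.2.9:8080
2004-03-01T11:00:00 10.1.1.5:40020 -> 10.2.2.9:1521
"""

LISTENER_PORT = 1521            # assumption: default Oracle listener port, unchanged
WINDOW = timedelta(seconds=5)   # assumption: redirect follows the listener hit quickly


def parse(line):
    """Split 'ts src_ip:src_port -> dst_ip:dst_port' into typed fields."""
    ts, src, _, dst = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src_ip, int(src_port), dst_ip, int(dst_port)


def find_redirects(log_text, listener_port=LISTENER_PORT, window=WINDOW):
    """Return (client, server, port) for every connection to a non-listener
    port that the same client opened within `window` of contacting the
    listener on that server. Each such port is one a port-only firewall rule
    would have to allow (or the redirect disabled) for sessions to survive."""
    last_listener_hit = {}   # (client, server) -> time of last listener contact
    redirects = []
    for line in log_text.splitlines():
        ts, src_ip, _, dst_ip, dst_port = parse(line)
        key = (src_ip, dst_ip)
        if dst_port == listener_port:
            last_listener_hit[key] = ts
        elif key in last_listener_hit and ts - last_listener_hit[key] <= window:
            redirects.append((src_ip, dst_ip, dst_port))
    return redirects


if __name__ == "__main__":
    for client, server, port in find_redirects(SAMPLE_LOG):
        print(f"{client} redirected by {server} to port {port}")
```

A server that never shows up in this output is safe to restrict to its listener port; one that does needs either redirection disabled or the extra ports covered by the firewall policy.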