includes support for protocols such as Oracle's TNS and Microsoft's and Sybase's TDS. But most important, it is a great TCP/IP sniffer. Note that while the technically correct term is a network protocol analyzer, and while "sniffer" is trademarked by Network Associates (now McAfee Inc.), most network professionals still use the term sniffer or network sniffer. Also note that Ethereal is just one possible sniffer, and there are numerous other such products—some free and some for which you have to pay.
Let's move on and see what kind of eavesdropping we can do using these tools. As an example, suppose that I have an Oracle 10g server and I connect to it using SQL*Plus. I can trace TCP/IP connections on the database server, on the client machine running SQL*Plus, or on any machine that can see these communication streams (e.g., a machine that is connected to a hub along with the client or the server, or a machine that is getting mirrored traffic). If I want to see all TCP/IP traffic coming into the machine, I can use the following tcpdump command (in this case on Linux):
tcpdump -i eth1 host goose
This command says that I want to see traffic flowing through the eth1 interface (one of my network interfaces) and that I want only traffic coming from or going to the host named goose. Tcpdump has many filtering rules: for example, I can filter on a port (e.g., port 1433 if I am trying to sniff Microsoft SQL Server traffic), but for now filtering on the host is enough. The output I get from tcpdump looks as follows:
15:10:43.323110 192.168.1.168.4326 > goose.guardium.com.1522: S 3477922729:3477922729(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
15:10:43.323236 goose.guardium.com.1522 > 192.168.1.168.4326: S 3856403494:3856403494(0) ack 3477922730 win 5840 <mss 1460,nop,nop,sackOK> (DF)
15:10:43.323736 192.168.1.168.4326 > goose.guardium.com.1522: . ack 1 win 64240 (DF)
15:10:43.324860 192.168.1.168.4326 > goose.guardium.com.1522: P 1:244(243) ack 1 win 64240 (DF)
15:10:43.324876 goose.guardium.com.1522 > 192.168.1.168.4326: . ack 244 win 6432 (DF)
15:10:43.349840 goose.guardium.com.1522 > 192.168.1.168.4326: P 1:9(8) ack 244 win 6432 (DF)
15:10:43.350464 192.168.1.168.4326 > goose.guardium.com.1522: P 244:487(243) ack 9 win 64232 (DF)
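The tcpdump output above is exactly what a network-based database monitoring point has to work from: it must recognise the three-way handshake, decide which side is the client and which is the database listener, and count how much payload crosses the wire in each direction before it can even begin decoding TNS or TDS. The following script is an added example, not code from the book or from any product it mentions; it parses the seven lines quoted above (embedded here as constructed sample input, rejoined onto one line each) into a per-session summary. The port labels are assumptions for illustration: 1433 for Microsoft SQL Server comes from the text, while treating 1521 and 1522 as Oracle listener ports is my own mapping.

```python
import re

# Constructed sample: the tcpdump lines quoted in the text, one packet per line.
SAMPLE = """\
15:10:43.323110 192.168.1.168.4326 > goose.guardium.com.1522: S 3477922729:3477922729(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
15:10:43.323236 goose.guardium.com.1522 > 192.168.1.168.4326: S 3856403494:3856403494(0) ack 3477922730 win 5840 <mss 1460,nop,nop,sackOK> (DF)
15:10:43.323736 192.168.1.168.4326 > goose.guardium.com.1522: . ack 1 win 64240 (DF)
15:10:43.324860 192.168.1.168.4326 > goose.guardium.com.1522: P 1:244(243) ack 1 win 64240 (DF)
15:10:43.324876 goose.guardium.com.1522 > 192.168.1.168.4326: . ack 244 win 6432 (DF)
15:10:43.349840 goose.guardium.com.1522 > 192.168.1.168.4326: P 1:9(8) ack 244 win 6432 (DF)
15:10:43.350464 192.168.1.168.4326 > goose.guardium.com.1522: P 244:487(243) ack 9 win 64232 (DF)
"""

# Assumed port-to-protocol mapping (1433 is from the text; the Oracle ports are my assumption).
DB_PORTS = {1433: "TDS (Microsoft SQL Server)", 1521: "TNS (Oracle)", 1522: "TNS (Oracle)"}

# Classic tcpdump TCP line: "<ts> <src>.<port> > <dst>.<port>: <flags> [seq:end(len)] [ack N] win W ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) "
    r"(?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<flags>[SFRP.]+)"
    r"(?: (?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\))?"
    r"(?: ack (?P<ack>\d+))?"
    r" win (?P<win>\d+)"
)


def split_endpoint(ep):
    """'goose.guardium.com.1522' -> ('goose.guardium.com', 1522); the port is the last dotted field."""
    host, port = ep.rsplit(".", 1)
    return host, int(port)


def parse_line(line):
    """Return a packet dict for one tcpdump line, or None if the line is not a TCP packet line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": m["ts"],
        "src": split_endpoint(m["src"]),
        "dst": split_endpoint(m["dst"]),
        "flags": m["flags"],
        "payload": int(m["len"]) if m["len"] else 0,
        "ack": int(m["ack"]) if m["ack"] else None,
    }


def summarize_sessions(text):
    """Group packets into TCP sessions keyed by (client, server) and tally handshake and payload bytes."""
    sessions = {}
    for raw in text.splitlines():
        pkt = parse_line(raw)
        if pkt is None:
            continue
        # A SYN with no ACK opens a session; its sender is the client, its target the server.
        if "S" in pkt["flags"] and pkt["ack"] is None:
            sessions[(pkt["src"], pkt["dst"])] = {
                "client": pkt["src"], "server": pkt["dst"],
                "protocol": DB_PORTS.get(pkt["dst"][1], "unknown"),
                "handshake": ["SYN"], "client_bytes": 0, "server_bytes": 0, "pushes": 0,
            }
            continue
        # Packets in either direction belong to the same session key.
        key = (pkt["src"], pkt["dst"]) if (pkt["src"], pkt["dst"]) in sessions else (pkt["dst"], pkt["src"])
        s = sessions.get(key)
        if s is None:
            continue  # traffic for a session whose SYN we did not see
        if "S" in pkt["flags"] and pkt["ack"] is not None:
            s["handshake"].append("SYN-ACK")
        elif s["handshake"] == ["SYN", "SYN-ACK"] and pkt["flags"] == "." and pkt["payload"] == 0:
            s["handshake"].append("ACK")
        if pkt["src"] == s["client"]:
            s["client_bytes"] += pkt["payload"]
        else:
            s["server_bytes"] += pkt["payload"]
        if "P" in pkt["flags"]:
            s["pushes"] += 1
    return list(sessions.values())


if __name__ == "__main__":
    for s in summarize_sessions(SAMPLE):
        print(f"{s['client'][0]}:{s['client'][1]} -> {s['server'][0]}:{s['server'][1]} "
              f"[{s['protocol']}] handshake={'/'.join(s['handshake'])} "
              f"client_bytes={s['client_bytes']} server_bytes={s['server_bytes']} pushes={s['pushes']}")
```

On the sample, the summary shows one completed handshake from 192.168.1.168:4326 to goose.guardium.com:1522, with 486 bytes pushed by the SQL*Plus client and 8 bytes returned by the listener. Every one of those bytes is visible to whoever can see the stream, which is the whole point of the eavesdropping discussion: without encryption, the sniffer's view of the session is the same as the database's.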