bouno
Starting Member
23 Posts
Posted - 2002-06-18 : 20:22:06

Hello all,

Can anybody recommend me an encryption and an intrusion detection system that you may use, or that exists, for MSSQL Server 2000?

Thanks for your time.

bouno

Merkin
Funky Drop Bear Fearing SQL Dude!
4970 Posts
Posted - 2002-06-18 : 21:28:29

Hi

Can you give a little more information? What do you want to encrypt? Data, or the network communications? I am taking a guess at network, seeing as you are talking about an IDS as well.

I use Snort for an IDS; it works well and the price is right. I recommended it to someone on these forums a few weeks ago and within a few hours he had tracked down someone trying to get into his system.

It sounds like you are onto some good security thinking. If you tell me what you are trying to do I am sure I can be more help.

Damian

Edited by - merkin on 06/18/2002 21:28:49

bouno
Starting Member
23 Posts
Posted - 2002-06-19 : 12:09:05

Damian,

I need both tools to protect MSSQL Server's DATA. If I can find a tool that combines both (data and network communications) it will be the best. I heard that some programs protect just the data, others just network communications, and I guess others may combine both (encryption and IDS). I don't have a clear view of the market; just for this reason I raised the question in general for all the options, and then decide what is the best. Snort may be the solution.

Someone else recommends DbEncrypt and AppDetective @ http://www.appsecinc.com/. What is your opinion about these products? Have you ever used them, or do you know something about them?

I appreciate your time,

theodore

quote: (Damian's reply of 2002-06-18 21:28:29, quoted in full)

Edit - Fixed quote tag
Edited by - merkin on 06/19/2002 19:25:07

Merkin
Funky Drop Bear Fearing SQL Dude!
4970 Posts
Posted - 2002-06-19 : 19:34:40

Hi

I'm still a little unsure what you actually *want* to do. But here are some thoughts.

If you do a search of these forums for encryption, you may come to the conclusion that encryption of data is more trouble than it is worth. It is resource (i.e. processor) intensive to encrypt and decrypt, plus you need to store keys somewhere. If you also look around at all the people who have figured out how to encrypt things and then come asking for help because they no longer have that data, you might think some more about it.

Basically, what it comes down to is that unauthorised people should not get access to your SQL Server to get the data in the first place. If they do get access to your server and your data is encrypted, then it probably won't take too long to decrypt because the encryption key has to be accessible somewhere.

So, I feel you are better off concentrating on the security of your server itself. That means things like:

1. IDS, you are on to that already.
2. Strong passwords.
3. Security policy on DB objects, that is, users should not access data unless via stored procs etc.
4. Firewall off your database server from the internet and, if need be, the rest of your network. If you are using ASP then the webserver needs access to the DB server and that is just about it.
5. Use VPN tunnels to get access to your server for maintenance. VPN is pretty highly encrypted and should be safe.

Now, which of those options is right for you I don't know, but I would spend more time on this stuff than encrypting your data. Because, if you do that stuff right, no one will get to your data. If you do it wrong, then the encryption isn't going to help you all that much.

Hope that helps

Damian

bouno
Starting Member
23 Posts
Posted - 2002-06-19 : 21:08:07

Damian,

I agree with you, but can you explain a little on the following points? What do you mean?

1) Security policy on DB objects, that is, users should not access data unless via stored procs etc.
2) Firewall off your database server from the internet and, if need be, the rest of your network.

What is the price for Snort, and can I install Snort on the database server? I want to watch the intrusions just on the database server.

Honestly, I appreciate your time and your thoughts.

bouno

Merkin
Funky Drop Bear Fearing SQL Dude!
4970 Posts
Posted - 2002-06-19 : 21:25:29

Hi

Security policy on DB objects: Users should not be able to select from or update database tables. Instead, your application should have stored procedures or views for all data access. Then you give users permissions to the stored procedures or views and deny them access to the source tables. This way, they only get to see what you want them to see.

Firewalls: You haven't said yet what the application for your SQL Server is. If it was ASP, then users don't need network access to your database at all, only the web server does. If you run a client/server app your needs may be different. I am guessing here because you haven't told me. Basically it comes down to restricting access to anything that is not specifically needed.

IDS: Snort is a free, open source product. You can run it on the same server but I wouldn't recommend that. I would suggest getting a firewall / IDS Linux distribution like IP COP. This will let you firewall off your server and only open up specific ports. It runs Snort at the same time, which will identify intrusion attempts.

Making more sense now?

Once again, if you give me specific information, I can give you more specific answers.

Damian

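The "stored procs only" policy that Damian describes in this reply and in point 3 of his earlier list, written out in T-SQL for SQL Server 2000. This is an added example, not code posted in the thread; it uses the system procedures of that release (sp_addlogin, sp_grantdbaccess, sp_addrole, SETUSER) and assumes a database named Orders already exists. The login, role, table, column and password are placeholders chosen for the illustration.

```sql
-- Added example, not code from the thread: lock a table behind a stored
-- procedure on SQL Server 2000. The Orders database is assumed to exist;
-- login, role, table, column and password names are placeholders.
USE Orders
GO

-- A SQL login for the web application and a database role to hang
-- permissions on. Replace the placeholder password with a long random one.
EXEC sp_addlogin 'webapp', 'Placeholder-Pa55word!'
EXEC sp_grantdbaccess 'webapp', 'webapp'
EXEC sp_addrole 'app_readers'
EXEC sp_addrolemember 'app_readers', 'webapp'
GO

-- Base table holding a column the application must never be able to read.
CREATE TABLE dbo.Customer (
    CustomerId int IDENTITY(1,1) PRIMARY KEY,
    Name       nvarchar(100) NOT NULL,
    CardNumber varchar(20)   NOT NULL
)
GO
-- Constructed sample row so the procedure below has something to return.
INSERT dbo.Customer (Name, CardNumber) VALUES ('Sample Customer', '4111111111111111')
GO

-- The only sanctioned path to the data: a parameterised procedure that
-- returns just the columns the caller is entitled to see.
CREATE PROCEDURE dbo.GetCustomerName
    @CustomerId int
AS
    SELECT CustomerId, Name
    FROM dbo.Customer
    WHERE CustomerId = @CustomerId
GO

-- Grant the narrow permission and deny the broad ones. DENY overrides any
-- GRANT the role or user might pick up elsewhere (for example via public).
GRANT EXECUTE ON dbo.GetCustomerName TO app_readers
DENY SELECT, INSERT, UPDATE, DELETE ON dbo.Customer TO app_readers
GO

-- Verify as the application user. SETUSER impersonates a database user in
-- SQL Server 2000 and stays in effect until SETUSER is issued again; run
-- this as a member of sysadmin or db_owner.
SETUSER 'webapp'
GO
-- Succeeds: dbo owns both the procedure and the table, so ownership
-- chaining skips the permission check on the table.
EXEC dbo.GetCustomerName @CustomerId = 1
GO
-- Fails with "SELECT permission denied on object 'Customer'".
SELECT CardNumber FROM dbo.Customer
GO
-- Drop the impersonation.
SETUSER
GO
```

The procedure only works around the DENY because dbo owns both objects (ownership chaining). If the table were owned by a different user the chain would break, the table permissions would be checked for the caller, and the DENY would block the procedure too; keep application objects under one owner. Views take the same treatment: GRANT SELECT on the view, DENY on the base table.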
bouno
Starting Member
23 Posts
Posted - 2002-06-19 : 21:36:55

I don't trust the free. Do you?

Merkin
Funky Drop Bear Fearing SQL Dude!
4970 Posts
Posted - 2002-06-19 : 21:42:32

Yes

Snort is great and Linux makes a great firewall. A WatchGuard Firebox is running Linux; they contributed the firewall code back to the Linux source.

If you really want to spend $20,000 on a Computer Associates IDS you are welcome to, though.

Damian

bouno
Starting Member
23 Posts
Posted - 2002-06-19 : 21:48:20

But I am running the SQL Server on a Win2k platform.

Merkin
Funky Drop Bear Fearing SQL Dude!
4970 Posts
Posted - 2002-06-19 : 22:07:54

Obviously

What I am suggesting is that you set up a second box for firewalling and IDS.

But once again, seeing as I don't know what you are trying to achieve, I am guessing.

Damian

Merkin
Funky Drop Bear Fearing SQL Dude!
4970 Posts
Posted - 2002-06-19 : 22:41:44

You can actually get Snort and run it on Windows, and you can log the results to SQL Server. But it can be a pretty intensive process, especially if it is logging attempts on a webserver as well. Also, if your box gets compromised, it is a trivial step to delete the IDS logs. This is why IDS is usually a separate box.

Damian

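Damian's point that IDS logs on a compromised box are trivially deleted is, on the SQL Server side, a permissions question as much as a placement one. The following added example (not code from the thread, and not Snort's own database schema) shows an alert table that a sensor's login can only append to, plus the kind of query an analyst would run over it. It assumes a database named IdsLog exists; the login, password, table layout and sample rows are constructed for the illustration.

```sql
-- Added example, not code from the thread: an append-only alert table for
-- an IDS sensor that logs to SQL Server 2000, plus an analyst query.
-- The IdsLog database is assumed to exist; the login, password, table
-- layout and sample rows are constructed and are not Snort's schema.
USE IdsLog
GO

-- The sensor gets its own low-privilege login; nothing else should use it.
EXEC sp_addlogin 'snortlog', 'Placeholder-Pa55word!'
EXEC sp_grantdbaccess 'snortlog', 'snortlog'
GO

CREATE TABLE dbo.Alert (
    AlertId int          IDENTITY(1,1) PRIMARY KEY,
    Logged  datetime     NOT NULL DEFAULT GETDATE(),
    Sensor  varchar(32)  NOT NULL,
    SrcIp   varchar(15)  NOT NULL,
    DstIp   varchar(15)  NOT NULL,
    DstPort int          NOT NULL,
    SigName varchar(128) NOT NULL
)
GO

-- Append-only for the sensor: it can write alerts but cannot read, change
-- or delete them, so the sensor's credentials alone cannot erase its trail.
GRANT INSERT ON dbo.Alert TO snortlog
DENY SELECT, UPDATE, DELETE ON dbo.Alert TO snortlog
GO

-- Constructed sample alerts, as a sensor in front of the DB server might
-- write them (documentation address ranges, one noisy source).
INSERT dbo.Alert (Sensor, SrcIp, DstIp, DstPort, SigName) VALUES ('dmz1', '203.0.113.7',  '192.0.2.10', 1433, 'MS-SQL version probe')
INSERT dbo.Alert (Sensor, SrcIp, DstIp, DstPort, SigName) VALUES ('dmz1', '203.0.113.7',  '192.0.2.10', 1433, 'MS-SQL sa login attempt')
INSERT dbo.Alert (Sensor, SrcIp, DstIp, DstPort, SigName) VALUES ('dmz1', '203.0.113.7',  '192.0.2.10', 1433, 'MS-SQL sa login attempt')
INSERT dbo.Alert (Sensor, SrcIp, DstIp, DstPort, SigName) VALUES ('dmz1', '203.0.113.7',  '192.0.2.10', 1433, 'MS-SQL sa login attempt')
INSERT dbo.Alert (Sensor, SrcIp, DstIp, DstPort, SigName) VALUES ('dmz1', '198.51.100.4', '192.0.2.10', 1433, 'MS-SQL version probe')
INSERT dbo.Alert (Sensor, SrcIp, DstIp, DstPort, SigName) VALUES ('dmz1', '198.51.100.4', '192.0.2.11',   80, 'WEB-IIS cmd.exe access')
GO

-- Sources that hit the SQL Server port (1433) three or more times in the
-- last hour, most active first. With the rows above only 203.0.113.7 qualifies.
SELECT SrcIp,
       COUNT(*)    AS Hits,
       MIN(Logged) AS FirstSeen,
       MAX(Logged) AS LastSeen
FROM dbo.Alert
WHERE DstPort = 1433
  AND Logged >= DATEADD(hour, -1, GETDATE())
GROUP BY SrcIp
HAVING COUNT(*) >= 3
ORDER BY Hits DESC
GO
```

The DENY only limits what the sensor's own credentials can do. Anyone who gets sysadmin on the SQL Server, or administrator on the host it shares with the sensor, can still wipe the table, which is exactly why the thread's advice is to keep the IDS on a separate box.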
byrmol
Shed Building SQL Farmer
1591 Posts
Posted - 2002-06-19 : 23:44:55

bouno,

Merkin is giving you excellent advice here.

Go out and buy a second-hand 486 with 16Mb of RAM and another network card (about $40 all up). Install Linux and IP COP, job's done.

DavidM
"SQL-3 is an abomination.."

bouno
Starting Member
23 Posts
Posted - 2002-06-20 : 20:34:59

byrmol, Merkin,

Sounds great. Looks like we solved a serious problem here, almost free. Thanks for the ideas.