Chapter 17. Managing Sybase Services

Database services are essential in most organizations. As with other services you offer, you want to configure database access securely. Sybase is a relational database management system used by many organizations. The Gauntlet Firewall includes a proxy that securely allows connections between Sybase clients on the inside network and servers on the outside network.

This chapter discusses the concepts behind the Sybase proxy and explains how it works, how to configure the proxy, and how to use Sybase services in the following sections:

Understanding the Sybase Proxy

The Sybase proxy is an application-level proxy that provides configurable access control, authentication and logging mechanisms. The Sybase proxy, which runs on the firewall, passes Sybase requests through the firewall (at the application level), using rules you supply. You can configure instances of the Sybase proxy to service:

  • Sybase client-to-server communications

  • Sybase server-to-server communications

For each version of the Sybase proxy, you can configure the proxy to allow connections based on:

  • source IP address

  • source hostname

  • source port

  • destination IP address

  • destination hostname

  • destination port

Using these options, you can configure your firewall to allow Sybase clients on certain trusted hosts to access a Sybase server on an untrusted host. Employees working behind the firewall can access Sybase databases at customer sites. You can also configure your firewall to allow Sybase servers on opposite sides of the firewall to communicate. A Sybase replication server can communicate with another Sybase replication server on the other side of an intranet firewall.

You can configure the Sybase proxy to allow Sybase clients on untrusted hosts to access Sybase servers on your trusted networks. According to most security policies, including the Gauntlet Firewall default, it is not a good idea to allow such access to untrusted hosts. If you must allow this sort of service, consider using client-side password encryption. Consider limiting the databases and data to which users have access, because all of the data is transferred unencrypted.

The proxies log all successful and unsuccessful connection attempts and the amount of data transferred.

These access controls allow you to have more control over the connections to and from your system than you have without a firewall. The logging capabilities are also more extensive.

How the Sybase Proxy Works

The firewall runs different instances of the Sybase proxy (syb-gw) as daemons on different ports for different Sybase applications. Whenever the firewall receives a Sybase request on one of these ports, the Sybase proxy checks its configuration information and determines whether the initiating host has permission to initiate this type of request. If the host does not have permission, the Sybase daemon logs the connection attempt and displays an error message.

If the host has permission, the proxy logs the transaction and passes the request to the destination host. The Sybase proxy remains active until either side closes the connection.

The default service groups do not allow either inside or outside hosts to use the Sybase proxy. The recommended configuration allows trusted hosts to access Sybase servers on untrusted networks. The recommended configuration does not allow untrusted hosts to access Sybase servers on trusted networks. While the Sybase proxy does perform checks to ensure that the packets appear to be Sybase packets, someone could spoof this protocol. The Sybase proxy does not perform any user authentication. You are relying on the authentication mechanisms of the Sybase server to control access to your Sybase server and its data.

Accessing Sybase Proxy Configuration

To access the Sybase proxy configuration:

  1. From within the Gauntlet Firewall Manager, select Services.

  2. Click the Sybase tab.

    The Sybase window displays.

    Figure 17-1. Sybase Window


Configuring the Firewall for Sybase Services

Configuring the Gauntlet Firewall involves planning, configuring the proxies to enforce your security policy, and enabling the proxy.

Planning Sybase Proxy Settings

When planning Sybase proxy settings:

  1. Determine which Sybase servers users need to access. Determine whether you want to limit access to a particular server or not. Obtain hostname or IP address information for each server.

  2. For each server, determine the port(s) on which the server accepts connections.

  3. Determine which external hosts can use these services.

  4. Determine which internal hosts can use these services.

Configuring Sybase Proxy Settings

Configure the Sybase proxy to enforce your security policies.

To configure Sybase proxy settings:

  1. Select the syb-gw configuration to modify the default settings.

  2. Click Modify.

    The Modify Sybase Services window displays.

    Figure 17-2. Modify Sybase Services Window


  3. Provide information about the port on which you are running the Sybase service.

    Port

    Enter the port number on which the proxy runs.


  4. Provide other optional information about the source and destination hosts for the Sybase proxy.

  5. Click OK.

Enabling Sybase Proxy Services

To enable the Sybase proxy service:

  1. On the Sybase window, click Enabled.

  2. Add the Sybase proxy configuration to the service groups that you want to use the Sybase proxy.

  3. Before exiting the Gauntlet Firewall Manager, save and apply your changes.

    The firewall enables the Sybase proxy.

Configuring Sybase Clients

Add or modify the interfaces file on the client (using a tool like sybinit or SQLEdit) to provide information about the Sybase server.

To configure Sybase clients:

  1. Specify the port number you selected for the Sybase proxy.

  2. If you are using transparency (the default configuration), specify the hostname as the hostname of the actual system running the Sybase server. If you are not using transparency, specify the hostname as the IP address of the firewall.

If you are using server-to-server communications, configure your servers as clients. Consult your Sybase administration documentation for further information on configuring clients for accessing servers.
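As an added illustration (not taken from the Gauntlet manual or from Sybase's own documentation), the client-side entries described in the two steps above look like this in the standard Unix Open Client interfaces file format, once for a transparent proxy and once for a non-transparent one. The server names, hostnames, the 192.0.2.1 firewall address and port 5000 are constructed placeholders; substitute the proxy port you chose and your own hosts.

```text
# Transparent proxy (the default): the client names the real Sybase server
# host but uses the port the Sybase proxy listens on (5000 is a placeholder).
# Lines under the server name must begin with a tab.
SYB_CUSTOMER
	master tcp ether sybase.customer.example 5000
	query tcp ether sybase.customer.example 5000

# Non-transparent proxy: the client addresses the firewall itself.
# 192.0.2.1 is a constructed placeholder for the firewall's IP address.
SYB_CUSTOMER_VIA_FW
	master tcp ether 192.0.2.1 5000
	query tcp ether 192.0.2.1 5000
```

Clients connect using the query line; the master line is used when the same entry is read by a server, which matters for the server-to-server case above. On Windows clients the equivalent entry goes in sql.ini (edited with SQLEdit) as `query=TCP,<host>,<port>` under a `[SERVERNAME]` section.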

Verifying Your Setup

Use your Sybase client on a trusted host to run a simple query against the Sybase server on the untrusted host. Watch the logs on the firewall for error messages.