From: Michael Peppler <mpeppler at MBAY dot NET>
Subject: Re: Indirect security question / off topic...
Date: Oct 16 1997 6:31PM
Tim Holt wrote:
> This may be (well, is) off topic, but in some respects seemed to be a good
> group to try...
> I've noticed that I can telnet to the port number of my Sybase server, but
> get no real response from it. Does anyone have an analysis of the security
> risk to this? What could you do to someone else's machine if you knew this
> "hole" existed? We would like to utilize a Sybase connection on our web
> site, which is external to our firewall.
Interesting question. Sybase uses a protocol (TDS) to communicate
between the client and the server, and I'm pretty sure that this is a
binary protocol. The SQL that is sent is probably sent in clear text
but I don't know if it would be possible to emulate the protocol
with a telnet session (of course you still have to log on to
get a valid session where the SQL can be accepted).
> Also, kind of off/side topic: Is anyone using the encrypted "tunneling"
> capabilities of ssh (http://www.datafellows.com) for thru-firewall
> Sybase connectivity?
I haven't used it for that. I use ssh to connect to the site where I
work (from home) and use X over the connection, and that works
Michael Peppler -||- Data Migrations Inc.
email@example.com -||- http://www.mbay.net/~mpeppler