sqla startup switches to satisfy security audit

Former Member

Hi. As is becoming more common, one of our customers recently had a security audit.
Shortly after the audit, we received the text below in an email...

Vulnerability: Sybase Adaptive Server Anywhere (ASA) Ping The remote Sybase SQL Anywhere / Adaptive Server Anywhere database is configured to listen for client connection broadcasts, which allows an attacker to see the name and port that the Sybase SQL Anywhere / Adaptive Server Anywhere server is running on. Service: - CVSSv2: AV:N/AC:L/Au:N/C:P/I:N/A:N (Base Score:5.00)

Remediation Action: Switch off broadcast listening via the ‘-sb’ switch when starting Sybase.

What is the downside (if any) of using the -sb switch?

Should I recommend another switch, or include the -sb in a group of other switches?

Thanks,
Doug

Accepted Solutions (0)

Answers (1)

VolkerBarth
Contributor

What version are you using?

I can't give any security recommendations - just tell about the "downside" in terms of changes needed for client apps:

AFAIK, when using -sb 0 ("stealth mode"), clients connecting over TCP/IP must specify the TCP/IP address in the connection string (or SQL CONNECT information) in order to be able to connect to the server.

For v12 clients, you can use the HOST connection parameter. For older clients, you will have to use the HOST protocol option (and the DoBroadcast=NONE option, I guess).

In case the server is not using the default port (2638), you will also have to add the port number to the HOST connection parameter or add the PORT protocol option.


In contrast, using "-sb 1" won't affect client connection logic but prevents the server from reacting to dblocate. However, I haven't checked whether it will stop reacting to port scans.


Just to add: Using NETSTAT -a, the UDP port is still visible locally - independent of the -sb setting - tested with 12.0.1.3554...
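To make the client-side consequences of -sb 0 concrete, here is an added example (not code from the thread, and not an SAP/Sybase tool) that builds the explicit-address connection strings the answer above describes, and checks whether an existing connection string already carries one. It assumes the documented syntax for the HOST connection parameter (v12 clients) and for the HOST, PORT and DoBroadcast options of the tcpip link (older clients); the server name, host name and port number are constructed placeholders.

```python
"""Connection strings for a SQL Anywhere server started with -sb 0 (stealth mode).

Added example, not from the forum thread or from SAP/Sybase.  Server names,
host names and ports used below are constructed placeholders.
"""
import re

DEFAULT_PORT = 2638  # SQL Anywhere default TCP/IP port, as stated in the thread


def stealth_connection_string(server_name, host, port=DEFAULT_PORT,
                              client_major_version=12, database=None):
    """Return a connection string that reaches a server running with -sb 0.

    With broadcast listening switched off the client cannot find the server by
    name, so its address (and a non-default port) must be stated explicitly:
      * v12+ clients: the HOST connection parameter, with ':port' when not 2638
      * older clients: HOST (and PORT when not 2638) plus DoBroadcast=NONE inside
        the tcpip link options
    """
    parts = [f"ServerName={server_name}"]
    if database:
        parts.append(f"DatabaseName={database}")
    if client_major_version >= 12:
        hostspec = host if port == DEFAULT_PORT else f"{host}:{port}"
        parts.append(f"Host={hostspec}")
    else:
        opts = [f"Host={host}"]
        if port != DEFAULT_PORT:
            opts.append(f"Port={port}")
        opts.append("DoBroadcast=NONE")  # never fall back to a UDP broadcast
        parts.append("Links=tcpip(" + ";".join(opts) + ")")
    return ";".join(parts)


def _split_top_level(connstr):
    """Split on ';' but not inside the parentheses of a link option list."""
    parts, cur, depth = [], [], 0
    for ch in connstr:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == ";" and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p for p in parts if p.strip()]


def has_explicit_host(connstr):
    """True if the string names a TCP/IP address a stealth-mode server can be
    reached by: either a HOST connection parameter or a tcpip(HOST=...) option.
    Useful for auditing existing client configurations before enabling -sb 0."""
    for part in _split_top_level(connstr):
        key, _, value = part.partition("=")
        key = key.strip().lower()
        if key == "host" and value.strip():
            return True
        if key in ("links", "commlinks"):
            m = re.search(r"tcpip\s*\((.*)\)", value, re.IGNORECASE)
            if m and re.search(r"(^|;)\s*host\s*=\s*\S", m.group(1), re.IGNORECASE):
                return True
    return False


if __name__ == "__main__":
    # Constructed placeholders: server "MyServer" on host db01.example.test
    print(stealth_connection_string("MyServer", "db01.example.test"))
    print(stealth_connection_string("MyServer", "db01.example.test", port=2639,
                                    client_major_version=11))
    print(has_explicit_host("ServerName=MyServer;Links=tcpip"))  # False
```

Running `has_explicit_host` over the connection strings your applications actually use is a quick way to find the clients that still rely on broadcast discovery and would stop connecting once the server runs with -sb 0.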

VolkerBarth
Contributor

FWIW: For general security questions, you might have a look at the following whitepaper:

Securing SQL Anywhere Server 10.

(However, it addresses the -sb 0 stealth mode just with a few lines.)