Man in the Middle
Steve Jones - SSC Editor
Posted Wednesday, April 28, 2010 8:47 PM
Comments posted to this topic are about the item Man in the Middle
Follow me on Twitter:
@way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help
Post #912490
Hugo Kornelis
Posted Thursday, April 29, 2010 12:52 AM
Hi Steve!
SQL Server includes a number of encryption technologies, TDE, SSL and more. And unlike Oracle, which charges for encryption features, these are included in the price of SQL Server.
Yes - but only if you buy Enterprise Edition.
The price Oracle charges for its security pack is high (and the idea is ridiculous, at least to me) - but not quite as high as the price a SQL Server customer with a Standard Edition has to pay to gain access to TDE.
Hugo Kornelis, SQL Server MVP
Visit my SQL Server blog:
http://sqlblog.com/blogs/hugo_kornelis
Post #912580
Steve Jones - SSC Editor
Posted Thursday, April 29, 2010 7:39 AM
True, TDE is an EE feature, which I think is a mistake. Many of the other encryption technologies are in all versions.
Post #912840
Sean Terry
Posted Thursday, April 29, 2010 7:41 AM
Hugo Kornelis (4/29/2010)
Yes - but only if you buy Enterprise Edition.
It should be noted that SSL connection encryption is baked-in to all editions (including Express), which is the key player in preventing man-in-the-middle attacks.
Post #912844
richj-826679
Posted Thursday, April 29, 2010 8:59 AM
Sean Terry (4/29/2010)
It should be noted that SSL connection encryption is baked-in to all editions (including Express), which is the key player in preventing man-in-the-middle attacks.
But only if you're using a properly signed cert as stated in the big yellow "Caution" area at
http://msdn.microsoft.com/en-us/library/ms189067%28v=SQL.105%29.aspx
Then again, since SSL's been broken (google ssl md5 broken), I don't think it's a panacea for any business at risk of MITM attacks.
Rich
Post #912951
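An added example, not part of any post in this thread: a T-SQL check of which remote sessions are actually running over an encrypted channel, using the `sys.dm_exec_connections` and `sys.dm_exec_sessions` views. It assumes SQL Server 2005 or later and a login with VIEW SERVER STATE.

```sql
-- Added example (not from the thread): audit transport encryption per client.
-- Requires VIEW SERVER STATE.
SELECT
    s.login_name,
    s.host_name,
    s.program_name,
    c.net_transport,
    c.auth_scheme,
    c.encrypt_option,            -- 'TRUE' when the session's traffic is encrypted
    COUNT(*) AS session_count
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions AS s
    ON s.session_id = c.session_id
WHERE c.net_transport <> 'Shared memory'    -- local sessions never cross the wire
GROUP BY
    s.login_name, s.host_name, s.program_name,
    c.net_transport, c.auth_scheme, c.encrypt_option
ORDER BY
    c.encrypt_option,            -- 'FALSE' rows (cleartext sessions) sort first
    session_count DESC;
```

`encrypt_option` only reports that the channel is encrypted; whether the client validated the server certificate is decided on the client side (for SqlClient, `Encrypt=True;TrustServerCertificate=False` in the connection string), so a 'TRUE' row does not by itself rule out the certificate problem raised above.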
TravisDBA
Posted Thursday, April 29, 2010 10:29 AM
TDE is a great new feature, but so is backup compression and using TDE essentially nullifies the other out. Try both together and see for yourself, although this is not recommended. Encrypted data compresses significantly less than equivalent unencrypted data. If TDE is used to encrypt a database, backup compression will not be able to significantly compress the backup storage. So, Mickeysoft gave us two great new features in SQL 2008 we really can't use together. Also, please do keep in mind when using TDE that TEMPDB is automatically encrypted when you enable TDE on any database on a server instance and this can cause performance issues with non-encrypted databases using TEMPDB on that server.
"Technology is a weird thing. It brings you great gifts with one hand, and it stabs you in the back with the other. ..."
Post #913067
Steve Jones - SSC Editor
Posted Thursday, April 29, 2010 10:36 AM
SSL doesn't solve everything, but it does reduce some people making attacks. That's why I mention learning more about other network protocols. Perhaps we ought to also be encrypting at an even lower network level using some sort of secure tunneling for clients of SQL Server.
Post #913073
SQLRNNR
Posted Thursday, April 29, 2010 1:27 PM
We recently had a vendor demo demonstrating an attack that is just as easy as MITM. Once attached directly to the server, he was able to then display the sa password. Apparently SQL Server keeps the SA password in clear text in memory. If somebody logs on with the SA, it will stay there in memory - even after the connection is closed. Combine this with a MITM attack, and you have no data left to protect.
Jason
AKA CirqueDeSQLeil
I have given a name to my pain...
MCM SQL Server 2008
SQL RNNR
Posting Performance Based Questions - Gail Shaw
Posting Data Etiquette - Jeff Moden
Hidden RBAR - Jeff Moden
VLFs and the Tran Log - Kimberly Tripp
Post #913218
Copyright © 2002-2013 Simple Talk Publishing. All Rights Reserved.