Man in the Middle


Steve Jones
Comments posted to this topic are about the item Man in the Middle

Follow me on Twitter: @way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help
My Blog: www.voiceofthedba.com
Hugo Kornelis
Hi Steve!

SQL Server includes a number of encryption technologies, TDE, SSL and more. And unlike Oracle, which charges for encryption features, these are included in the price of SQL Server.

Yes - but only if you buy Enterprise Edition.

The price Oracle charges for its security pack is high (and the idea is ridiculous, at least to me) - but not quite as high as the price a SQL Server customer with a Standard Edition has to pay to gain access to TDE.


Hugo Kornelis, SQL Server/Data Platform MVP (2006-2016)
Visit my SQL Server blog: http://sqlblog.com/blogs/hugo_kornelis
Steve Jones
True, TDE is an EE feature, which I think is a mistake. Many of the other encryption technologies are in all versions.

Sean Terry
Hugo Kornelis (4/29/2010)
Yes - but only if you buy Enterprise Edition.


It should be noted that SSL connection encryption is baked-in to all editions (including Express), which is the key player in preventing man-in-the-middle attacks. ;-)
richj-826679
Sean Terry (4/29/2010)


It should be noted that SSL connection encryption is baked-in to all editions (including Express), which is the key player in preventing man-in-the-middle attacks. ;-)


But only if you're using a properly signed cert as stated in the big yellow "Caution" area at http://msdn.microsoft.com/en-us/library/ms189067%28v=SQL.105%29.aspx

Then again, since SSL's been broken (google ssl md5 broken), I don't think it's a panacea for any business at risk of MITM attacks.

Rich
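
A check for the point discussed in the posts above, as an added example that is not part of the original thread: it lists which current connections are actually encrypted on the wire. It uses the sys.dm_exec_connections and sys.dm_exec_sessions DMVs and assumes the caller has VIEW SERVER STATE permission.

```sql
-- Added example (not from the thread): audit transport encryption per connection.

-- 1. Every user connection with its transport, auth scheme and encryption flag.
SELECT  c.session_id,
        s.login_name,
        s.host_name,
        s.program_name,
        c.client_net_address,
        c.net_transport,     -- TCP, Named pipe, Shared memory
        c.auth_scheme,       -- SQL, NTLM, KERBEROS
        c.encrypt_option     -- 'TRUE' when the connection is encrypted
FROM    sys.dm_exec_connections AS c
JOIN    sys.dm_exec_sessions    AS s
        ON s.session_id = c.session_id
WHERE   s.is_user_process = 1
ORDER BY c.encrypt_option, s.login_name, c.session_id;

-- 2. Summary of the connections most exposed to interception:
--    remote TCP sessions that are not encrypted, grouped by login and client.
SELECT  s.login_name,
        c.client_net_address,
        c.auth_scheme,
        COUNT(*)               AS unencrypted_connections,
        MIN(c.connect_time)    AS oldest_connection
FROM    sys.dm_exec_connections AS c
JOIN    sys.dm_exec_sessions    AS s
        ON s.session_id = c.session_id
WHERE   s.is_user_process = 1
  AND   c.net_transport   = 'TCP'
  AND   c.encrypt_option  = 'FALSE'
GROUP BY s.login_name, c.client_net_address, c.auth_scheme
ORDER BY unencrypted_connections DESC;
```

encrypt_option only reports that the channel is encrypted. Whether the client validated the server certificate, which is the subject of the MSDN caution linked above, is decided by the client's connection settings and is not visible in this DMV.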
TravisDBA
TDE is a great new feature, but so is backup compression and using TDE essentially nullifies the other out. Try both together and see for yourself, although this is not recommended. Encrypted data compresses significantly less than equivalent unencrypted data. If TDE is used to encrypt a database, backup compression will not be able to significantly compress the backup storage. So, Mickeysoft gave us two great new features in SQL 2008 we really can't use together. Also, please do keep in mind when using TDE that TEMPDB is automatically encrypted when you enable TDE on any database on a server instance and this can cause performance issues with non-encrypted databases using TEMPDB on that server. :-D

"Technology is a weird thing. It brings you great gifts with one hand, and it stabs you in the back with the other. ...:-D"
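
Two queries for checking the effects described in the post above on a given instance, as an added example that is not part of the original thread: the TDE state of every database (including tempdb) and the compression ratio achieved by each database's most recent full backup. They rely on sys.databases, sys.dm_database_encryption_keys and msdb.dbo.backupset, and assume permission to read server state and msdb.

```sql
-- Added example (not from the thread): TDE state and backup compression ratio.

-- 1. TDE state per database. A row for tempdb in the DMV shows that it
--    has been encrypted as a side effect of enabling TDE elsewhere.
SELECT  d.name                AS database_name,
        d.is_encrypted,
        k.encryption_state,   -- 3 = encrypted; NULL = no encryption key
        k.key_algorithm,
        k.key_length
FROM    sys.databases AS d
LEFT JOIN sys.dm_database_encryption_keys AS k
        ON k.database_id = d.database_id
ORDER BY d.name;

-- 2. Compression ratio of the latest full backup of each database,
--    next to its TDE flag, so encrypted and unencrypted databases
--    can be compared directly.
WITH last_full AS (
    SELECT  database_name,
            backup_finish_date,
            backup_size,
            compressed_backup_size,
            ROW_NUMBER() OVER (PARTITION BY database_name
                               ORDER BY backup_finish_date DESC) AS rn
    FROM    msdb.dbo.backupset
    WHERE   type = 'D'        -- full database backups only
)
SELECT  d.name                                   AS database_name,
        d.is_encrypted,
        b.backup_finish_date,
        CAST(b.backup_size / 1048576.0 AS decimal(18,1))            AS backup_mb,
        CAST(b.compressed_backup_size / 1048576.0 AS decimal(18,1)) AS compressed_mb,
        CAST(b.backup_size / NULLIF(b.compressed_backup_size, 0)
             AS decimal(10,2))                                      AS compression_ratio
FROM    sys.databases AS d
JOIN    last_full     AS b
        ON b.database_name = d.name
       AND b.rn = 1
ORDER BY compression_ratio;
```

A compression_ratio of 1.00 means the backup was not compressed or gained nothing from compression.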
Steve Jones
SSL doesn't solve everything, but it does reduce some people making attacks. That's why I mention learning more about other network protocols. Perhaps we ought to also be encrypting at an even lower network level using some sort of secure tunneling for clients of SQL Server.

SQLRNNR
We recently had a vendor demo demonstrating an attack that is just as easy as MITM. Once attached directly to the server, he was able to then display the sa password. Apparently SQL server keeps the SA password in clear text in memory. If somebody logs on with the SA, it will stay there in memory - even after the connection is closed. Combine this with a MITM attack, and you have no data left to protect.

Jason...AKA CirqueDeSQLeil
_______________________________________________
I have given a name to my pain...MCM SQL Server, MVP
SQL RNNR
Posting Performance Based Questions - Gail Shaw
Learn Extended Events
