THE SQL Server Blog Spot on the Web

Welcome to - The SQL Server blog spot on the web Sign in | |
in Search

Arnie Rowland

Discussion of issues related to SQL Server, the MSDN SQL Support Forums, the complex interplay between Developers and SQL Server Administrators, and our sometimes futile attempts to have a 'normal' life.

You HAVE to Trust, you MUST Verify -and that may still not be enough!

In Brian Kelly's recent blog post, he makes an excellent case outlining why there are few options but to 'Trust' SQL Server Administrators. And then he goes into excellent detail explaining that it may be impossible to completely 'prohibit' disruptive behavior, and that one should establish a robust auditing of security events.

And it is not just the SQL Server Administrators, or the network administrators that require ‘trust’. It is anyone that has access to the ‘wire’.

A while back I was working on a project that had to meet a HS/FIPS standards that mandated that all data in transit be encrypted. I recall sitting in a meeting where, in response to my request for the establishment of encryption, (possibly IPSec) between the web farm and the data cluster, the director of the infrastructure teams bluntly stated that it would not happen because 'we trust our people'. There was continued resistance to finding any alternatives to meet the encryption requirement. The network administrators were firmly opposed to having packets on ‘their wires’ that they could not ‘look into’. There were attempts to find some manner of ‘waiver’ from the standards. My arguments about the difficulty involved in discovering passive sniffers, or that anyone with access inside the firewall could easily install an ‘unknown sniffer’ were summarily dismissed as ‘overly concerned’. My team continued moving ahead in preparation to the time when encryption deadline became inescapable.

A few months later, all IT infrastructure staff were required to undergo new background security checks. I was not surprised that some of the 'trusted people' abruptly resigned or were terminated. (I've noticed that about 15% of IT staff seem to either refuse to submit to, or fail security checks. Sometime termination is for issues that would not have prevented the initial hire, but became mandated since the issues were not disclosed on the application. Sometimes just 'youthful indiscretions'...

And the data in transit was finally encrypted.



Published Friday, February 20, 2009 2:22 PM by ArnieRowland
Filed under: , ,



Brian Kelley said:

I understand where the network guys are coming from. I've had to do reams of packet analysis myself and I know how frustrating this can be, especially when you're trying to determine request/response headers for HTTP traffic. However, basic analysis such as whether the packets are malformed, whether or not you're seeing the handshake, etc., can be seen regardless. So using encryption is typically not an issue. Besides, there are numerous horror stories of finding a small device plugged into the span port of a switch and no one knew how long it had been there. So better safe than sorry.

February 20, 2009 5:13 PM

James Luetkehoelter said:

That's a great post by Brian. In my experience there is way more "refuse to submit" out there than 15%. People that know enough about the technology side of it find ways around any policy-based (literal policy) regulations within a company to do what they need to do.

In many cases they mean no harm - but every compromisable account establishes a security threat. The last place I worked had some security "policies" that were not enforced in any way, and frankly I could have done anything to them at any time in any way I chose. As could  dozens of others that didn't know many of the implications that they were inadvertantly exposing. Sad. And a hacker's dream. There wasn't even physical security - anyone could have walked into the building at any point - the only thing sealed was the server room, but with a little ingenuity one could remote into anything anywhere in the world.

My real question is - will anyone ever get it until they are severly compromised?

February 20, 2009 11:41 PM
New Comments to this post are disabled
Privacy Statement