6.8 Run a host and/or network-based packet firewall

Information

Sybase ASE can be configured to listen on a variety of network transports. By default it will
listen on TCP and named pipes. Though the default TCP port is 5000, if there are multiple
server instances running on a single host, there will be multiple listening ports. Dynamic
listeners can also be set up via the sp_listener stored procedure.

It is recommended that a host and/or network-based firewall is configured to limit access
to the database server port. The default Windows firewall present on Windows XP and
above may be sufficient depending on your organization's requirements. Otherwise a
solution with greater configurability and auditing capabilities is recommended.

Rationale:

It represents security best practice to segregate hosts on the network by role. Furthermore
it is prudent to use firewalls, both to protect the database servers from the rest of the
network, and to protect the rest of the network from the database servers in the event of a
compromise.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

1. Run a host and/or network-based packet firewall to limit access to the database
server port based on IP address.
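
One way to apply this on a Linux host with iptables, as an added example that is not part of the benchmark. The ports, client addresses and the chain name ASE_IN are constructed sample values; the script prints the rules for review rather than applying them.

```shell
#!/bin/sh
# Added example: print iptables rules that limit ASE listener ports to
# approved client addresses. All values below are constructed samples.

ASE_PORTS="5000 5001"                       # one port per ASE instance/listener
ALLOWED_CLIENTS="10.20.30.0/24 10.20.40.15" # application servers, DBA hosts
CHAIN="ASE_IN"                              # hypothetical chain name

ase_firewall_rules() {
    ports=$1
    clients=$2

    # Reject anything that is not a TCP port number before emitting rules.
    for port in $ports; do
        case $port in
            ''|*[!0-9]*|??????*) echo "invalid port: $port" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "port out of range: $port" >&2
            return 1
        fi
    done

    # Build the chain first so it is complete before INPUT jumps to it.
    echo "iptables -N $CHAIN"
    for src in $clients; do
        echo "iptables -A $CHAIN -s $src -j ACCEPT"
    done
    # Everything else is logged (rate-limited) for audit, then dropped.
    echo "iptables -A $CHAIN -m limit --limit 5/min -j LOG --log-prefix \"ASE-DENY: \""
    echo "iptables -A $CHAIN -j DROP"

    # Send traffic for every ASE listener port through the chain.
    for port in $ports; do
        echo "iptables -A INPUT -p tcp --dport $port -j $CHAIN"
    done
}

ase_firewall_rules "$ASE_PORTS" "$ALLOWED_CLIENTS"
```

The port list has to cover every listening port on the host, including those of additional server instances and any listeners started with sp_listener.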

See Also

https://workbench.cisecurity.org/files/1612