Oracle’s Transparent Network Substrate, TNS, is the network layer beneath Oracle Net (historically SQL*Net), and the TNS listener is the server process that listens for and accepts incoming connection requests from client applications, handing each one off to a database server process for the rest of the session. Because TNS abstracts the underlying transport, the listener can establish and maintain connections between clients and Oracle database services regardless of the network protocol used at each end, enabling, for instance, a client using IPX to communicate with a server that uses TCP/IP.

The listener has, however, a history of buffer-overflow and denial-of-service vulnerabilities, so much so that Juniper Networks Inc touted the fact that it had added the ability to inspect TNS traffic and write signatures for such exploits to the latest release of its intrusion-detection/-prevention offering, IDP 4.0.

Microsoft, on the other hand, says it has resolved the equivalent problem in SQL Server. This is no small claim from the company whose database was the target of the Slammer worm in January 2003, a buffer-overflow exploit against the SQL Server Resolution Service that infected some 75,000 systems in about 10 minutes. Keith Burns, database architect for Microsoft in EMEA, said it was that experience that made the company make resolving the issue a priority.

Historically, things were worse on Microsoft, Burns said. We caused Slammer with a SQL Server vulnerability, which led Jim Gray, one of the gods of database technology, to get up and apologize to several thousand people in an auditorium.

That sobering lesson resulted in the Trustworthy Computing initiative at Microsoft, with the mindset for product configuration switching to the answer is no, now what is your question? said Burns. In other words, products should ship with access and connectivity features switched off, requiring admins to switch them on, rather than the other way round. By way of example, he cited the fact that the default setting is to install no demo database on a SQL Server production box, where previously that would have been possible, so that an admin has to go in and add one deliberately. Another example Burns cited was that outbound SMTP mail from the database is now switched off by default, though it can be enabled.

Similarly, the SQL Browser Service on the server can make known the presence of a database instance on the network and which port it is on, but it can be turned off, so that anyone trying to break in needs to know the IP address of the server and the port number of the instance before mounting an attack. A port scan would still show an open port, but not which SQL Server instance is listening behind it, and named instances could no longer be enumerated by name.

Another example is SQL Server Express, the low-end edition that is available free for ISVs to embed in their applications as the native database: its TCP/IP endpoint is disabled by default, because such an embedded instance is often used by a single local application anyway and so does not need a door open for remote clients to communicate with it.
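The Browser service exchange that the two preceding paragraphs describe, as an added Python example (not the article's or Microsoft's code): it builds the single-byte SSRP discovery request that clients and scanners send to UDP 1434, parses the reply into one record per instance, and shows that an instance whose TCP endpoint is disabled, as in the Express default, advertises only a named-pipe transport. SQLHOST, the instance names and the build number in the sample reply are constructed, not captured.

```python
"""SSRP (SQL Browser, UDP 1434) probe: what the service volunteers, and what
changes when an instance has no TCP endpoint.  Added example; not code from
the article or from Microsoft."""
import socket
from typing import Dict, List, Optional

SSRP_PORT = 1434          # SQL Browser listens here over UDP
CLNT_UCAST_EX = 0x03      # "describe every instance on this host"
CLNT_UCAST_INST = 0x04    # "describe this named instance"
SVR_RESP = 0x05           # first byte of every Browser reply


def build_ssrp_request(instance: Optional[str] = None) -> bytes:
    """Build a unicast SSRP request exactly as a client or scanner sends it."""
    if instance is None:
        return bytes([CLNT_UCAST_EX])
    # CLNT_UCAST_INST: opcode, instance name, NUL terminator
    return bytes([CLNT_UCAST_INST]) + instance.encode("ascii") + b"\x00"


def parse_ssrp_response(data: bytes) -> List[Dict[str, str]]:
    """Parse an SVR_RESP into one dict per advertised instance.

    Wire layout: 0x05, little-endian 16-bit size, then ASCII key;value pairs;
    each instance record ends with ";;".
    """
    if len(data) < 3 or data[0] != SVR_RESP:
        raise ValueError("not an SSRP SVR_RESP message")
    size = int.from_bytes(data[1:3], "little")
    body = data[3:3 + size]
    if len(body) != size:
        raise ValueError("truncated SVR_RESP: declared %d bytes, got %d" % (size, len(body)))
    instances = []
    for record in body.decode("ascii", errors="replace").split(";;"):
        if not record:
            continue
        tokens = record.split(";")
        instances.append(dict(zip(tokens[0::2], tokens[1::2])))
    return instances


def tcp_exposure(instances: List[Dict[str, str]]) -> Dict[str, Optional[int]]:
    """Map instance name -> advertised TCP port, or None when the instance
    advertises only a local transport (named pipes)."""
    return {
        inst["InstanceName"]: int(inst["tcp"]) if "tcp" in inst else None
        for inst in instances
    }


def probe_browser(host: str, timeout: float = 2.0) -> Optional[List[Dict[str, str]]]:
    """Ask a live host's SQL Browser for its instance list.  Returns None when
    nothing answers, which is what a disabled or firewalled Browser looks like."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_ssrp_request(), (host, SSRP_PORT))
        try:
            data, _ = sock.recvfrom(65535)
        except socket.timeout:
            return None
    return parse_ssrp_response(data)


# Constructed sample reply (not a real capture): a default instance with TCP
# enabled on 1433, and a SQL Express instance advertising only named pipes.
SAMPLE_RESP_DATA = (
    b"ServerName;SQLHOST;InstanceName;MSSQLSERVER;IsClustered;No;"
    b"Version;9.00.1399.06;tcp;1433;;"
    b"ServerName;SQLHOST;InstanceName;SQLEXPRESS;IsClustered;No;"
    b"Version;9.00.1399.06;np;\\\\SQLHOST\\pipe\\MSSQL$SQLEXPRESS\\sql\\query;;"
)
SAMPLE_RESPONSE = (bytes([SVR_RESP])
                   + len(SAMPLE_RESP_DATA).to_bytes(2, "little")
                   + SAMPLE_RESP_DATA)

if __name__ == "__main__":
    for name, port in tcp_exposure(parse_ssrp_response(SAMPLE_RESPONSE)).items():
        state = "TCP port %d advertised" % port if port else "no TCP endpoint advertised"
        print("%s: %s" % (name, state))
```

Run against a real host with `probe_browser("10.0.0.5")`; a `None` result means the Browser is off or filtered, and the caller must already know the instance's port to go any further, which is the whole point of the default Burns describes.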

Burns said, we’ve been bitten once, and so we thought through the whole architecture and made changes so people can’t exploit vulnerabilities. As evidence of that, he cited the fact that SQL Server 2005 has been available since November and there have been no security patches so far.

TNS gives out information about what services are running, [whereas] we’re starting to think that volunteering too much information is not a good thing, said Burns, explaining that the change meant tightening up the company’s listener technology. To put extra distance between now and then, Microsoft even renamed it, from Network Libraries for SQL to the SQL Server Network Interface Protocol. The listener now runs at a lower privilege level than SQL Server itself, so if it is compromised, it can’t do damage, he said.
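Burns's point about TNS volunteering service information, and the Juniper signatures for TNS traffic mentioned at the top, both come down to looking inside the listener's CONNECT packets. The following Python is an added example, not code from the article, from Oracle or from Juniper: it builds a TNS CONNECT packet around a constructed connect descriptor, parses the descriptor tree, and flags the two things a signature writer cares about here: a length field that disagrees with the bytes on the wire (the shape of an overflow or truncation attempt) and an unauthenticated listener administration COMMAND such as status or services. The 8-byte TNS header layout and the position of the connect-data length and offset fields follow the TNS wire format; the connect-data offset of 58 used by the builder and the ADMIN_COMMANDS watchlist are this example's own assumptions, and the inspector reads the offset from the packet rather than assuming it.

```python
"""TNS CONNECT-packet inspector, the kind of check an IDS signature for TNS
traffic performs.  Added example; not code from the article, Oracle or Juniper.
TNS header: 2-byte big-endian length, 2-byte checksum, 1-byte type, 1 reserved
byte, 2-byte header checksum.  In a CONNECT packet the connect-data length and
offset (from packet start) are the 16-bit fields at bytes 24-27."""
import struct
from typing import Iterator, List, Tuple, Union

TNS_TYPES = {1: "CONNECT", 2: "ACCEPT", 4: "REFUSE", 5: "REDIRECT",
             6: "DATA", 11: "RESEND", 12: "MARKER"}

# lsnrctl commands the listener answers over the wire; which of them to alert
# on is a tuning choice and this set is an assumption of the example.
ADMIN_COMMANDS = {"status", "services", "version", "stop", "reload",
                  "save_config", "debug", "trace", "log_status"}

Node = Tuple[str, Union[str, List["Node"]]]


def parse_tns_header(pkt: bytes) -> dict:
    if len(pkt) < 8:
        raise ValueError("short TNS header")
    length, _cksum, ptype, _reserved, _hdr_cksum = struct.unpack(">HHBBH", pkt[:8])
    return {"length": length, "type": ptype,
            "type_name": TNS_TYPES.get(ptype, "UNKNOWN(%d)" % ptype)}


def parse_descriptor(text: str) -> List[Node]:
    """Parse (KEY=value) / (KEY=(SUB=...)...) connect descriptors into nodes."""
    pos = 0

    def skip_ws() -> None:
        nonlocal pos
        while pos < len(text) and text[pos].isspace():
            pos += 1

    def node() -> Node:
        nonlocal pos
        skip_ws()
        if pos >= len(text) or text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        eq = text.index("=", pos)            # ValueError if no '='
        key = text[pos:eq].strip()
        pos = eq + 1
        skip_ws()
        value: Union[str, List[Node]]
        if pos < len(text) and text[pos] == "(":
            children: List[Node] = []
            while pos < len(text) and text[pos] == "(":
                children.append(node())
                skip_ws()
            value = children
        else:
            end = text.index(")", pos)       # scalar value runs to ')'
            value = text[pos:end].strip()
            pos = end
        if pos >= len(text) or text[pos] != ")":
            raise ValueError("expected ')' at offset %d" % pos)
        pos += 1
        return (key, value)

    nodes: List[Node] = []
    skip_ws()
    while pos < len(text):
        nodes.append(node())
        skip_ws()
    return nodes


def values_for(nodes: List[Node], key: str) -> Iterator[str]:
    """Yield every scalar value stored under `key`, at any depth."""
    for k, v in nodes:
        if isinstance(v, list):
            yield from values_for(v, key)
        elif k.upper() == key.upper():
            yield v


def build_connect_packet(connect_data: bytes, cd_offset: int = 58) -> bytes:
    """Frame connect data as a TNS CONNECT packet; cd_offset is an assumption."""
    body = bytearray(cd_offset - 8)                      # zero-filled connect header
    struct.pack_into(">HH", body, 0, 0x0136, 0x012C)     # version 310, compatible 300
    struct.pack_into(">HH", body, 6, 2048, 32767)        # SDU, TDU
    struct.pack_into(">HH", body, 16, len(connect_data), cd_offset)
    pkt = bytearray(8) + body + connect_data
    struct.pack_into(">H", pkt, 0, len(pkt))             # declared packet length
    pkt[4] = 1                                           # type CONNECT
    return bytes(pkt)


def inspect_tns(pkt: bytes) -> List[str]:
    """Return findings for one TNS packet; an empty list means nothing flagged."""
    findings: List[str] = []
    hdr = parse_tns_header(pkt)
    if hdr["length"] != len(pkt):
        findings.append("declared length %d != actual %d" % (hdr["length"], len(pkt)))
    if hdr["type"] != 1:                 # only CONNECT carries a descriptor
        return findings
    if len(pkt) < 28:
        findings.append("CONNECT packet too short for connect-data fields")
        return findings
    cd_len, cd_off = struct.unpack(">HH", pkt[24:28])
    if cd_off < 8 or cd_off + cd_len > len(pkt):
        findings.append("connect data overruns packet (offset %d, length %d)" % (cd_off, cd_len))
        return findings
    descriptor = pkt[cd_off:cd_off + cd_len].decode("ascii", errors="replace")
    try:
        tree = parse_descriptor(descriptor)
    except ValueError as exc:
        findings.append("unparseable connect data: %s" % exc)
        return findings
    for cmd in values_for(tree, "COMMAND"):
        if cmd.lower() in ADMIN_COMMANDS:
            findings.append("listener admin command: %s" % cmd)
    return findings


# Constructed samples (not captures): an unauthenticated status probe and an
# ordinary application connect.
SAMPLE_STATUS_PROBE = build_connect_packet(
    b"(CONNECT_DATA=(CID=(PROGRAM=)(HOST=probe)(USER=nobody))(COMMAND=status)(SERVICE=LISTENER))")
SAMPLE_NORMAL_CONNECT = build_connect_packet(
    b"(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=orcl)(CID=(PROGRAM=sqlplus)(HOST=app1)(USER=app)))"
    b"(ADDRESS=(PROTOCOL=tcp)(HOST=dbhost)(PORT=1521)))")

if __name__ == "__main__":
    for label, pkt in (("status probe", SAMPLE_STATUS_PROBE),
                       ("normal connect", SAMPLE_NORMAL_CONNECT),
                       ("truncated connect", SAMPLE_NORMAL_CONNECT[:-5])):
        print(label, "->", inspect_tns(pkt) or "clean")
```

The inspector trusts nothing in the header: the declared length is compared with the bytes actually received, and the connect-data offset and length are bounds-checked before any slicing, which is exactly where a naive listener-side parser would overrun. A real signature would feed this a reassembled TCP stream on port 1521 rather than single packets.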