ODBC security?

[Sanjay]

Hello,
Is there a way to secure an odbc connection from one box to another.
Explanation:

Box A has an ODBC datasource that points to Box B's IP address.
Box B runs MS SQL Server 2000

I am assuming I can't use SSL, since ODBC is running at the same layer?

Thank you for your help,

Sanjay
please cc me at
svp011467@yahoo.com

[Nikolay Stanchenko]

Hello!

ODBC is only interface for single database access to different Database
Servers. Security is part of communication between server and database
client. And ODBC layer uses client API.

For ex. ODBC->Net8 ----- Oracle Server.

If you want to secure communications you can use build-in security
components of database server. Also you can use software like as stunnel
to organize SSL encryption channel between client and server. In that case
you can use digital certificates to identify client and server.

Also there is way to develope special security ODBC-proxy that retransmits
ODBC request to special application server and then from this server uses
standard ODBC calls - but it's no easy way.


Nikolay Stanchenko
Brainbench MVP for Internet Security

[Ravindra]

How to encrypt data at the ODBC layer, like say userID and password?

"Nikolay Stanchenko" <sheldy@cea.ru> wrote:
>
>Hello!
>
>ODBC is only interface for single database access to different Database

>Servers. Security is part of communication between server and database
>client. And ODBC layer uses client API.
>
>For ex. ODBC->Net8 ----- Oracle Server.
>
>If you want to secure communications you can use build-in security
>components of database server. Also you can use software like as stunnel
>to organize SSL encryption channel between client and server. In that case
>you can use digital certificates to identify client and server.
>
>Also there is way to develope special security ODBC-proxy that retransmits
>ODBC request to special application server and then from this server uses
>standard ODBC calls - but it's no easy way.
>
>
>Nikolay Stanchenko
>Brainbench MVP for Internet Security
>
>

[ObiWan]

> Box A has an ODBC datasource that points to Box B's IP address.
> Box B runs MS SQL Server 2000

In the case of MS SQL server (and other DB which use
standard TCP ports to communicate) you'll need some
kind of "tunnelling" program which will take care of
encrtypting the communications between the client
and the server; the idea is the following:

install a "tunnel client" on the local machine

install a "tunnel server" on the SQL machine

configure the tunnel client to talk to the server
and the server to map port 1433 on server side
so that the tunnel will end up to the SQL server

configure the ODBC DSN on the client to point
to the LOCAL machine where the tunnel client
is listening (e.g. 127.0.0.1:1433)

now, whenever you start an ODBC connection
the "tunnel client" will encrypt your request and
pass it up to the server which will then decrypt
it and send it to the SQL server; same thing for
the data being returned - final result *every*
communication between the ODBC client and the
SQL Server will be completely encrypted !

A good (open source) program to accomplish
this task is ZeBeDee; the home page is:

http://www.winton.org.uk/zebedee/

just to clear up things:

ODBC driver
pointing to
127.0.0.1
port 1433
|
ZeBeDee client
listening on 1433
and talking to
remote ZeBeDee
|
|
| encrypted tunnel
| (could be internet)
|
|
ZeBeDee server
mapping to 1433
on local SQLSRV
|
SQL server

I hope it's clear; in any case you can find more
informations reading the ZeBeDee documents

Regards