4

I would like to set up an MS SQL proxy server.

It should forward all requests 1:1 and make it possible to log them, and modify some of the requests or answers according to some replacement rules I set up.

Maybe some TCP/IP networking software or a general proxy can do this, but even better would be some specialised MS SQL tools.

We are still on SQL Server 2005.

mit
  • Why would a 'specialised MS SQL Tool' be better? – Greg Askew Mar 18 '13 at 16:54
  • @GregAskew Have a look at explunit's answer; he explains that the traffic is binary. A specialised tool could analyse the binary content and understand or log/show/filter its text representation or even replace parts of it and reconvert. – mit Mar 18 '13 at 18:48
  • I found this question regarding HTTP traffic, but maybe there is a better solution for this setup. http://security.stackexchange.com/questions/223/how-can-i-intercept-and-modify-http-requests – mit Mar 18 '13 at 19:00
  • There is a similar question in reverse engineering Q&A but looking to log the queries intercepting the application instead of using a network tool: http://reverseengineering.stackexchange.com/questions/1617/server-side-query-interception-with-ms-sql-server – sw. Aug 09 '13 at 20:58

1 Answer

3

This is unlikely to work with standard networking software and regexes, since SQL Server uses a binary protocol, Tabular Data Stream (TDS).

You would probably need a specialized application using something like FreeTDS or jTDS to decode, modify, forward, and respond to the requests.

If security is your concern, there are several commercial products offering database firewall features. For example, Audit Vault and Database Firewall from Oracle (yes, it works with SQL Server too) or Database Firewall from GreenSQL.

From an architecture perspective, if this is a brand new application being envisioned, you may want to look at not exposing the SQL server directly but handling this kind of logic at the web service layer.

EDIT: it's possible to have SQL Server use HTTP endpoints (SOAP) for specific items, but this feature is deprecated and was removed in SQL 2012, so you should not count on it as a well-supported feature. Their recommendation is to handle this at the web service layer using WCF.

explunit
  • Regarding the security of the connection, it is already in a secure environment. But maybe we could use the Oracle firewall tool in another setup some day. Looks promising. – mit Mar 18 '13 at 18:42
  • Wouldn't it be possible to configure SQL Server to use text instead of binary? – mit Mar 18 '13 at 18:43
  • Added text above re HTTP endpoints. I'm not an expert on the SQL firewall products, but I suspect they have a lot of logging features. – explunit Mar 18 '13 at 18:49
  • I forgot to mention that we are using SQL Server 2005 with the application. – mit Mar 18 '13 at 18:58
  • I just noticed that the Oracle product has a "substitute" mode. And it works on Sybase, which means it could operate correctly on MS SQL 2005. I am going to try out what it can do for me. – mit Mar 18 '13 at 20:24
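
An added example (not part of the original answer or comments) of why a byte-level regex misses queries in TDS traffic and what a TDS-aware logger has to do instead: split the stream on the 8-byte packet header, reassemble SQL batch messages, skip the ALL_HEADERS block, and decode the UTF-16LE text. It assumes an unencrypted connection and the TDS 7.2 batch layout; the function names and the sample packet are constructed for illustration.

```python
import struct

# TDS packet header: type, status, length (incl. header), SPID, packet id, window
TDS_HEADER = struct.Struct(">BBHHBB")
SQL_BATCH = 0x01    # packet type carrying a SQL batch
STATUS_EOM = 0x01   # status bit: last packet of the message

def build_sql_batch(sql, all_headers=True):
    """Constructed sample: one unencrypted SQL batch packet (not captured traffic)."""
    body = b""
    if all_headers:
        # Transaction descriptor header: length 18, type 2, descriptor 0, 1 request
        txn = struct.pack("<IHQI", 18, 2, 0, 1)
        body += struct.pack("<I", 4 + len(txn)) + txn
    body += sql.encode("utf-16-le")
    size = TDS_HEADER.size + len(body)
    return TDS_HEADER.pack(SQL_BATCH, STATUS_EOM, size, 0, 1, 0) + body

def split_packets(stream):
    """Yield (type, status, payload) for each complete TDS packet in a byte stream."""
    offset = 0
    while offset + TDS_HEADER.size <= len(stream):
        ptype, status, length, _spid, _pid, _win = TDS_HEADER.unpack_from(stream, offset)
        if length < TDS_HEADER.size or offset + length > len(stream):
            raise ValueError("truncated or malformed TDS packet")
        yield ptype, status, stream[offset + TDS_HEADER.size:offset + length]
        offset += length

def extract_batches(stream, all_headers=True):
    """Reassemble SQL batch messages and return their query text for logging."""
    batches, buf = [], b""
    for ptype, status, payload in split_packets(stream):
        if ptype != SQL_BATCH:
            continue
        buf += payload                      # a message may span several packets
        if status & STATUS_EOM:
            if all_headers:                 # skip ALL_HEADERS (first DWORD = total length)
                (total,) = struct.unpack_from("<I", buf, 0)
                buf = buf[total:]
            batches.append(buf.decode("utf-16-le"))
            buf = b""
    return batches

if __name__ == "__main__":
    wire = build_sql_batch("SELECT name FROM sys.databases")
    print("ASCII match on the wire:", b"SELECT" in wire)
    print("decoded batches:", extract_batches(wire))
```

Rewriting a batch in a proxy means doing the reverse as well: re-encoding the modified text and recomputing the length field of every packet it occupies.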