A database firewall is a useful tool that monitors databases to identify and protect against database-specific attacks, which mostly seek to access sensitive information stored in the databases. However, commercial database firewalls are expensive and require product-specific knowledge, while the open-source database firewalls are designed for specific open-source database servers.
To fill the need for an inexpensive database firewall, Snort, an open-source IDS/IPS, can achieve the goal in some scenarios with familiar rule writing. This paper explains the limitations of Snort as a database firewall, constraints in commercial database statements, and some example implementations.
2. WhoAmI
Lazy Blogger
• Japan, Security, FOSS, Politics, Christian
• http://narudomr.blogspot.com
Food Lover
• Steak, Yakiniku, BBQ
• Sushi (especially Otoro)
• All Kinds of Noodle (Spaghetti, Ramen, Udon, Kanomjean)
Head of IT Security, Kiatnakin Bank PLC (KKP)
3. Agenda
What Are Database Firewalls?
Are there Open Source DB Firewalls?
What & Why Snort?
Implementation
Concerns
Q&A
4. How Are Databases Accessed?
Direct Access via Database Protocols
• DBAs via query tools
• Fat client applications
Three-tier applications
• Internal users via Business applications
Web applications
• Internal & External users via browser interfaces
Application Interfaces
• Applications via Web Services Interfaces
[Diagram: Web/Web Services, Custom Applications and Business Applications reaching the database as Thin Client 3 Tier Apps, Thick Client 2 Tier Apps, DBA SQL tools and Application Interfaces]
5. What are Database Firewalls?
Application-level firewalls that monitor databases to identify and protect against database-specific attacks, which mostly seek to access sensitive information stored in the databases.
Deployed either in-line with the database server or near the network gateway.
6. Database Firewall Functions
Policy     | Function           | Details
Whitelist  | Access Control     | IP address, DB user, schedule (time); IP address group, DB user group; security policy group
Whitelist  | Authority Control  | Control by objects (Table, View); SQL operation (DML, DDL, DCL); SQL sentence
Whitelist  | Profile            | Automatic security policy by self-learning SQL queries; positive-security automatic authority policy by Authority Profile; control of SQL sentence form by Form Profile
Blacklist  | Pattern Rule       | Block/detect a user-defined query pattern
Blacklist  | Column Rule        | Block/detect a specific column of an object
Audit      | Archive & Analysis | Logging all SQL queries; analyzing audit log & security log
Management |                    | Central management for several; analyzing database traffic & network traffic; monitoring system usage
7. Are there Open Source DB Firewalls?
GreenSQL
• Cross Platform
• Rapid Deployment
• Well established
• Web application independent
• The only free security solution for MySQL
• User Friendly WEB GUI/Management tool
8. What is Snort?
Open source, freely available software (except for some rule sets)
Supports Windows, Linux and Solaris
Sensors/actuators in a network
Signature-based IDS/IPS
Rules are defined to take a certain action after a match (atomic or composite)
• Example:
• alert tcp $HOME_NET any -> $EXTERNAL_NET any (content:"uk.youtube.com"; msg:"someone visited YouTube";)
9. Snort: Capabilities
Four modes of operation
• Packet Sniffer mode
• Packet Logger mode
• Network Intrusion Detection Mode
• Network Intrusion Prevention Inline (IPS) Mode
• Configure Snort to receive packets from iptables rather
than libpcap.
• Separate capability that must be explicitly installed.
• Adds 3 new rule types
• Drop – iptables drops packet and snort logs
• Reject – iptables rejects packet and snort logs
• Sdrop – iptables will drop packet. No logging.
10. Why Snort?
Open Source
Low-cost hardware implementation
Ready-to-use Linux distributions are available
• SmoothSec
• Security Onion
Partial DB Firewall function implementation
11. Database Firewall Functions by Snort
Policy     | Function           | Details
Whitelist  | Access Control     | IP address, DB user, schedule (time); IP address group, DB user group; security policy group
Whitelist  | Authority Control  | Control by objects (Table, View); SQL operation (DML, DDL, DCL); SQL sentence
Whitelist  | Profile            | Automatic security policy by self-learning SQL queries; positive-security automatic authority policy by Authority Profile; control of SQL sentence form by Form Profile
Blacklist  | Pattern Rule       | Block/detect a user-defined query pattern
Blacklist  | Column Rule        | Block/detect a specific column of an object
Audit      | Archive & Analysis | Logging all SQL queries; analyzing audit log & security log
Management |                    | Central management for several; analyzing database traffic & network traffic; monitoring system usage
14. SmoothSec
Lightweight and fully-ready IDS/IPS Linux distribution
Based on Debian 7 (wheezy)
Available for 32- and 64-bit architectures
Includes the latest versions of Snorby, Snort, Suricata, PulledPork and Pigsty
Easy setup process allows you to deploy a complete IDS/IPS system within minutes
Last update: 2014-01-28; a newer Linux kernel was required for new hardware (in this case, LAN cards)
16. Scenario: Read-only for Developers
Cause: Developers know the privileged database usernames and passwords on legacy systems
Environment: UAT
Settings: Blacklist DDL, DCL and all DML except "SELECT"
17. Explanation
DML: Data Manipulation Language
• SELECT, INSERT, UPDATE, DELETE, MERGE, UPSERT, CALL, LOCK
DDL: Data Definition Language
• CREATE, ALTER, DROP, TRUNCATE, COMMENT, RENAME
DCL: Data Control Language
• GRANT, REVOKE
18. Example Ruleset: Block DDL
######### Block Create Table #########
drop tcp $UAT_NET any -> $DB_NET any (msg:"Block SQL Command: Create Table"; flow:to_server,established; content:"CREATE|20|"; nocase; pcre:"/CREATE.+TABLE/i"; sid:2015052205;)
######### Block Create Database #########
drop tcp $UAT_NET any -> $DB_NET any (msg:"Block SQL Command: Create Database"; flow:to_server,established; content:"CREATE|20|"; nocase; pcre:"/CREATE.+DATABASE/i"; sid:2015052206;)
######### Block Alter Table #########
drop tcp $UAT_NET any -> $DB_NET any (msg:"Block SQL Command: ALTER"; flow:to_server,established; content:"ALTER|20|"; nocase; pcre:"/ALTER.+TABLE/i"; sid:2015052204;)
19. Example Ruleset: Block DCL
######### Block Grant #########
drop tcp $UAT_NET any -> $DB_NET any (msg:"Block SQL Command: Grant"; flow:to_server,established; content:"GRANT|20|"; nocase; pcre:"/GRANT.+ON/i"; sid:2015052211;)
######### Block Revoke #########
drop tcp $UAT_NET any -> $DB_NET any (msg:"Block SQL Command: Revoke"; flow:to_server,established; content:"REVOKE|20|"; nocase; pcre:"/REVOKE.+ON/i"; sid:2015052212;)
20. Example Ruleset: Block DML
######### Block Insert Table #########
drop tcp $UAT_NET any -> $DB_NET any (msg:"Block SQL Command Oracle: INSERT"; flow:to_server,established; content:"INSERT|20|"; nocase; pcre:"/INSERT.+INTO/i"; sid:2015052201;)
######### Block Update Table #########
drop tcp $UAT_NET any -> $DB_NET any (msg:"Block SQL Command Oracle: UPDATE"; flow:to_server,established; content:"UPDATE|20|"; nocase; pcre:"/UPDATE.+SET/i"; sid:2015052202;)
######### Block Delete Table #########
drop tcp $UAT_NET any -> $DB_NET any (msg:"Block SQL Command Oracle: DELETE"; flow:to_server,established; content:"DELETE|20|"; nocase; pcre:"/DELETE.+FROM/i"; sid:2015052203;)
21. Example Ruleset: Block Privilege Users
######### Block Privilege Users #########
drop tcp $UAT_NET any -> $DB_NET any (msg:"Drop privilege user"; content:"USER=SYS"; nocase; sid:20150520;)
22. Example Ruleset: Block Specific Software
########### Disallow Toad.exe #########
reject tcp $UAT_NET any -> $DB_NET any (msg:"Disallow Toad.exe"; flow:to_server,established; content:"Toad.exe"; nocase; sid:2015062901;)
23. Concerns: Unicode
UTF-8: no problem
UTF-16: the ANSI (single-byte) pattern cannot match, because in UTF-16LE every ASCII character is followed by a |00| byte.
######### Block Create Table #########
drop tcp $UAT_NET any -> $DB_NET any (msg:"Block SQL Command: Create Table"; flow:to_server,established; content:"CREATE|20|"; nocase; pcre:"/CREATE.+TABLE/i"; sid:2015052205;)
######### Block Create Table, UTF-16, Little Endian ########
drop tcp $UAT_NET any -> $DB_NET any (msg:"Block SQL Command UTF-16LE: Create"; flow:to_server,established; content:"C|00|R|00|E|00|A|00|T|00|E|00 20|"; nocase; sid:2015052705;)
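To see what the DDL/DML, privilege-user and UTF-16 rules from slides 18 to 23 would and would not stop before loading them on a sensor, the following added example (not code from the slides) emulates the content/nocase/pcre options in Python and runs the slide patterns over constructed sample payloads. The sample SQL and the connect string carrying USER=SYS are constructed, and the flow/established options are ignored; the "fp" sample shows the false positive a practitioner should expect: a permitted SELECT whose string literal contains "update ... set" is dropped by the UPDATE rule.

```python
import re

# Byte-level emulation of the Snort options the slide rules rely on
# (content with |xx| hex escapes, nocase, and pcre with the /i flag).

def parse_content(spec):
    """Turn a Snort content string such as 'E|00 20|' into raw bytes."""
    out = bytearray()
    for i, chunk in enumerate(spec.split("|")):
        out += chunk.encode("latin-1") if i % 2 == 0 else bytes.fromhex(chunk)
    return bytes(out)

# Subset of the slide rules as (msg, content, pcre-or-None); sids left out.
RULES = [
    ("Block SQL Command: Create Table", "CREATE|20|", r"CREATE.+TABLE"),
    ("Block SQL Command: Grant", "GRANT|20|", r"GRANT.+ON"),
    ("Block SQL Command Oracle: INSERT", "INSERT|20|", r"INSERT.+INTO"),
    ("Block SQL Command Oracle: UPDATE", "UPDATE|20|", r"UPDATE.+SET"),
    ("Block SQL Command Oracle: DELETE", "DELETE|20|", r"DELETE.+FROM"),
    ("Drop privilege user", "USER=SYS", None),
    ("Block SQL Command UTF-16LE: Create",
     "C|00|R|00|E|00|A|00|T|00|E|00 20|", None),
]

def matching_rules(payload):
    """Return the msg of every rule whose content (nocase) and pcre match."""
    hits = []
    low = payload.lower()          # nocase: compare ASCII letters case-blind
    for msg, content, pcre in RULES:
        if parse_content(content).lower() not in low:
            continue               # content is the fast pre-filter
        if pcre and not re.search(pcre.encode("ascii"), payload, re.I):
            continue               # pcre /i without /s: '.' stops at newlines
        hits.append(msg)
    return hits

def verdict(payload):
    return "drop" if matching_rules(payload) else "pass"

# Constructed sample client->server payloads (not captured traffic).
SAMPLES = {
    "select":  b"SELECT name FROM customers WHERE id = 7",
    "insert":  b"insert into audit_log (msg) values ('x')",
    "fp":      b"SELECT id FROM notes WHERE body = 'update x set y'",
    "utf16":   "CREATE TABLE scratch (id INT)".encode("utf-16-le"),
    "sysuser": b"(CONNECT_DATA=(SERVICE_NAME=orcl))(USER=SYS)",
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:8} {verdict(pkt):4} {matching_rules(pkt)}")
```

The "utf16" sample is matched only by the UTF-16LE rule, confirming the point of slide 23; the emulation is a pre-check only and does not replace loading the rules with snort -T.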
24. Other Concerns
No result is returned on an IPS drop, which causes a disconnection in some software
A dual-port Ethernet adapter with a bypass function may be required (at considerable cost)
Implement ruleset rotation to cover the schedule (time) feature