Database firewall is a useful tool that monitor databases to identify and protect against database specific attacks that mostly seek to access sensitive information stored in the databases. However the commercial database firewalls are expensive and needs specific product knowledge, while the opensource database firewalls are designed for specific opensource database servers. In order to fulfill the need of inexpensive database firewall, Snort - an opensource IDS/IPS - is possible to achieve the goal in some scenarios with familiar rule writing. The paper will explain the limitation of Snort as a database firewall, constraints in commercial database statement and some example implementation.

1. Database Firewall with Snort
Narudom Roongsiriwong

2. WhoAmI
Lazy Blogger
• Japan, Security, FOSS, Politics, Christian
• http://narudomr.blogspot.com
Food Lover
• Steak, Yakiniku, BBQ
• Sushi (especially Otoro)
• All Kinds of Noodle (Spaghetti, Ramen, Udon,
Kanomjean)
Head of IT Security, Kiatnakin Bank PLC
(KKP)

3. Agenda
What Are Database Firewalls?
Are there Open Source DB Firewalls?
What & Why Snort?
Implementation
Concerns
Q&A

4. Web/Web
Services
Custom
Applications
Business
Applications
How Databases Accessed?
Direct Access via Database
Protocols
• DBAs via query tools
• Fat client applications
Three-tier applications
• Internal users via Business
applications
Web applications
• Internal & External users via
browser interfaces
Application Interfaces
• Applications via Web
Services Interfaces
Browser Browser
DBA
SQL
Data
Thin Client
3 Tier App
Thick Client
2 Tier App
Thin Client
3 Tier App
Application
Interface

5. What are Database Firewalls?
Application Level Firewalls that monitor
databases to identify and protect against
database specific attacks that mostly seek to
access sensitive information stored in the
databases.
Deployed either in-line with the database
server (OR) near the network gateway

6. Database Firewall Functions
Policy Functions Details
Whitelist
Access Control
 IP address, DB user, schedule (time)
 IP address group, DB user group
 Security policy group
Authority Control
 Control by objects (Table, View)
 SQL operation (DML,DDL ,DCL)
 SQL sentence
Profile
 Automatic security policy by self learning SQL query
 Positive security based automatic Authority policy by Authority
Profile
 Control SQL sentence form by Form Profile
Backlist
Pattern Rule  Block/detect the user defined query pattern
Column Rule  Block/detect the specific column of object
Audit
Archive &
Analysis
 Logging all the SQL query.
 Analyzing audit log & security log
Management
 Central management for a several
 Analyzing the database traffic & network traffic
 Monitoring system usage

7. Are there Open Source DB Firewalls?
GreenSQL
• Cross Platform
• Rapid Deployment
• Well established
• Web application independent
• The only free security solution for MySQL
• User Friendly WEB GUI/Management tool

8. What is Snort?
Open source, freely available software except
for rules
Support Windows, Linux and Solaris
Sensors/actuators in a network
Signature based IDS/IPS
Rules defined to take certain action after
matching (atomic or composite)
• Example:
• alert tcp $HOME_NET any -> $EXTERNAL_NET any
(content:"uk.youtube.com”;msg:"someone visited
YouTube";)‫‏‬

9. Snort: Capabilities
Four modes of operation
• Packet Sniffer mode
• Packet Logger mode
• Network Intrusion Detection Mode
• Network Intrusion Prevention
Inline (IPS) Mode
• Configure Snort to receive packets from iptables rather
than libpcap.
• Separate capability that must be explicitly installed.
• Adds 3 new rule types
• Drop – iptables drops packet and snort logs
• Reject – iptables rejects packet and snort logs
• Sdrop – iptables will drop packet. No logging.

10. Why Snort?
Open Source
Low cost hardware implementation
Ready to use Linux distribution out there
• SmoothSec
• Security Onion
Partial DB Firewall function implementation

11. Database Firewall Functions by Snort
Policy Functions Details
Whitelist
Access Control
 IP address, DB user, schedule (time)
 IP address group, DB user group
 Security policy group
Authority Control
 Control by objects (Table, View)
 SQL operation (DML,DDL ,DCL)
 SQL sentence
Profile
 Automatic security policy by self learning SQL query
 Positive security based automatic Authority policy by Authority
Profile
 Control SQL sentence form by Form Profile
Backlist
Pattern Rule  Block/detect the user defined query pattern
Column Rule  Block/detect the specific column of object
Audit
Archive &
Analysis
 Logging all the SQL query.
 Analyzing audit log & security log
Management
 Central management for a several
 Analyzing the database traffic & network traffic
 Monitoring system usage

12. Management Add-On for Snort
PulledPork: Snort Ruleset Management
Squert: Analyze Alert
Sguil: Network Security Monitoring
Snorby: Network Security Monitoring
ELSA: Enterprise Log Search and Archive

13. Implementation
eth0
Fixed IP for Management
No IP, from User PCs
eth1
No IP, to Database Servers
eth2

14. SmoothSec
Lightweight and fully-ready IDS/IPS Linux
distribution
Based on Debian 7 (wheezy)
Available for 32 and 64 bit architecture.
Includes the latest version of Snorby, Snort,
Suricata, PulledPork and Pigsty.
Easy setup process allows to deploy a
complete IDS/IPS System within minutes
Last Update: 2014-01-28, required new Linux
kernel for new hardware (in this case LAN
cards)

15. SmoothSec: Installation

16. Scenario: Read only for Developers
Cause: Developers knows database privilege
usernames and passwords on legacy systems
Environment: UAT
Settings: Blacklist DDL, DCL and all DML
except‫“‏‬SELECT”

17. Explanation
DML: Data Manipulation Language
• SELECT, INSERT, UPDATE, DELETE, MERGE,
UPSERT, CALL, LOCK
DDL: Data Definition Language
• CREATE, ALTER, DROP, TRANCATE,
COMMENT, RENAME
DCL: Data Control Language
• GRANT, REVOKE

18. Example Ruleset: Block DDL
######### Block Create Table #########
drop tcp $UAT_NET any -> $DB_NET any (msg:"Block SQL Command:
Create Table"; flow: to_server, established;
content:"CREATE|20|"; nocase; pcre:"/CREATE.+TABLE/i";
sid:2015052205)
######### Block Create Database #########
drop tcp $UAT_NET any -> $DB_NET any (msg:"Block SQL Command:
Create Database"; flow: to_server, established;
content:"CREATE|20|"; nocase; pcre:"/CREATE.+DATABASE/i";
sid:2015052206)
######### Block Alter Table #########
drop tcp $UAT_NET any -> $DB_NET any (msg:"Block SQL Command:
ALTER"; flow: to_server, established; content:"ALTER|20|";
nocase; pcre:"/ALTER.+TABLE/i"; sid:2015052204)

19. Example Ruleset: Block DCL
######### Block Grant #########
drop tcp $UAT_NET any -> $DB_NET any (msg:"Block SQL Command:
Grant"; flow: to_server, established; content:"GRANT|20|";
nocase; pcre:"/GRANT.+ON/i"; sid:2015052211)
######### Block Revoke #########
drop tcp $UAT_NET any -> $DB_NET any (msg:"Block SQL Command:
Revoke"; flow: to_server, established; content:"REVOKE|20|";
nocase; pcre:"/REVOKE.+ON/i"; sid:2015052212)

20. Example Ruleset: Block DML
######### Block Insert Table #########
drop tcp $UAT_NET any -> $DB_NET any (msg:"Block SQL Command
Oracle: INSERT"; flow: to_server, established;
content:"INSERT|20|"; nocase; pcre:"/INSERT.+INTO/i";
sid:2015052201)
######### Block Update Table #########
drop tcp $UAT_NET any -> $DB_NET any (msg:"Block SQL Command
Oracle: UPDATE"; flow: to_server, established;
content:"UPDATE|20|"; nocase; pcre:"/UPDATE.+SET/i";
sid:2015052202)
######### Block Delete Table #########
drop tcp $UAT_NET any -> $DB_NET any (msg:"Block SQL Command
Oracle: DELETE"; flow: to_server, established;
content:"DELETE|20|"; nocase; pcre:"/DELETE.+FROM/i";
sid:2015052203)

21. Example Ruleset: Block Privilege Users
######### Block Privilege Users #########
drop tcp $UAT_NET any -> $DB_NET any (msg:"Drop privilege
user"; content:"USER=SYS"; nocase; sid:20150520)

22. Example Ruleset: Block Specific Software
########### Disallow Toad.exe #########
reject tcp $UAT_NET any -> $DB_NET any (msg:"Disallow
Toad.exe"; flow:to_server,established; content:"Toad.exe";
nocase; sid:2015062901)

23. Concerns: Unicode
UTF-8: No problem
UTF-16: ANSI pattern unable to match.
######### Block Create Table #########
drop tcp $UAT_NET any -> $DB_NET any (msg:"Block SQL Command:
Create Table"; flow: to_server, established;
content:"CREATE|20|"; nocase; pcre:"/CREATE.+TABLE/i";
sid:2015052205)
######### Block Create Table, UTF-16, Little Endian ########
drop tcp $UAT_NET any -> $DB_NET any (msg:"Block SQL Command
UTF-16LE: Create"; flow:to_server,established;
content:"C|00|R|00|E|00|A|00|T|00|E|00 20|"; nocase;
sid:2015052705)

24. Other Concerns
No return result on IPS drop, causes
disconnection on some software
Dual-Port Ethernet adapter with bypass
function may be required (with expensive cost)
Implement ruleset rotation to cover scheduling
feature.

25. Special Thanks
Amornsak Ruangtang
IT Security, Kiatnakin Bank PLC.
CEH, SEC+, MCITP, CCNA