
Database Firewall with Snort

A database firewall is a useful tool that monitors databases to identify and protect against database-specific attacks, most of which seek to access sensitive information stored in the databases. However, commercial database firewalls are expensive and need product-specific knowledge, while the open-source database firewalls are designed for specific open-source database servers.

To meet the need for an inexpensive database firewall, Snort, an open-source IDS/IPS, can achieve the goal in some scenarios with familiar rule writing. The paper explains the limitations of Snort as a database firewall, constraints in commercial database statements, and some example implementations.


  1. Database Firewall with Snort. Narudom Roongsiriwong
  2. WhoAmI
     Lazy Blogger
     • Japan, Security, FOSS, Politics, Christian
     • http://narudomr.blogspot.com
     Food Lover
     • Steak, Yakiniku, BBQ
     • Sushi (especially Otoro)
     • All Kinds of Noodle (Spaghetti, Ramen, Udon, Kanomjean)
     Head of IT Security, Kiatnakin Bank PLC (KKP)
  3. Agenda
     • What Are Database Firewalls?
     • Are there Open Source DB Firewalls?
     • What & Why Snort?
     • Implementation
     • Concerns
     • Q&A
  4. How Are Databases Accessed?
     Direct Access via Database Protocols
     • DBAs via query tools
     • Fat client applications
     Three-tier applications
     • Internal users via business applications
     Web applications
     • Internal & external users via browser interfaces
     Application Interfaces
     • Applications via Web Services interfaces
     (Diagram: Browser, DBA, Thin Client 3-Tier App, Thick Client 2-Tier App and Application Interface, all reaching SQL Data; Web/Web Services, Custom Applications, Business Applications)
  5. What are Database Firewalls?
     Application-level firewalls that monitor databases to identify and protect against database-specific attacks, most of which seek to access sensitive information stored in the databases.
     Deployed either in-line with the database server or near the network gateway.
  6. Database Firewall Functions
     Policy      Function             Details
     Whitelist   Access Control       • IP address, DB user, schedule (time)
                                      • IP address group, DB user group
                                      • Security policy group
                 Authority Control    • Control by objects (Table, View)
                                      • SQL operation (DML, DDL, DCL)
                                      • SQL sentence
                 Profile              • Automatic security policy by self-learning SQL query
                                      • Positive-security automatic authority policy by Authority Profile
                                      • Control SQL sentence form by Form Profile
     Blacklist   Pattern Rule         • Block/detect the user-defined query pattern
                 Column Rule          • Block/detect the specific column of an object
     Audit       Archive & Analysis   • Logging all SQL queries
                                      • Analyzing audit log & security log
     Management                       • Central management for several
                                      • Analyzing the database traffic & network traffic
                                      • Monitoring system usage
  7. Are there Open Source DB Firewalls?
     GreenSQL
     • Cross platform
     • Rapid deployment
     • Well established
     • Web application independent
     • The only free security solution for MySQL
     • User-friendly web GUI/management tool
  8. What is Snort?
     • Open source, freely available software except for rules
     • Supports Windows, Linux and Solaris
     • Sensors/actuators in a network
     • Signature-based IDS/IPS
     • Rules are defined to take a certain action after matching (atomic or composite)
     • Example (a sid is added here so the rule loads, since Snort requires one):
       alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"someone visited YouTube"; content:"uk.youtube.com"; sid:1000001;)
  9. Snort: Capabilities
     Four modes of operation
     • Packet Sniffer mode
     • Packet Logger mode
     • Network Intrusion Detection mode
     • Network Intrusion Prevention Inline (IPS) mode
       • Configure Snort to receive packets from iptables rather than libpcap.
       • Separate capability that must be explicitly installed.
       • Adds 3 new rule types:
         • Drop: iptables drops the packet and Snort logs it
         • Reject: iptables rejects the packet and Snort logs it
         • Sdrop: iptables drops the packet, no logging
  10. Why Snort?
     • Open source
     • Low-cost hardware implementation
     • Ready-to-use Linux distributions out there
       • SmoothSec
       • Security Onion
     • Partial DB firewall function implementation
  11. Database Firewall Functions by Snort
     Policy      Function             Details
     Whitelist   Access Control       • IP address, DB user, schedule (time)
                                      • IP address group, DB user group
                                      • Security policy group
                 Authority Control    • Control by objects (Table, View)
                                      • SQL operation (DML, DDL, DCL)
                                      • SQL sentence
                 Profile              • Automatic security policy by self-learning SQL query
                                      • Positive-security automatic authority policy by Authority Profile
                                      • Control SQL sentence form by Form Profile
     Blacklist   Pattern Rule         • Block/detect the user-defined query pattern
                 Column Rule          • Block/detect the specific column of an object
     Audit       Archive & Analysis   • Logging all SQL queries
                                      • Analyzing audit log & security log
     Management                       • Central management for several
                                      • Analyzing the database traffic & network traffic
                                      • Monitoring system usage
  12. Management Add-Ons for Snort
     • PulledPork: Snort ruleset management
     • Squert: alert analysis
     • Sguil: network security monitoring
     • Snorby: network security monitoring
     • ELSA: Enterprise Log Search and Archive
  13. Implementation
     • eth0: fixed IP, for management
     • eth1: no IP, from user PCs
     • eth2: no IP, to database servers
  14. SmoothSec
     • Lightweight and fully-ready IDS/IPS Linux distribution
     • Based on Debian 7 (wheezy)
     • Available for 32- and 64-bit architectures
     • Includes the latest versions of Snorby, Snort, Suricata, PulledPork and Pigsty
     • Easy setup process allows deploying a complete IDS/IPS system within minutes
     • Last update: 2014-01-28; a newer Linux kernel was required for new hardware (in this case LAN cards)
  15. SmoothSec: Installation
  16. Scenario: Read Only for Developers
     Cause: developers know privileged database usernames and passwords on legacy systems
     Environment: UAT
     Settings: blacklist DDL, DCL and all DML except "SELECT"
  17. Explanation
     DML: Data Manipulation Language
     • SELECT, INSERT, UPDATE, DELETE, MERGE, UPSERT, CALL, LOCK
     DDL: Data Definition Language
     • CREATE, ALTER, DROP, TRUNCATE, COMMENT, RENAME
     DCL: Data Control Language
     • GRANT, REVOKE
  18. Example Ruleset: Block DDL
     ######### Block Create Table #########
     drop tcp $UAT_NET any -> $DB_NET any (msg:"Block SQL Command: Create Table"; flow:to_server,established; content:"CREATE|20|"; nocase; pcre:"/CREATE.+TABLE/i"; sid:2015052205;)
     ######### Block Create Database #########
     drop tcp $UAT_NET any -> $DB_NET any (msg:"Block SQL Command: Create Database"; flow:to_server,established; content:"CREATE|20|"; nocase; pcre:"/CREATE.+DATABASE/i"; sid:2015052206;)
     ######### Block Alter Table #########
     drop tcp $UAT_NET any -> $DB_NET any (msg:"Block SQL Command: ALTER"; flow:to_server,established; content:"ALTER|20|"; nocase; pcre:"/ALTER.+TABLE/i"; sid:2015052204;)
  19. Example Ruleset: Block DCL
     ######### Block Grant #########
     drop tcp $UAT_NET any -> $DB_NET any (msg:"Block SQL Command: Grant"; flow:to_server,established; content:"GRANT|20|"; nocase; pcre:"/GRANT.+ON/i"; sid:2015052211;)
     ######### Block Revoke #########
     drop tcp $UAT_NET any -> $DB_NET any (msg:"Block SQL Command: Revoke"; flow:to_server,established; content:"REVOKE|20|"; nocase; pcre:"/REVOKE.+ON/i"; sid:2015052212;)
  20. Example Ruleset: Block DML
     ######### Block Insert Table #########
     drop tcp $UAT_NET any -> $DB_NET any (msg:"Block SQL Command Oracle: INSERT"; flow:to_server,established; content:"INSERT|20|"; nocase; pcre:"/INSERT.+INTO/i"; sid:2015052201;)
     ######### Block Update Table #########
     drop tcp $UAT_NET any -> $DB_NET any (msg:"Block SQL Command Oracle: UPDATE"; flow:to_server,established; content:"UPDATE|20|"; nocase; pcre:"/UPDATE.+SET/i"; sid:2015052202;)
     ######### Block Delete Table #########
     drop tcp $UAT_NET any -> $DB_NET any (msg:"Block SQL Command Oracle: DELETE"; flow:to_server,established; content:"DELETE|20|"; nocase; pcre:"/DELETE.+FROM/i"; sid:2015052203;)
  21. Example Ruleset: Block Privileged Users
     ######### Block Privileged Users #########
     drop tcp $UAT_NET any -> $DB_NET any (msg:"Drop privilege user"; content:"USER=SYS"; nocase; sid:20150520;)
  22. Example Ruleset: Block Specific Software
     ######### Disallow Toad.exe #########
     reject tcp $UAT_NET any -> $DB_NET any (msg:"Disallow Toad.exe"; flow:to_server,established; content:"Toad.exe"; nocase; sid:2015062901;)
  23. Concerns: Unicode
     UTF-8: no problem.
     UTF-16: an ANSI pattern is unable to match, so a separate rule written against the UTF-16LE byte sequence is needed.
     ######### Block Create Table #########
     drop tcp $UAT_NET any -> $DB_NET any (msg:"Block SQL Command: Create Table"; flow:to_server,established; content:"CREATE|20|"; nocase; pcre:"/CREATE.+TABLE/i"; sid:2015052205;)
     ######### Block Create Table, UTF-16, Little Endian #########
     drop tcp $UAT_NET any -> $DB_NET any (msg:"Block SQL Command UTF-16LE: Create"; flow:to_server,established; content:"C|00|R|00|E|00|A|00|T|00|E|00 20|"; nocase; sid:2015052705;)
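The rule-writing pattern of slides 16 to 23 (a content match plus a pcre per blocked verb, and a separate byte pattern for UTF-16LE clients), as an added Python example that is not part of the deck: it generates both rule variants for the read-only UAT scenario and simulates Snort's content/nocase matching over constructed client payloads to show why the ASCII rule misses UTF-16LE traffic. The sid base, message texts and sample payloads are assumptions.

```python
import re

# Scenario from the deck: in UAT, block all DDL and DCL and every DML verb
# except SELECT. (verb, second keyword) pairs mirror the deck's content + pcre
# style; the pcre keeps a bare verb inside a string literal from matching alone.
BLOCKED = [("CREATE", "TABLE"), ("CREATE", "DATABASE"), ("ALTER", "TABLE"),
           ("GRANT", "ON"), ("REVOKE", "ON"), ("INSERT", "INTO"),
           ("UPDATE", "SET"), ("DELETE", "FROM")]

def snort_content(data: bytes) -> str:
    """Render raw bytes as a Snort content string, non-printables as |hh hh| runs."""
    out, hexrun = [], []
    def flush():
        if hexrun:
            out.append("|" + " ".join(hexrun) + "|")
            hexrun.clear()
    for b in data:
        if 0x21 <= b <= 0x7E and chr(b) not in '|";\\':
            flush()
            out.append(chr(b))
        else:
            hexrun.append(f"{b:02X}")
    flush()
    return "".join(out)

def utf16le_content(keyword: str) -> str:
    """Content option for '<keyword> ' as the UTF-16LE bytes a client would send."""
    return snort_content((keyword + " ").encode("utf-16-le"))

def make_rules(base_sid: int) -> list:
    """Emit an ASCII rule and a UTF-16LE rule per blocked statement (sid base assumed)."""
    rules, head = [], "drop tcp $UAT_NET any -> $DB_NET any"
    for i, (verb, second) in enumerate(BLOCKED):
        rules.append(f'{head} (msg:"Block SQL Command: {verb} {second}"; flow:to_server,established; '
                     f'content:"{verb}|20|"; nocase; pcre:"/{verb}.+{second}/i"; sid:{base_sid + 2*i};)')
        rules.append(f'{head} (msg:"Block SQL Command UTF-16LE: {verb}"; flow:to_server,established; '
                     f'content:"{utf16le_content(verb)}"; nocase; sid:{base_sid + 2*i + 1};)')
    return rules

def content_bytes(content: str) -> bytes:
    """Inverse of snort_content: literal text outside |..|, hex bytes inside."""
    return b"".join(p.encode("latin-1") if i % 2 == 0 else bytes.fromhex(p)
                    for i, p in enumerate(content.split("|")))

def which_rule_hits(payload: bytes, verb: str, second: str):
    """Simulate 'content; nocase' (plus pcre for ASCII): 'ascii', 'utf16le' or None."""
    if (content_bytes(f"{verb}|20|").lower() in payload.lower()
            and re.search(f"{verb}.+{second}".encode(), payload, re.I)):
        return "ascii"
    if content_bytes(utf16le_content(verb)).lower() in payload.lower():
        return "utf16le"
    return None
```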
  24. Other Concerns
     • No result is returned on an IPS drop, which causes disconnection in some software
     • A dual-port Ethernet adapter with bypass function may be required (at considerable cost)
     • Implement ruleset rotation to cover the scheduling feature
  25. Special Thanks
     Amornsak Ruangtang, IT Security, Kiatnakin Bank PLC. CEH, SEC+, MCITP, CCNA
