2. CONTENT
Introduction to Security of Database
Architecture of the Security System
Attack Protection
Construction of Secure Rule Library
SQL Filtering
Workflow of SQL Filtration
Conclusion
3. INTRODUCTION
More and more applications based on databases have appeared.
SQL attacks have drawn attention to the security of databases
on the internet.
Many security schemes have been proposed, such as SQL injection
attack detection systems and security proxies in front of the web
server.
But each of these provides only one aspect of protection.
This work proposes deploying the security gateway between the Web
Server and the Database Server.
4. ARCHITECTURE
There are six main modules:
Authentication
Transparent Proxy
Attack Protection
Connection Monitoring
Service Configuration
Audit
6. Authentication: The authentication module inspects the
authority of users who access the database.
Transparent Proxy: It works by means of port mapping.
Attack Protection: It detects and prevents various types of
attacks in real time.
Connection Monitoring: It monitors all connections to the
database and the flow of information on each connection in
real time.
Audit: It provides an audit function which includes mandatory
audit and common audit.
Service Configuration: It provides service configuration
management.
7. ATTACK PROTECTION
The attack protection module uses network and database
protocol analysis to analyse received packets and a pattern-
matching algorithm to determine the legality of SQL statements.
[Figure: attack protection workflow; recoverable block label: database protocol analysis]
8. Construction of Secure Rules Library
The secure rules library is the attack-characteristics library of
the module and is central to it. It contains many rules, each of
which describes one attack characteristic, and the system identifies
attacks by matching against the rules library. Each rule is divided
into two parts: the rule head and the rule option. The format of the
rule head is shown below:
9. SQL Filtering
SQL filtering is one of the core functions of the system.
It compares the SQL access of applications with the predefined
access rules, analyses the SQL statements, matches them against
the characteristics of intrusion, and issues a warning or a record.
For each type of intrusion, the system refines its characteristic
value and writes an inspection rule; together these form the
rule bank.
On receiving an SQL statement, the SQL filtering module converts
it into data whose format can be identified, checks the
legitimacy of the TCP and IP headers, and uses a pattern-matching
algorithm to detect and analyse the data.
11. CONCLUSION
To enhance the security of database applications, a transparent
database security gateway between the web server and the database
server is introduced.
Authentication: IP address, user name, database name, schema name, tables and views are combined into an authorization object. Some "IP + User" objects are authorized to access the database fully.
Transparent Proxy: It shields the IP address and port of the real database server.
Attack Protection: When a user's operations carry attack code, the system identifies them in real time and automatically cuts off the connection to prevent the attack from succeeding.
Connection Monitoring: It raises alarms on accesses that exceed their authority or on attacks, and keeps logs.
Audit: Mandatory audit records important events such as database connections, unauthorized access, the IP addresses of accesses that exceeded their authority, and attacks. Common audit includes the audit of all SQL statements.
Workflow of attack protection: The data packet capture module monitors the network, captures packets and sends them to the network protocol analysis module. The network protocol analysis module extracts and reassembles the data from these packets according to the TCP/IP protocol and passes the data to the database protocol analysis module, which extracts the SQL statements and sends them to the SQL filtering module. The SQL filtering module uses a matching algorithm to compare them with the rules in the rules library to determine whether there is an intrusion. The response module takes measures against an identified intrusion; this system's response is to cut off the intruder's TCP connection, whereas most commercial implementations combine the intrusion detection system with routers or firewalls to implement the response.
Rule head format: The action section states what action is taken when the rule and the SQL packet compare to meet the condition. Generally the action is to generate an alert, record a log, cut off the TCP connection or pass the request on to other rules. The protocol section gives the protocol used by the SQL packet; the system only supports TCP. The address section specifies source or destination addresses: a host, a number of host addresses or a network address. There are two address sections in a rule, and which is the source and which the destination depends on the direction section. The port section specifies the source or destination port of the packet. The direction section uses "->" or "<-" to specify which side is the source address and port and which is the destination.
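The rule head sections and the SQL filtering step described above, worked as an added example (this is not the gateway's own code and is not taken from the cited papers): a small Python filter that parses rules whose head carries the action, protocol, address, port and direction sections, compares the head with the packet's TCP/IP fields, matches the rule option's pattern against the SQL statement handed over by database protocol analysis, and returns the action for the response module. The rule syntax, the option names msg and sql, the database address 10.0.0.5:1433, the application subnet 10.0.1.0/24 and the patterns are all constructed for this example; the slides do not give the original system's syntax.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed rule syntax (an assumption: the slides name the sections of a
# rule head but not their exact spelling). One rule per line:
#   <action> <protocol> <addr> <port> <direction> <addr> <port> (<options>)
# addr is a host, a CIDR network or "any"; port is a number or "any";
# direction is "->" or "<-"; options are key:"value" pairs, where the
# "sql" option carries the attack characteristic as a regular expression.
RULE_RE = re.compile(
    r"^(?P<action>alert|log|drop)\s+(?P<proto>tcp)\s+"
    r"(?P<a1>\S+)\s+(?P<p1>\S+)\s+(?P<dir>->|<-)\s+"
    r"(?P<a2>\S+)\s+(?P<p2>\S+)\s*\((?P<opts>.*)\)\s*$"
)
OPT_RE = re.compile(r'(\w+):"((?:[^"\\]|\\.)*)"')


@dataclass
class Rule:
    action: str
    src_net: Optional[ipaddress.IPv4Network]   # None means "any"
    src_port: Optional[int]
    dst_net: Optional[ipaddress.IPv4Network]
    dst_port: Optional[int]
    msg: str
    pattern: re.Pattern                        # the attack characteristic


@dataclass
class SqlPacket:
    """What the database protocol analysis module hands to the filter."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    sql: str


def _net(tok: str):
    return None if tok == "any" else ipaddress.ip_network(tok, strict=False)


def _port(tok: str):
    return None if tok == "any" else int(tok)


def parse_rule(line: str) -> Rule:
    """Split one rule into its head (action, protocol, addresses, ports,
    direction) and its options."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"malformed rule: {line!r}")
    opts = dict(OPT_RE.findall(m["opts"]))
    # The direction section decides which address/port pair is the source.
    if m["dir"] == "->":
        src, dst = (m["a1"], m["p1"]), (m["a2"], m["p2"])
    else:
        src, dst = (m["a2"], m["p2"]), (m["a1"], m["p1"])
    return Rule(m["action"], _net(src[0]), _port(src[1]),
                _net(dst[0]), _port(dst[1]),
                opts.get("msg", ""), re.compile(opts["sql"], re.IGNORECASE))


def head_matches(rule: Rule, pkt: SqlPacket) -> bool:
    """Compare the rule head against the packet's TCP/IP header fields."""
    def addr_ok(net, ip):
        return net is None or ipaddress.ip_address(ip) in net

    def port_ok(want, have):
        return want is None or want == have

    return (addr_ok(rule.src_net, pkt.src_ip) and port_ok(rule.src_port, pkt.src_port)
            and addr_ok(rule.dst_net, pkt.dst_ip) and port_ok(rule.dst_port, pkt.dst_port))


def filter_sql(rules: List[Rule], pkt: SqlPacket) -> Tuple[str, str]:
    """The first rule whose head and SQL pattern both match decides the
    action; with no match the statement passes on to the database."""
    for rule in rules:
        if head_matches(rule, pkt) and rule.pattern.search(pkt.sql):
            return rule.action, rule.msg
    return "pass", ""


# Constructed rules library: the protected database is assumed to listen on
# 10.0.0.5:1433 and the application servers to live in 10.0.1.0/24.
RULE_LIBRARY = [parse_rule(line) for line in [
    r'drop tcp any any -> 10.0.0.5 1433 (msg:"tautology in WHERE clause"; sql:"\bor\s+1\s*=\s*1\b")',
    r'drop tcp any any -> 10.0.0.5 1433 (msg:"stacked statement"; sql:";\s*(drop|delete|truncate|shutdown)\b")',
    r'alert tcp 10.0.0.5 1433 <- 10.0.1.0/24 any (msg:"comment sequence"; sql:"--|/\*")',
]]

if __name__ == "__main__":
    pkt = SqlPacket("10.0.1.7", 51000, "10.0.0.5", 1433,
                    "SELECT * FROM users WHERE name='x' OR 1=1")
    print(filter_sql(RULE_LIBRARY, pkt))   # ('drop', 'tautology in WHERE clause')
```

The third rule is written with "<-" so that the address and port pair on the right-hand side becomes the source, which is the point of the direction section; a packet with the same "--" characteristic arriving from outside 10.0.1.0/24 does not match that rule's head and passes, which shows why the head is checked before the option pattern.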
Deployment: The gateway has been deployed in an electrical secondary system. The loss of database access speed is less than 10%, which complies with the system requirement.