Database Firewall with Snort
•
8 likes•3,888 views
Database firewall is a useful tool that monitor databases to identify and protect against database specific attacks that mostly seek to access sensitive information stored in the databases. However the commercial database firewalls are expensive and needs specific product knowledge, while the opensource database firewalls are designed for specific opensource database servers. In order to fulfill the need of inexpensive database firewall, Snort - an opensource IDS/IPS - is possible to achieve the goal in some scenarios with familiar rule writing. The paper will explain the limitation of Snort as a database firewall, constraints in commercial database statement and some example implementation.
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (20)
Similar to Database Firewall with Snort
Similar to Database Firewall with Snort (20)
More from Narudom Roongsiriwong, CISSP
More from Narudom Roongsiriwong, CISSP (20)
Recently uploaded
Recently uploaded (20)
Database Firewall with Snort
- 1. Database Firewall with Snort Narudom Roongsiriwong
- 2. WhoAmI Lazy Blogger • Japan, Security, FOSS, Politics, Christian • http://narudomr.blogspot.com Food Lover • Steak, Yakiniku, BBQ • Sushi (especially Otoro) • All Kinds of Noodle (Spaghetti, Ramen, Udon, Kanomjean) Head of IT Security, Kiatnakin Bank PLC (KKP)
- 3. Agenda What Are Database Firewalls? Are there Open Source DB Firewalls? What & Why Snort? Implementation Concerns Q&A
- 4. Web/Web Services Custom Applications Business Applications How Databases Accessed? Direct Access via Database Protocols • DBAs via query tools • Fat client applications Three-tier applications • Internal users via Business applications Web applications • Internal & External users via browser interfaces Application Interfaces • Applications via Web Services Interfaces Browser Browser DBA SQL Data Thin Client 3 Tier App Thick Client 2 Tier App Thin Client 3 Tier App Application Interface
- 5. What are Database Firewalls? Application Level Firewalls that monitor databases to identify and protect against database specific attacks that mostly seek to access sensitive information stored in the databases. Deployed either in-line with the database server (OR) near the network gateway
- 6. Database Firewall Functions Policy Functions Details Whitelist Access Control IP address, DB user, schedule (time) IP address group, DB user group Security policy group Authority Control Control by objects (Table, View) SQL operation (DML,DDL ,DCL) SQL sentence Profile Automatic security policy by self learning SQL query Positive security based automatic Authority policy by Authority Profile Control SQL sentence form by Form Profile Backlist Pattern Rule Block/detect the user defined query pattern Column Rule Block/detect the specific column of object Audit Archive & Analysis Logging all the SQL query. Analyzing audit log & security log Management Central management for a several Analyzing the database traffic & network traffic Monitoring system usage
- 7. Are there Open Source DB Firewalls? GreenSQL • Cross Platform • Rapid Deployment • Well established • Web application independent • The only free security solution for MySQL • User Friendly WEB GUI/Management tool
- 8. What is Snort? Open source, freely available software except for rules Support Windows, Linux and Solaris Sensors/actuators in a network Signature based IDS/IPS Rules defined to take certain action after matching (atomic or composite) • Example: • alert tcp $HOME_NET any -> $EXTERNAL_NET any (content:"uk.youtube.com”;msg:"someone visited YouTube";)
- 9. Snort: Capabilities Four modes of operation • Packet Sniffer mode • Packet Logger mode • Network Intrusion Detection Mode • Network Intrusion Prevention Inline (IPS) Mode • Configure Snort to receive packets from iptables rather than libpcap. • Separate capability that must be explicitly installed. • Adds 3 new rule types • Drop – iptables drops packet and snort logs • Reject – iptables rejects packet and snort logs • Sdrop – iptables will drop packet. No logging.
- 10. Why Snort? Open Source Low cost hardware implementation Ready to use Linux distribution out there • SmoothSec • Security Onion Partial DB Firewall function implementation
- 11. Database Firewall Functions by Snort Policy Functions Details Whitelist Access Control IP address, DB user, schedule (time) IP address group, DB user group Security policy group Authority Control Control by objects (Table, View) SQL operation (DML,DDL ,DCL) SQL sentence Profile Automatic security policy by self learning SQL query Positive security based automatic Authority policy by Authority Profile Control SQL sentence form by Form Profile Backlist Pattern Rule Block/detect the user defined query pattern Column Rule Block/detect the specific column of object Audit Archive & Analysis Logging all the SQL query. Analyzing audit log & security log Management Central management for a several Analyzing the database traffic & network traffic Monitoring system usage
- 12. Management Add-On for Snort PulledPork: Snort Ruleset Management Squert: Analyze Alert Sguil: Network Security Monitoring Snorby: Network Security Monitoring ELSA: Enterprise Log Search and Archive
- 13. Implementation eth0 Fixed IP for Management No IP, from User PCs eth1 No IP, to Database Servers eth2
- 14. SmoothSec Lightweight and fully-ready IDS/IPS Linux distribution Based on Debian 7 (wheezy) Available for 32 and 64 bit architecture. Includes the latest version of Snorby, Snort, Suricata, PulledPork and Pigsty. Easy setup process allows to deploy a complete IDS/IPS System within minutes Last Update: 2014-01-28, required new Linux kernel for new hardware (in this case LAN cards)
- 16. Scenario: Read only for Developers Cause: Developers knows database privilege usernames and passwords on legacy systems Environment: UAT Settings: Blacklist DDL, DCL and all DML except“SELECT”
- 17. Explanation DML: Data Manipulation Language • SELECT, INSERT, UPDATE, DELETE, MERGE, UPSERT, CALL, LOCK DDL: Data Definition Language • CREATE, ALTER, DROP, TRANCATE, COMMENT, RENAME DCL: Data Control Language • GRANT, REVOKE
- 18. Example Ruleset: Block DDL ######### Block Create Table ######### drop tcp $UAT_NET any -> $DB_NET any (msg:"Block SQL Command: Create Table"; flow: to_server, established; content:"CREATE|20|"; nocase; pcre:"/CREATE.+TABLE/i"; sid:2015052205) ######### Block Create Database ######### drop tcp $UAT_NET any -> $DB_NET any (msg:"Block SQL Command: Create Database"; flow: to_server, established; content:"CREATE|20|"; nocase; pcre:"/CREATE.+DATABASE/i"; sid:2015052206) ######### Block Alter Table ######### drop tcp $UAT_NET any -> $DB_NET any (msg:"Block SQL Command: ALTER"; flow: to_server, established; content:"ALTER|20|"; nocase; pcre:"/ALTER.+TABLE/i"; sid:2015052204)
- 19. Example Ruleset: Block DCL ######### Block Grant ######### drop tcp $UAT_NET any -> $DB_NET any (msg:"Block SQL Command: Grant"; flow: to_server, established; content:"GRANT|20|"; nocase; pcre:"/GRANT.+ON/i"; sid:2015052211) ######### Block Revoke ######### drop tcp $UAT_NET any -> $DB_NET any (msg:"Block SQL Command: Revoke"; flow: to_server, established; content:"REVOKE|20|"; nocase; pcre:"/REVOKE.+ON/i"; sid:2015052212)
- 20. Example Ruleset: Block DML ######### Block Insert Table ######### drop tcp $UAT_NET any -> $DB_NET any (msg:"Block SQL Command Oracle: INSERT"; flow: to_server, established; content:"INSERT|20|"; nocase; pcre:"/INSERT.+INTO/i"; sid:2015052201) ######### Block Update Table ######### drop tcp $UAT_NET any -> $DB_NET any (msg:"Block SQL Command Oracle: UPDATE"; flow: to_server, established; content:"UPDATE|20|"; nocase; pcre:"/UPDATE.+SET/i"; sid:2015052202) ######### Block Delete Table ######### drop tcp $UAT_NET any -> $DB_NET any (msg:"Block SQL Command Oracle: DELETE"; flow: to_server, established; content:"DELETE|20|"; nocase; pcre:"/DELETE.+FROM/i"; sid:2015052203)
- 21. Example Ruleset: Block Privilege Users ######### Block Privilege Users ######### drop tcp $UAT_NET any -> $DB_NET any (msg:"Drop privilege user"; content:"USER=SYS"; nocase; sid:20150520)
- 22. Example Ruleset: Block Specific Software ########### Disallow Toad.exe ######### reject tcp $UAT_NET any -> $DB_NET any (msg:"Disallow Toad.exe"; flow:to_server,established; content:"Toad.exe"; nocase; sid:2015062901)
- 23. Concerns: Unicode UTF-8: No problem UTF-16: ANSI pattern unable to match. ######### Block Create Table ######### drop tcp $UAT_NET any -> $DB_NET any (msg:"Block SQL Command: Create Table"; flow: to_server, established; content:"CREATE|20|"; nocase; pcre:"/CREATE.+TABLE/i"; sid:2015052205) ######### Block Create Table, UTF-16, Little Endian ######## drop tcp $UAT_NET any -> $DB_NET any (msg:"Block SQL Command UTF-16LE: Create"; flow:to_server,established; content:"C|00|R|00|E|00|A|00|T|00|E|00 20|"; nocase; sid:2015052705)
- 24. Other Concerns No return result on IPS drop, causes disconnection on some software Dual-Port Ethernet adapter with bypass function may be required (with expensive cost) Implement ruleset rotation to cover scheduling feature.
- 25. Special Thanks Amornsak Ruangtang IT Security, Kiatnakin Bank PLC. CEH, SEC+, MCITP, CCNA