Narudom Roongsiriwong, CISSP, profile picture
Uploaded byNarudom Roongsiriwong, CISSP
PDF, PPTX4,033 views

Database Firewall with Snort

The document discusses database firewalls, specifically focusing on snort as an open-source solution for protecting databases from specific attacks. It outlines the functionality of database firewalls, including access control, auditing, and performance monitoring, while also detailing the capabilities and configurations of snort. Additionally, it provides examples of rulesets to block unauthorized SQL commands and addresses concerns regarding implementation and compatibility.

Technology
In this document
Powered by AI

Presentation by Narudom Roongsiriwong begins. Discusses the agenda covering Database Firewalls and Snort implementation.

Describes how databases are accessed through various protocols: direct access, business apps, web applications, and application interfaces.

Defines database firewalls as application level firewalls that protect databases from attacks, outlining functions like access control and auditing.

Introduces GreenSQL as an open-source solution for MySQL that allows rapid deployment and is user-friendly.

Defines Snort as an open-source IDS/IPS software with abilities for network detection and prevention with low implementation costs.

Details Snort's capabilities in firewall functions and the management add-ons like PulledPork and Snorby for analytics.

Describes the setup for Snort in a network environment, with a focus on the SmoothSec platform for easy IDS/IPS deployment.

Explains a specific security scenario for developers with rules blocking DDL, DCL, and DML statements to prevent unauthorized access.

Provides examples for blocking DDL, DML, and privilege user actions in Snort, showcasing how to configure rules for database security.Addresses concerns such as Unicode issues and connection drops due to IPS drops, suggesting hardware adaptations and rule management.

Special thanks to contributors including Amornsak Ruangtang from Kiatnakin Bank PLC.

Embed presentation

Download as PDF, PPTX
Database Firewall with Snort Narudom Roongsiriwong
WhoAmI Lazy Blogger • Japan, Security, FOSS, Politics, Christian • http://narudomr.blogspot.com Food Lover • Steak, Yakiniku, BBQ • Sushi (especially Otoro) • All Kinds of Noodle (Spaghetti, Ramen, Udon, Kanomjean) Head of IT Security, Kiatnakin Bank PLC (KKP)
Agenda What Are Database Firewalls? Are there Open Source DB Firewalls? What & Why Snort? Implementation Concerns Q&A
Web/Web Services Custom Applications Business Applications How Databases Accessed? Direct Access via Database Protocols • DBAs via query tools • Fat client applications Three-tier applications • Internal users via Business applications Web applications • Internal & External users via browser interfaces Application Interfaces • Applications via Web Services Interfaces Browser Browser DBA SQL Data Thin Client 3 Tier App Thick Client 2 Tier App Thin Client 3 Tier App Application Interface
What are Database Firewalls? Application Level Firewalls that monitor databases to identify and protect against database specific attacks that mostly seek to access sensitive information stored in the databases. Deployed either in-line with the database server (OR) near the network gateway
Database Firewall Functions Policy Functions Details Whitelist Access Control  IP address, DB user, schedule (time)  IP address group, DB user group  Security policy group Authority Control  Control by objects (Table, View)  SQL operation (DML,DDL ,DCL)  SQL sentence Profile  Automatic security policy by self learning SQL query  Positive security based automatic Authority policy by Authority Profile  Control SQL sentence form by Form Profile Backlist Pattern Rule  Block/detect the user defined query pattern Column Rule  Block/detect the specific column of object Audit Archive & Analysis  Logging all the SQL query.  Analyzing audit log & security log Management  Central management for a several  Analyzing the database traffic & network traffic  Monitoring system usage
Are there Open Source DB Firewalls? GreenSQL • Cross Platform • Rapid Deployment • Well established • Web application independent • The only free security solution for MySQL • User Friendly WEB GUI/Management tool
What is Snort? Open source, freely available software except for rules Support Windows, Linux and Solaris Sensors/actuators in a network Signature based IDS/IPS Rules defined to take certain action after matching (atomic or composite) • Example: • alert tcp $HOME_NET any -> $EXTERNAL_NET any (content:"uk.youtube.com”;msg:"someone visited YouTube";)‫‏‬
Snort: Capabilities Four modes of operation • Packet Sniffer mode • Packet Logger mode • Network Intrusion Detection Mode • Network Intrusion Prevention Inline (IPS) Mode • Configure Snort to receive packets from iptables rather than libpcap. • Separate capability that must be explicitly installed. • Adds 3 new rule types • Drop – iptables drops packet and snort logs • Reject – iptables rejects packet and snort logs • Sdrop – iptables will drop packet. No logging.
Why Snort? Open Source Low cost hardware implementation Ready to use Linux distribution out there • SmoothSec • Security Onion Partial DB Firewall function implementation
Database Firewall Functions by Snort Policy Functions Details Whitelist Access Control  IP address, DB user, schedule (time)  IP address group, DB user group  Security policy group Authority Control  Control by objects (Table, View)  SQL operation (DML,DDL ,DCL)  SQL sentence Profile  Automatic security policy by self learning SQL query  Positive security based automatic Authority policy by Authority Profile  Control SQL sentence form by Form Profile Backlist Pattern Rule  Block/detect the user defined query pattern Column Rule  Block/detect the specific column of object Audit Archive & Analysis  Logging all the SQL query.  Analyzing audit log & security log Management  Central management for a several  Analyzing the database traffic & network traffic  Monitoring system usage
Management Add-On for Snort PulledPork: Snort Ruleset Management Squert: Analyze Alert Sguil: Network Security Monitoring Snorby: Network Security Monitoring ELSA: Enterprise Log Search and Archive
Implementation eth0 Fixed IP for Management No IP, from User PCs eth1 No IP, to Database Servers eth2
SmoothSec Lightweight and fully-ready IDS/IPS Linux distribution Based on Debian 7 (wheezy) Available for 32 and 64 bit architecture. Includes the latest version of Snorby, Snort, Suricata, PulledPork and Pigsty. Easy setup process allows to deploy a complete IDS/IPS System within minutes Last Update: 2014-01-28, required new Linux kernel for new hardware (in this case LAN cards)
SmoothSec: Installation
Scenario: Read only for Developers Cause: Developers knows database privilege usernames and passwords on legacy systems Environment: UAT Settings: Blacklist DDL, DCL and all DML except‫“‏‬SELECT”
Explanation DML: Data Manipulation Language • SELECT, INSERT, UPDATE, DELETE, MERGE, UPSERT, CALL, LOCK DDL: Data Definition Language • CREATE, ALTER, DROP, TRANCATE, COMMENT, RENAME DCL: Data Control Language • GRANT, REVOKE
Example Ruleset: Block DDL ######### Block Create Table ######### drop tcp $UAT_NET any -> $DB_NET any (msg:"Block SQL Command: Create Table"; flow: to_server, established; content:"CREATE|20|"; nocase; pcre:"/CREATE.+TABLE/i"; sid:2015052205) ######### Block Create Database ######### drop tcp $UAT_NET any -> $DB_NET any (msg:"Block SQL Command: Create Database"; flow: to_server, established; content:"CREATE|20|"; nocase; pcre:"/CREATE.+DATABASE/i"; sid:2015052206) ######### Block Alter Table ######### drop tcp $UAT_NET any -> $DB_NET any (msg:"Block SQL Command: ALTER"; flow: to_server, established; content:"ALTER|20|"; nocase; pcre:"/ALTER.+TABLE/i"; sid:2015052204)
Example Ruleset: Block DCL ######### Block Grant ######### drop tcp $UAT_NET any -> $DB_NET any (msg:"Block SQL Command: Grant"; flow: to_server, established; content:"GRANT|20|"; nocase; pcre:"/GRANT.+ON/i"; sid:2015052211) ######### Block Revoke ######### drop tcp $UAT_NET any -> $DB_NET any (msg:"Block SQL Command: Revoke"; flow: to_server, established; content:"REVOKE|20|"; nocase; pcre:"/REVOKE.+ON/i"; sid:2015052212)
Example Ruleset: Block DML ######### Block Insert Table ######### drop tcp $UAT_NET any -> $DB_NET any (msg:"Block SQL Command Oracle: INSERT"; flow: to_server, established; content:"INSERT|20|"; nocase; pcre:"/INSERT.+INTO/i"; sid:2015052201) ######### Block Update Table ######### drop tcp $UAT_NET any -> $DB_NET any (msg:"Block SQL Command Oracle: UPDATE"; flow: to_server, established; content:"UPDATE|20|"; nocase; pcre:"/UPDATE.+SET/i"; sid:2015052202) ######### Block Delete Table ######### drop tcp $UAT_NET any -> $DB_NET any (msg:"Block SQL Command Oracle: DELETE"; flow: to_server, established; content:"DELETE|20|"; nocase; pcre:"/DELETE.+FROM/i"; sid:2015052203)
Example Ruleset: Block Privilege Users ######### Block Privilege Users ######### drop tcp $UAT_NET any -> $DB_NET any (msg:"Drop privilege user"; content:"USER=SYS"; nocase; sid:20150520)
Example Ruleset: Block Specific Software ########### Disallow Toad.exe ######### reject tcp $UAT_NET any -> $DB_NET any (msg:"Disallow Toad.exe"; flow:to_server,established; content:"Toad.exe"; nocase; sid:2015062901)
Concerns: Unicode UTF-8: No problem UTF-16: ANSI pattern unable to match. ######### Block Create Table ######### drop tcp $UAT_NET any -> $DB_NET any (msg:"Block SQL Command: Create Table"; flow: to_server, established; content:"CREATE|20|"; nocase; pcre:"/CREATE.+TABLE/i"; sid:2015052205) ######### Block Create Table, UTF-16, Little Endian ######## drop tcp $UAT_NET any -> $DB_NET any (msg:"Block SQL Command UTF-16LE: Create"; flow:to_server,established; content:"C|00|R|00|E|00|A|00|T|00|E|00 20|"; nocase; sid:2015052705)
Other Concerns No return result on IPS drop, causes disconnection on some software Dual-Port Ethernet adapter with bypass function may be required (with expensive cost) Implement ruleset rotation to cover scheduling feature.
Special Thanks Amornsak Ruangtang IT Security, Kiatnakin Bank PLC. CEH, SEC+, MCITP, CCNA
Database Firewall with Snort

More Related Content

PDF
The linux networking architecture
byhugo lu
 
PPT
Intrusion Detection System using Snort
bywebhostingguy
 
PPTX
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
byPeter Hlavaty
 
PPTX
[234] toast cloud open stack sdn 전략-박성우
byNAVER D2
 
PDF
LISA2019 Linux Systems Performance
byBrendan Gregg
 
PDF
Using eBPF for High-Performance Networking in Cilium
byScyllaDB
 
PPTX
Understanding DPDK
byDenys Haryachyy
 
PPTX
Understanding NMAP
byPhannarith Ou, G-CISO
 
The linux networking architecture
byhugo lu
 
Intrusion Detection System using Snort
bywebhostingguy
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
byPeter Hlavaty
 
[234] toast cloud open stack sdn 전략-박성우
byNAVER D2
 
LISA2019 Linux Systems Performance
byBrendan Gregg
 
Using eBPF for High-Performance Networking in Cilium
byScyllaDB
 
Understanding DPDK
byDenys Haryachyy
 
Understanding NMAP
byPhannarith Ou, G-CISO
 

What's hot

PDF
Cilium - Network security for microservices
byThomas Graf
 
PPTX
Best practices and lessons learnt from Running Apache NiFi at Renault
byDataWorks Summit
 
PDF
Linux Performance Analysis: New Tools and Old Secrets
byBrendan Gregg
 
PDF
Accelerating Envoy and Istio with Cilium and the Linux Kernel
byThomas Graf
 
PPTX
Linux Network Stack
byAdrien Mahieux
 
PDF
OpenStack networking (Neutron)
byCREATE-NET
 
PDF
OpenStack Architecture
byMirantis
 
PPTX
Understanding kube proxy in ipvs mode
byVictor Morales
 
PDF
Kubernetes Networking with Cilium - Deep Dive
byMichal Rostecki
 
PDF
Linux Networking Explained
byThomas Graf
 
PPTX
OpenStack Quantum Intro (OS Meetup 3-26-12)
byDan Wendlandt
 
PDF
Linux Linux Traffic Control
bySUSE Labs Taipei
 
PDF
RARP, BOOTP, DHCP and PXE Protocols
byPeter R. Egli
 
PDF
Linux OS presentation
bySahilGothoskar
 
PPT
The constrained application protocol (CoAP)
byHamdamboy (함담보이)
 
PPTX
Container orchestration overview
byWyn B. Van Devanter
 
PPTX
What is Network Address Translation (NAT)
byAmit Kumar , Jaipur Engineers
 
PPTX
Terraform
byPathum Fernando ☁
 
PDF
Kubernetes
byerialc_w
 
PPTX
NMAP - The Network Scanner
byn|u - The Open Security Community
 
Cilium - Network security for microservices
byThomas Graf
 
Best practices and lessons learnt from Running Apache NiFi at Renault
byDataWorks Summit
 
Linux Performance Analysis: New Tools and Old Secrets
byBrendan Gregg
 
Accelerating Envoy and Istio with Cilium and the Linux Kernel
byThomas Graf
 
Linux Network Stack
byAdrien Mahieux
 
OpenStack networking (Neutron)
byCREATE-NET
 
OpenStack Architecture
byMirantis
 
Understanding kube proxy in ipvs mode
byVictor Morales
 
Kubernetes Networking with Cilium - Deep Dive
byMichal Rostecki
 
Linux Networking Explained
byThomas Graf
 
OpenStack Quantum Intro (OS Meetup 3-26-12)
byDan Wendlandt
 
Linux Linux Traffic Control
bySUSE Labs Taipei
 
RARP, BOOTP, DHCP and PXE Protocols
byPeter R. Egli
 
Linux OS presentation
bySahilGothoskar
 
The constrained application protocol (CoAP)
byHamdamboy (함담보이)
 
Container orchestration overview
byWyn B. Van Devanter
 
What is Network Address Translation (NAT)
byAmit Kumar , Jaipur Engineers
 
Terraform
byPathum Fernando ☁
 
Kubernetes
byerialc_w
 
NMAP - The Network Scanner
byn|u - The Open Security Community
 

Viewers also liked

PPTX
Intrusion Detection System(IDS)
byshraddha_b
 
PPTX
Intrusion Prevention System
byVishwanath Badiger
 
PPTX
Wireshark
bySourav Roy
 
PPTX
Snort IDS/IPS Basics
byMahendra Pratap Singh
 
PPT
Wireshark Basics
byYoram Orzach
 
ODP
Snort
byMichael Boman
 
PPT
Network Intrusion Detection System Using Snort
byDisha Bedi
 
PPTX
Key management and distribution
byRiya Choudhary
 
PPTX
Intrusion detection
byUmesh Dhital
 
DOCX
Intrusion Detection System
byDevil's Cafe
 
PPTX
Intrusion detection system
byAparna Bhadran
 
PPTX
Industrial Training - Network Intrusion Detection System Using Snort
byDisha Bedi
 
PPTX
Key management
byBrandon Byungyong Jo
 
PPTX
Snort ppt
byaAlcantar93
 
PPTX
Futurex Secure Key Injection Solution
byGreg Stone
 
PPTX
Computer and Network Security
byprimeteacher32
 
PPTX
Hcl
byRiya Choudhary
 
PPT
Anton Chuvakin on Honeypots
byAnton Chuvakin
 
PDF
Essential Guide to Protect Your Data [Key Management Techniques]
bySISA Information Security Pvt.Ltd
 
PPTX
Improving intrusion detection system by honeypot
bymmubashirkhan
 
Intrusion Detection System(IDS)
byshraddha_b
 
Intrusion Prevention System
byVishwanath Badiger
 
Wireshark
bySourav Roy
 
Snort IDS/IPS Basics
byMahendra Pratap Singh
 
Wireshark Basics
byYoram Orzach
 
Snort
byMichael Boman
 
Network Intrusion Detection System Using Snort
byDisha Bedi
 
Key management and distribution
byRiya Choudhary
 
Intrusion detection
byUmesh Dhital
 
Intrusion Detection System
byDevil's Cafe
 
Intrusion detection system
byAparna Bhadran
 
Industrial Training - Network Intrusion Detection System Using Snort
byDisha Bedi
 
Key management
byBrandon Byungyong Jo
 
Snort ppt
byaAlcantar93
 
Futurex Secure Key Injection Solution
byGreg Stone
 
Computer and Network Security
byprimeteacher32
 
Hcl
byRiya Choudhary
 
Anton Chuvakin on Honeypots
byAnton Chuvakin
 
Essential Guide to Protect Your Data [Key Management Techniques]
bySISA Information Security Pvt.Ltd
 
Improving intrusion detection system by honeypot
bymmubashirkhan
 

Similar to Database Firewall with Snort

PPT
Snort
byStickman Hai
 
PPTX
All About Snort
by28pranjal
 
PPT
snort.ppt
bySenthil Vit
 
PDF
Presentation database security audit vault & database firewall
byxKinAnx
 
PPT
Snort
byRahul Jain
 
PPTX
Introduction to IDS & IPS - Part 1
bywhitehat 'People'
 
PDF
AV/DF Advanced Security Option
byDLT Solutions
 
PPTX
Snort
bynazzf
 
PPT
pokeeeeeeeeeeeeeeeeeeeeeeeeee eeeeeeeeeeeeeeeeeeeee
bytindepzai91
 
PPT
snorteeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee.ppt
byabanehkahalif123
 
PPT
SQL Server Security - Attack
bywebhostingguy
 
PPTX
NSM_Protecting your network in real time
bysamsanjai82
 
PPTX
IDS_WK_Arsalan.pptx
byaskaripayalo
 
PPT
Aci dp
byZchabar Jhie
 
PDF
Report on SNORT Intrusion Detection System.pdf
byb2zvmjrgk7
 
PPTX
Snort- Presentation.pptx
bySathishKumar960827
 
PDF
Pertemuan 9 intrusion detection system
bynewbie2019
 
PDF
1.SNORT.pdf
byAgusNursidik
 
PPTX
Varhol oracle database_firewall_oct2011
byPeter Varhol
 
PDF
An analysis of Network Intrusion Detection System using SNORT
byijsrd.com
 
Snort
byStickman Hai
 
All About Snort
by28pranjal
 
snort.ppt
bySenthil Vit
 
Presentation database security audit vault & database firewall
byxKinAnx
 
Snort
byRahul Jain
 
Introduction to IDS & IPS - Part 1
bywhitehat 'People'
 
AV/DF Advanced Security Option
byDLT Solutions
 
Snort
bynazzf
 
pokeeeeeeeeeeeeeeeeeeeeeeeeee eeeeeeeeeeeeeeeeeeeee
bytindepzai91
 
snorteeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee.ppt
byabanehkahalif123
 
SQL Server Security - Attack
bywebhostingguy
 
NSM_Protecting your network in real time
bysamsanjai82
 
IDS_WK_Arsalan.pptx
byaskaripayalo
 
Aci dp
byZchabar Jhie
 
Report on SNORT Intrusion Detection System.pdf
byb2zvmjrgk7
 
Snort- Presentation.pptx
bySathishKumar960827
 
Pertemuan 9 intrusion detection system
bynewbie2019
 
1.SNORT.pdf
byAgusNursidik
 
Varhol oracle database_firewall_oct2011
byPeter Varhol
 
An analysis of Network Intrusion Detection System using SNORT
byijsrd.com
 

More from Narudom Roongsiriwong, CISSP

PDF
IoT Security
byNarudom Roongsiriwong, CISSP
 
PDF
Secure Code Review 101
byNarudom Roongsiriwong, CISSP
 
PDF
DevSecOps 101
byNarudom Roongsiriwong, CISSP
 
PDF
Secure Your Encryption with HSM
byNarudom Roongsiriwong, CISSP
 
PDF
Secure PHP Coding
byNarudom Roongsiriwong, CISSP
 
PDF
Top 10 Bad Coding Practices Lead to Security Problems
byNarudom Roongsiriwong, CISSP
 
PDF
Embedded System Security: Learning from Banking and Payment Industry
byNarudom Roongsiriwong, CISSP
 
PDF
Blockchain and Cryptocurrency for Dummies
byNarudom Roongsiriwong, CISSP
 
PDF
Secure Design: Threat Modeling
byNarudom Roongsiriwong, CISSP
 
PDF
Secure Software Design for Data Privacy
byNarudom Roongsiriwong, CISSP
 
PDF
Application Security Verification Standard Project
byNarudom Roongsiriwong, CISSP
 
PDF
Security Patterns for Software Development
byNarudom Roongsiriwong, CISSP
 
PDF
OWASP Top 10 Proactive Control 2016 (C5-C10)
byNarudom Roongsiriwong, CISSP
 
PDF
Biometric Authentication.pdf
byNarudom Roongsiriwong, CISSP
 
PDF
Security Shift Leftmost - Secure Architecture.pdf
byNarudom Roongsiriwong, CISSP
 
PPTX
National Digital ID Platform Technical Forum
byNarudom Roongsiriwong, CISSP
 
PDF
Coding Security: Code Mania 101
byNarudom Roongsiriwong, CISSP
 
PDF
Securing the Internet from Cyber Criminals
byNarudom Roongsiriwong, CISSP
 
PDF
Secure Software Development Adoption Strategy
byNarudom Roongsiriwong, CISSP
 
PDF
How Good Security Architecture Saves Corporate Workers from COVID-19
byNarudom Roongsiriwong, CISSP
 
IoT Security
byNarudom Roongsiriwong, CISSP
 
Secure Code Review 101
byNarudom Roongsiriwong, CISSP
 
DevSecOps 101
byNarudom Roongsiriwong, CISSP
 
Secure Your Encryption with HSM
byNarudom Roongsiriwong, CISSP
 
Secure PHP Coding
byNarudom Roongsiriwong, CISSP
 
Top 10 Bad Coding Practices Lead to Security Problems
byNarudom Roongsiriwong, CISSP
 
Embedded System Security: Learning from Banking and Payment Industry
byNarudom Roongsiriwong, CISSP
 
Blockchain and Cryptocurrency for Dummies
byNarudom Roongsiriwong, CISSP
 
Secure Design: Threat Modeling
byNarudom Roongsiriwong, CISSP
 
Secure Software Design for Data Privacy
byNarudom Roongsiriwong, CISSP
 
Application Security Verification Standard Project
byNarudom Roongsiriwong, CISSP
 
Security Patterns for Software Development
byNarudom Roongsiriwong, CISSP
 
OWASP Top 10 Proactive Control 2016 (C5-C10)
byNarudom Roongsiriwong, CISSP
 
Biometric Authentication.pdf
byNarudom Roongsiriwong, CISSP
 
Security Shift Leftmost - Secure Architecture.pdf
byNarudom Roongsiriwong, CISSP
 
National Digital ID Platform Technical Forum
byNarudom Roongsiriwong, CISSP
 
Coding Security: Code Mania 101
byNarudom Roongsiriwong, CISSP
 
Securing the Internet from Cyber Criminals
byNarudom Roongsiriwong, CISSP
 
Secure Software Development Adoption Strategy
byNarudom Roongsiriwong, CISSP
 
How Good Security Architecture Saves Corporate Workers from COVID-19
byNarudom Roongsiriwong, CISSP
 

Recently uploaded

PDF
Guided Substation Engineering with CoMPAS: Simplifying IEC 61850
byDanBrown980551
 
PDF
December Patch Tuesday
byIvanti
 
PDF
Digit Expo 2025 - EICC Edinburgh 27th November
byRay Bugg
 
DOCX
Introduction to the World of Computers (Hardware & Software)
byALIABBAS ABASOV
 
PDF
Generative AI in UiPath: Mastering the Generative Extractor for Intelligent D...
byDianaGray10
 
PPTX
THIS IS CYBER SECURITY NOTES USED IN CLASS ON VARIOUS TOPICS USED IN CYBERSEC...
byMelissaGblinwon
 
PDF
Session 1 - Solving Semi-Structured Documents with Document Understanding
byDianaGray10
 
PDF
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
PDF
Agentic Automation for Testers – A Hands-On Deep Dive
byUiPathCommunity
 
PDF
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
PDF
TrustArc Webinar - Assessing AI Risk with Confidence
byTrustArc
 
PDF
Zero Trust & Defense-in-Depth: The Future of Critical Infrastructure Security
byYasir Naveed Riaz
 
PDF
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
PPTX
Combining Induction and Transduction for Abstract Reasoning.pptx
byallen578468
 
PDF
AI and Computer Architecture: 200 Years Together
byDmitry Zinoviev
 
PPTX
Ritesh_kumar_Aatmanirbhar Bharat: Make in India, Make for the World.pptx
byriteshrkgs2008
 
PPTX
Ethics in AI - Artificial Intelligence Fundamentals.pptx
byemenyiblessing
 
PDF
Incident Response Planning with a Foundation Model
byKim Hammar
 
PDF
The Ultimate Guide to Problem Management Dashboards for IT Teams.pdf
byomnex systems
 
PDF
Top Cybersecurity Threats 2025 Guide by Sureshdas
byPrintersassist
 
Guided Substation Engineering with CoMPAS: Simplifying IEC 61850
byDanBrown980551
 
December Patch Tuesday
byIvanti
 
Digit Expo 2025 - EICC Edinburgh 27th November
byRay Bugg
 
Introduction to the World of Computers (Hardware & Software)
byALIABBAS ABASOV
 
Generative AI in UiPath: Mastering the Generative Extractor for Intelligent D...
byDianaGray10
 
THIS IS CYBER SECURITY NOTES USED IN CLASS ON VARIOUS TOPICS USED IN CYBERSEC...
byMelissaGblinwon
 
Session 1 - Solving Semi-Structured Documents with Document Understanding
byDianaGray10
 
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
Agentic Automation for Testers – A Hands-On Deep Dive
byUiPathCommunity
 
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
TrustArc Webinar - Assessing AI Risk with Confidence
byTrustArc
 
Zero Trust & Defense-in-Depth: The Future of Critical Infrastructure Security
byYasir Naveed Riaz
 
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
Combining Induction and Transduction for Abstract Reasoning.pptx
byallen578468
 
AI and Computer Architecture: 200 Years Together
byDmitry Zinoviev
 
Ritesh_kumar_Aatmanirbhar Bharat: Make in India, Make for the World.pptx
byriteshrkgs2008
 
Ethics in AI - Artificial Intelligence Fundamentals.pptx
byemenyiblessing
 
Incident Response Planning with a Foundation Model
byKim Hammar
 
The Ultimate Guide to Problem Management Dashboards for IT Teams.pdf
byomnex systems
 
Top Cybersecurity Threats 2025 Guide by Sureshdas
byPrintersassist
 

Database Firewall with Snort

  • 1.
    Database Firewall withSnort Narudom Roongsiriwong
  • 2.
    WhoAmI Lazy Blogger • Japan,Security, FOSS, Politics, Christian • http://narudomr.blogspot.com Food Lover • Steak, Yakiniku, BBQ • Sushi (especially Otoro) • All Kinds of Noodle (Spaghetti, Ramen, Udon, Kanomjean) Head of IT Security, Kiatnakin Bank PLC (KKP)
  • 3.
    Agenda What Are DatabaseFirewalls? Are there Open Source DB Firewalls? What & Why Snort? Implementation Concerns Q&A
  • 4.
    Web/Web Services Custom Applications Business Applications How Databases Accessed? DirectAccess via Database Protocols • DBAs via query tools • Fat client applications Three-tier applications • Internal users via Business applications Web applications • Internal & External users via browser interfaces Application Interfaces • Applications via Web Services Interfaces Browser Browser DBA SQL Data Thin Client 3 Tier App Thick Client 2 Tier App Thin Client 3 Tier App Application Interface
  • 5.
    What are DatabaseFirewalls? Application Level Firewalls that monitor databases to identify and protect against database specific attacks that mostly seek to access sensitive information stored in the databases. Deployed either in-line with the database server (OR) near the network gateway
  • 6.
    Database Firewall Functions PolicyFunctions Details Whitelist Access Control  IP address, DB user, schedule (time)  IP address group, DB user group  Security policy group Authority Control  Control by objects (Table, View)  SQL operation (DML,DDL ,DCL)  SQL sentence Profile  Automatic security policy by self learning SQL query  Positive security based automatic Authority policy by Authority Profile  Control SQL sentence form by Form Profile Backlist Pattern Rule  Block/detect the user defined query pattern Column Rule  Block/detect the specific column of object Audit Archive & Analysis  Logging all the SQL query.  Analyzing audit log & security log Management  Central management for a several  Analyzing the database traffic & network traffic  Monitoring system usage
  • 7.
    Are there OpenSource DB Firewalls? GreenSQL • Cross Platform • Rapid Deployment • Well established • Web application independent • The only free security solution for MySQL • User Friendly WEB GUI/Management tool
  • 8.
    What is Snort? Opensource, freely available software except for rules Support Windows, Linux and Solaris Sensors/actuators in a network Signature based IDS/IPS Rules defined to take certain action after matching (atomic or composite) • Example: • alert tcp $HOME_NET any -> $EXTERNAL_NET any (content:"uk.youtube.com”;msg:"someone visited YouTube";)‫‏‬
  • 9.
    Snort: Capabilities Four modesof operation • Packet Sniffer mode • Packet Logger mode • Network Intrusion Detection Mode • Network Intrusion Prevention Inline (IPS) Mode • Configure Snort to receive packets from iptables rather than libpcap. • Separate capability that must be explicitly installed. • Adds 3 new rule types • Drop – iptables drops packet and snort logs • Reject – iptables rejects packet and snort logs • Sdrop – iptables will drop packet. No logging.
  • 10.
    Why Snort? Open Source Lowcost hardware implementation Ready to use Linux distribution out there • SmoothSec • Security Onion Partial DB Firewall function implementation
  • 11.
    Database Firewall Functionsby Snort Policy Functions Details Whitelist Access Control  IP address, DB user, schedule (time)  IP address group, DB user group  Security policy group Authority Control  Control by objects (Table, View)  SQL operation (DML,DDL ,DCL)  SQL sentence Profile  Automatic security policy by self learning SQL query  Positive security based automatic Authority policy by Authority Profile  Control SQL sentence form by Form Profile Backlist Pattern Rule  Block/detect the user defined query pattern Column Rule  Block/detect the specific column of object Audit Archive & Analysis  Logging all the SQL query.  Analyzing audit log & security log Management  Central management for a several  Analyzing the database traffic & network traffic  Monitoring system usage
  • 12.
    Management Add-On forSnort PulledPork: Snort Ruleset Management Squert: Analyze Alert Sguil: Network Security Monitoring Snorby: Network Security Monitoring ELSA: Enterprise Log Search and Archive
  • 13.
    Implementation eth0 Fixed IP forManagement No IP, from User PCs eth1 No IP, to Database Servers eth2
  • 14.
    SmoothSec Lightweight and fully-readyIDS/IPS Linux distribution Based on Debian 7 (wheezy) Available for 32 and 64 bit architecture. Includes the latest version of Snorby, Snort, Suricata, PulledPork and Pigsty. Easy setup process allows to deploy a complete IDS/IPS System within minutes Last Update: 2014-01-28, required new Linux kernel for new hardware (in this case LAN cards)
  • 15.
  • 16.
    Scenario: Read onlyfor Developers Cause: Developers knows database privilege usernames and passwords on legacy systems Environment: UAT Settings: Blacklist DDL, DCL and all DML except‫“‏‬SELECT”
  • 17.
    Explanation DML: Data ManipulationLanguage • SELECT, INSERT, UPDATE, DELETE, MERGE, UPSERT, CALL, LOCK DDL: Data Definition Language • CREATE, ALTER, DROP, TRANCATE, COMMENT, RENAME DCL: Data Control Language • GRANT, REVOKE
  • 18.
    Example Ruleset: BlockDDL ######### Block Create Table ######### drop tcp $UAT_NET any -> $DB_NET any (msg:"Block SQL Command: Create Table"; flow: to_server, established; content:"CREATE|20|"; nocase; pcre:"/CREATE.+TABLE/i"; sid:2015052205) ######### Block Create Database ######### drop tcp $UAT_NET any -> $DB_NET any (msg:"Block SQL Command: Create Database"; flow: to_server, established; content:"CREATE|20|"; nocase; pcre:"/CREATE.+DATABASE/i"; sid:2015052206) ######### Block Alter Table ######### drop tcp $UAT_NET any -> $DB_NET any (msg:"Block SQL Command: ALTER"; flow: to_server, established; content:"ALTER|20|"; nocase; pcre:"/ALTER.+TABLE/i"; sid:2015052204)
  • 19.
    Example Ruleset: BlockDCL ######### Block Grant ######### drop tcp $UAT_NET any -> $DB_NET any (msg:"Block SQL Command: Grant"; flow: to_server, established; content:"GRANT|20|"; nocase; pcre:"/GRANT.+ON/i"; sid:2015052211) ######### Block Revoke ######### drop tcp $UAT_NET any -> $DB_NET any (msg:"Block SQL Command: Revoke"; flow: to_server, established; content:"REVOKE|20|"; nocase; pcre:"/REVOKE.+ON/i"; sid:2015052212)
  • 20.
    Example Ruleset: BlockDML ######### Block Insert Table ######### drop tcp $UAT_NET any -> $DB_NET any (msg:"Block SQL Command Oracle: INSERT"; flow: to_server, established; content:"INSERT|20|"; nocase; pcre:"/INSERT.+INTO/i"; sid:2015052201) ######### Block Update Table ######### drop tcp $UAT_NET any -> $DB_NET any (msg:"Block SQL Command Oracle: UPDATE"; flow: to_server, established; content:"UPDATE|20|"; nocase; pcre:"/UPDATE.+SET/i"; sid:2015052202) ######### Block Delete Table ######### drop tcp $UAT_NET any -> $DB_NET any (msg:"Block SQL Command Oracle: DELETE"; flow: to_server, established; content:"DELETE|20|"; nocase; pcre:"/DELETE.+FROM/i"; sid:2015052203)
  • 21.
    Example Ruleset: BlockPrivilege Users ######### Block Privilege Users ######### drop tcp $UAT_NET any -> $DB_NET any (msg:"Drop privilege user"; content:"USER=SYS"; nocase; sid:20150520)
  • 22.
    Example Ruleset: BlockSpecific Software ########### Disallow Toad.exe ######### reject tcp $UAT_NET any -> $DB_NET any (msg:"Disallow Toad.exe"; flow:to_server,established; content:"Toad.exe"; nocase; sid:2015062901)
  • 23.
    Concerns: Unicode UTF-8: Noproblem UTF-16: ANSI pattern unable to match. ######### Block Create Table ######### drop tcp $UAT_NET any -> $DB_NET any (msg:"Block SQL Command: Create Table"; flow: to_server, established; content:"CREATE|20|"; nocase; pcre:"/CREATE.+TABLE/i"; sid:2015052205) ######### Block Create Table, UTF-16, Little Endian ######## drop tcp $UAT_NET any -> $DB_NET any (msg:"Block SQL Command UTF-16LE: Create"; flow:to_server,established; content:"C|00|R|00|E|00|A|00|T|00|E|00 20|"; nocase; sid:2015052705)
  • 24.
    Other Concerns No returnresult on IPS drop, causes disconnection on some software Dual-Port Ethernet adapter with bypass function may be required (with expensive cost) Implement ruleset rotation to cover scheduling feature.
  • 25.
    Special Thanks Amornsak Ruangtang ITSecurity, Kiatnakin Bank PLC. CEH, SEC+, MCITP, CCNA