Narudom Roongsiriwong, CISSP, profile picture
Uploaded byNarudom Roongsiriwong, CISSP
PDF, PPTX4,036 views

Database Firewall with Snort

The document discusses database firewalls, specifically focusing on snort as an open-source solution for protecting databases from specific attacks. It outlines the functionality of database firewalls, including access control, auditing, and performance monitoring, while also detailing the capabilities and configurations of snort. Additionally, it provides examples of rulesets to block unauthorized SQL commands and addresses concerns regarding implementation and compatibility.

Embed presentation

Download as PDF, PPTX
Database Firewall with Snort Narudom Roongsiriwong
WhoAmI Lazy Blogger • Japan, Security, FOSS, Politics, Christian • http://narudomr.blogspot.com Food Lover • Steak, Yakiniku, BBQ • Sushi (especially Otoro) • All Kinds of Noodle (Spaghetti, Ramen, Udon, Kanomjean) Head of IT Security, Kiatnakin Bank PLC (KKP)
Agenda What Are Database Firewalls? Are there Open Source DB Firewalls? What & Why Snort? Implementation Concerns Q&A
Web/Web Services Custom Applications Business Applications How Databases Accessed? Direct Access via Database Protocols • DBAs via query tools • Fat client applications Three-tier applications • Internal users via Business applications Web applications • Internal & External users via browser interfaces Application Interfaces • Applications via Web Services Interfaces Browser Browser DBA SQL Data Thin Client 3 Tier App Thick Client 2 Tier App Thin Client 3 Tier App Application Interface
What are Database Firewalls? Application Level Firewalls that monitor databases to identify and protect against database specific attacks that mostly seek to access sensitive information stored in the databases. Deployed either in-line with the database server (OR) near the network gateway
Database Firewall Functions Policy Functions Details Whitelist Access Control  IP address, DB user, schedule (time)  IP address group, DB user group  Security policy group Authority Control  Control by objects (Table, View)  SQL operation (DML,DDL ,DCL)  SQL sentence Profile  Automatic security policy by self learning SQL query  Positive security based automatic Authority policy by Authority Profile  Control SQL sentence form by Form Profile Backlist Pattern Rule  Block/detect the user defined query pattern Column Rule  Block/detect the specific column of object Audit Archive & Analysis  Logging all the SQL query.  Analyzing audit log & security log Management  Central management for a several  Analyzing the database traffic & network traffic  Monitoring system usage
Are there Open Source DB Firewalls? GreenSQL • Cross Platform • Rapid Deployment • Well established • Web application independent • The only free security solution for MySQL • User Friendly WEB GUI/Management tool
What is Snort? Open source, freely available software except for rules Support Windows, Linux and Solaris Sensors/actuators in a network Signature based IDS/IPS Rules defined to take certain action after matching (atomic or composite) • Example: • alert tcp $HOME_NET any -> $EXTERNAL_NET any (content:"uk.youtube.com”;msg:"someone visited YouTube";)‫‏‬
Snort: Capabilities Four modes of operation • Packet Sniffer mode • Packet Logger mode • Network Intrusion Detection Mode • Network Intrusion Prevention Inline (IPS) Mode • Configure Snort to receive packets from iptables rather than libpcap. • Separate capability that must be explicitly installed. • Adds 3 new rule types • Drop – iptables drops packet and snort logs • Reject – iptables rejects packet and snort logs • Sdrop – iptables will drop packet. No logging.
Why Snort? Open Source Low cost hardware implementation Ready to use Linux distribution out there • SmoothSec • Security Onion Partial DB Firewall function implementation
Database Firewall Functions by Snort Policy Functions Details Whitelist Access Control  IP address, DB user, schedule (time)  IP address group, DB user group  Security policy group Authority Control  Control by objects (Table, View)  SQL operation (DML,DDL ,DCL)  SQL sentence Profile  Automatic security policy by self learning SQL query  Positive security based automatic Authority policy by Authority Profile  Control SQL sentence form by Form Profile Backlist Pattern Rule  Block/detect the user defined query pattern Column Rule  Block/detect the specific column of object Audit Archive & Analysis  Logging all the SQL query.  Analyzing audit log & security log Management  Central management for a several  Analyzing the database traffic & network traffic  Monitoring system usage
Management Add-On for Snort PulledPork: Snort Ruleset Management Squert: Analyze Alert Sguil: Network Security Monitoring Snorby: Network Security Monitoring ELSA: Enterprise Log Search and Archive
Implementation eth0 Fixed IP for Management No IP, from User PCs eth1 No IP, to Database Servers eth2
SmoothSec Lightweight and fully-ready IDS/IPS Linux distribution Based on Debian 7 (wheezy) Available for 32 and 64 bit architecture. Includes the latest version of Snorby, Snort, Suricata, PulledPork and Pigsty. Easy setup process allows to deploy a complete IDS/IPS System within minutes Last Update: 2014-01-28, required new Linux kernel for new hardware (in this case LAN cards)
SmoothSec: Installation
Scenario: Read only for Developers Cause: Developers knows database privilege usernames and passwords on legacy systems Environment: UAT Settings: Blacklist DDL, DCL and all DML except‫“‏‬SELECT”
Explanation DML: Data Manipulation Language • SELECT, INSERT, UPDATE, DELETE, MERGE, UPSERT, CALL, LOCK DDL: Data Definition Language • CREATE, ALTER, DROP, TRANCATE, COMMENT, RENAME DCL: Data Control Language • GRANT, REVOKE
Example Ruleset: Block DDL ######### Block Create Table ######### drop tcp $UAT_NET any -> $DB_NET any (msg:"Block SQL Command: Create Table"; flow: to_server, established; content:"CREATE|20|"; nocase; pcre:"/CREATE.+TABLE/i"; sid:2015052205) ######### Block Create Database ######### drop tcp $UAT_NET any -> $DB_NET any (msg:"Block SQL Command: Create Database"; flow: to_server, established; content:"CREATE|20|"; nocase; pcre:"/CREATE.+DATABASE/i"; sid:2015052206) ######### Block Alter Table ######### drop tcp $UAT_NET any -> $DB_NET any (msg:"Block SQL Command: ALTER"; flow: to_server, established; content:"ALTER|20|"; nocase; pcre:"/ALTER.+TABLE/i"; sid:2015052204)
Example Ruleset: Block DCL ######### Block Grant ######### drop tcp $UAT_NET any -> $DB_NET any (msg:"Block SQL Command: Grant"; flow: to_server, established; content:"GRANT|20|"; nocase; pcre:"/GRANT.+ON/i"; sid:2015052211) ######### Block Revoke ######### drop tcp $UAT_NET any -> $DB_NET any (msg:"Block SQL Command: Revoke"; flow: to_server, established; content:"REVOKE|20|"; nocase; pcre:"/REVOKE.+ON/i"; sid:2015052212)
Example Ruleset: Block DML ######### Block Insert Table ######### drop tcp $UAT_NET any -> $DB_NET any (msg:"Block SQL Command Oracle: INSERT"; flow: to_server, established; content:"INSERT|20|"; nocase; pcre:"/INSERT.+INTO/i"; sid:2015052201) ######### Block Update Table ######### drop tcp $UAT_NET any -> $DB_NET any (msg:"Block SQL Command Oracle: UPDATE"; flow: to_server, established; content:"UPDATE|20|"; nocase; pcre:"/UPDATE.+SET/i"; sid:2015052202) ######### Block Delete Table ######### drop tcp $UAT_NET any -> $DB_NET any (msg:"Block SQL Command Oracle: DELETE"; flow: to_server, established; content:"DELETE|20|"; nocase; pcre:"/DELETE.+FROM/i"; sid:2015052203)
Example Ruleset: Block Privilege Users ######### Block Privilege Users ######### drop tcp $UAT_NET any -> $DB_NET any (msg:"Drop privilege user"; content:"USER=SYS"; nocase; sid:20150520)
Example Ruleset: Block Specific Software ########### Disallow Toad.exe ######### reject tcp $UAT_NET any -> $DB_NET any (msg:"Disallow Toad.exe"; flow:to_server,established; content:"Toad.exe"; nocase; sid:2015062901)
Concerns: Unicode UTF-8: No problem UTF-16: ANSI pattern unable to match. ######### Block Create Table ######### drop tcp $UAT_NET any -> $DB_NET any (msg:"Block SQL Command: Create Table"; flow: to_server, established; content:"CREATE|20|"; nocase; pcre:"/CREATE.+TABLE/i"; sid:2015052205) ######### Block Create Table, UTF-16, Little Endian ######## drop tcp $UAT_NET any -> $DB_NET any (msg:"Block SQL Command UTF-16LE: Create"; flow:to_server,established; content:"C|00|R|00|E|00|A|00|T|00|E|00 20|"; nocase; sid:2015052705)
Other Concerns No return result on IPS drop, causes disconnection on some software Dual-Port Ethernet adapter with bypass function may be required (with expensive cost) Implement ruleset rotation to cover scheduling feature.
Special Thanks Amornsak Ruangtang IT Security, Kiatnakin Bank PLC. CEH, SEC+, MCITP, CCNA
Database Firewall with Snort

More Related Content

PPTX
Security Onion
byjohndegruyter
 
PPTX
NMAP - The Network Scanner
byn|u - The Open Security Community
 
PPTX
Recon with Nmap
byOWASP Delhi
 
PPTX
All About Snort
by28pranjal
 
PDF
Snort IPS
bySimone Tino
 
PPTX
NMAP
byPrateekAryan1
 
PPTX
Network scanning
byMD SAQUIB KHAN
 
PDF
Hacking With Nmap - Scanning Techniques
byamiable_indian
 
Security Onion
byjohndegruyter
 
NMAP - The Network Scanner
byn|u - The Open Security Community
 
Recon with Nmap
byOWASP Delhi
 
All About Snort
by28pranjal
 
Snort IPS
bySimone Tino
 
NMAP
byPrateekAryan1
 
Network scanning
byMD SAQUIB KHAN
 
Hacking With Nmap - Scanning Techniques
byamiable_indian
 

What's hot

PDF
Network Mapper (NMAP)
byKHNOG
 
PPTX
Injection sql
byBillel Bentami
 
PPTX
Understanding NMAP
byPhannarith Ou, G-CISO
 
PPTX
NMap
byPritesh Raka
 
PDF
CentOS Linux Server Hardening
byMyOwn Telco
 
PPTX
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced Actors
byJared Greenhill
 
PPTX
Nmap basics
byn|u - The Open Security Community
 
PDF
Aws Network Introduction
byRafael Salerno de Oliveira
 
PDF
Nmap basics
byitmind4u
 
PDF
Nmap tutorial
byVarun Kakumani
 
PPTX
Linux Kernel Tour
bysamrat das
 
PPTX
The Basic Introduction of Open vSwitch
byTe-Yen Liu
 
PDF
Attacker's Perspective of Active Directory
bySunny Neo
 
PDF
Nmap Basics
byamiable_indian
 
PPTX
Best Practices for Configuring Your OSSIM Installation
byAlienVault
 
PPT
Linux Booting Process
byRishabh5121993
 
PPT
Introduction to redis
byTanu Siwag
 
ODP
Sockets and Socket-Buffer
bySourav Punoriyar
 
PPT
RAID and LVM
byMohitgupta8560
 
PDF
App armor structure
byLongbeo Longnhat
 
Network Mapper (NMAP)
byKHNOG
 
Injection sql
byBillel Bentami
 
Understanding NMAP
byPhannarith Ou, G-CISO
 
NMap
byPritesh Raka
 
CentOS Linux Server Hardening
byMyOwn Telco
 
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced Actors
byJared Greenhill
 
Nmap basics
byn|u - The Open Security Community
 
Aws Network Introduction
byRafael Salerno de Oliveira
 
Nmap basics
byitmind4u
 
Nmap tutorial
byVarun Kakumani
 
Linux Kernel Tour
bysamrat das
 
The Basic Introduction of Open vSwitch
byTe-Yen Liu
 
Attacker's Perspective of Active Directory
bySunny Neo
 
Nmap Basics
byamiable_indian
 
Best Practices for Configuring Your OSSIM Installation
byAlienVault
 
Linux Booting Process
byRishabh5121993
 
Introduction to redis
byTanu Siwag
 
Sockets and Socket-Buffer
bySourav Punoriyar
 
RAID and LVM
byMohitgupta8560
 
App armor structure
byLongbeo Longnhat
 

Viewers also liked

PPT
Wireshark Basics
byYoram Orzach
 
PPTX
Improving intrusion detection system by honeypot
bymmubashirkhan
 
PPTX
Snort ppt
byaAlcantar93
 
PPTX
Intrusion Prevention System
byVishwanath Badiger
 
PPTX
Computer and Network Security
byprimeteacher32
 
ODP
Snort
byMichael Boman
 
PPTX
Industrial Training - Network Intrusion Detection System Using Snort
byDisha Bedi
 
PPTX
Key management
byBrandon Byungyong Jo
 
PPTX
Snort IDS/IPS Basics
byMahendra Pratap Singh
 
PPTX
Key management and distribution
byRiya Choudhary
 
PPTX
Hcl
byRiya Choudhary
 
PPT
Anton Chuvakin on Honeypots
byAnton Chuvakin
 
PDF
Essential Guide to Protect Your Data [Key Management Techniques]
bySISA Information Security Pvt.Ltd
 
DOCX
Intrusion Detection System
byDevil's Cafe
 
PPTX
Futurex Secure Key Injection Solution
byGreg Stone
 
PPTX
Wireshark
bySourav Roy
 
PPT
Network Intrusion Detection System Using Snort
byDisha Bedi
 
PPTX
Intrusion detection system
byAparna Bhadran
 
PPTX
Intrusion detection
byUmesh Dhital
 
PPTX
Intrusion Detection System(IDS)
byshraddha_b
 
Wireshark Basics
byYoram Orzach
 
Improving intrusion detection system by honeypot
bymmubashirkhan
 
Snort ppt
byaAlcantar93
 
Intrusion Prevention System
byVishwanath Badiger
 
Computer and Network Security
byprimeteacher32
 
Snort
byMichael Boman
 
Industrial Training - Network Intrusion Detection System Using Snort
byDisha Bedi
 
Key management
byBrandon Byungyong Jo
 
Snort IDS/IPS Basics
byMahendra Pratap Singh
 
Key management and distribution
byRiya Choudhary
 
Hcl
byRiya Choudhary
 
Anton Chuvakin on Honeypots
byAnton Chuvakin
 
Essential Guide to Protect Your Data [Key Management Techniques]
bySISA Information Security Pvt.Ltd
 
Intrusion Detection System
byDevil's Cafe
 
Futurex Secure Key Injection Solution
byGreg Stone
 
Wireshark
bySourav Roy
 
Network Intrusion Detection System Using Snort
byDisha Bedi
 
Intrusion detection system
byAparna Bhadran
 
Intrusion detection
byUmesh Dhital
 
Intrusion Detection System(IDS)
byshraddha_b
 

Similar to Database Firewall with Snort

PPT
snorteeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee.ppt
byabanehkahalif123
 
PPT
pokeeeeeeeeeeeeeeeeeeeeeeeeee eeeeeeeeeeeeeeeeeeeee
bytindepzai91
 
PDF
Presentation database security audit vault & database firewall
byxKinAnx
 
PPT
snort.ppt
bySenthil Vit
 
PPTX
Snort
bynazzf
 
PPTX
Introduction to IDS & IPS - Part 1
bywhitehat 'People'
 
PPT
Snort
byStickman Hai
 
PDF
Report on SNORT Intrusion Detection System.pdf
byb2zvmjrgk7
 
PPT
Snort
byRahul Jain
 
PPT
Aci dp
byZchabar Jhie
 
PDF
AV/DF Advanced Security Option
byDLT Solutions
 
PPTX
Varhol oracle database_firewall_oct2011
byPeter Varhol
 
PDF
Pertemuan 9 intrusion detection system
bynewbie2019
 
PPTX
IDS_WK_Arsalan.pptx
byaskaripayalo
 
PPTX
NSM_Protecting your network in real time
bysamsanjai82
 
PPTX
Snort- Presentation.pptx
bySathishKumar960827
 
PDF
1.SNORT.pdf
byAgusNursidik
 
PPT
SQL Server Security - Attack
bywebhostingguy
 
PDF
An analysis of Network Intrusion Detection System using SNORT
byijsrd.com
 
PDF
IDS & Passive Network Defense
bySalvatore Lentini
 
snorteeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee.ppt
byabanehkahalif123
 
pokeeeeeeeeeeeeeeeeeeeeeeeeee eeeeeeeeeeeeeeeeeeeee
bytindepzai91
 
Presentation database security audit vault & database firewall
byxKinAnx
 
snort.ppt
bySenthil Vit
 
Snort
bynazzf
 
Introduction to IDS & IPS - Part 1
bywhitehat 'People'
 
Snort
byStickman Hai
 
Report on SNORT Intrusion Detection System.pdf
byb2zvmjrgk7
 
Snort
byRahul Jain
 
Aci dp
byZchabar Jhie
 
AV/DF Advanced Security Option
byDLT Solutions
 
Varhol oracle database_firewall_oct2011
byPeter Varhol
 
Pertemuan 9 intrusion detection system
bynewbie2019
 
IDS_WK_Arsalan.pptx
byaskaripayalo
 
NSM_Protecting your network in real time
bysamsanjai82
 
Snort- Presentation.pptx
bySathishKumar960827
 
1.SNORT.pdf
byAgusNursidik
 
SQL Server Security - Attack
bywebhostingguy
 
An analysis of Network Intrusion Detection System using SNORT
byijsrd.com
 
IDS & Passive Network Defense
bySalvatore Lentini
 

More from Narudom Roongsiriwong, CISSP

PDF
Biometric Authentication.pdf
byNarudom Roongsiriwong, CISSP
 
PDF
Security Shift Leftmost - Secure Architecture.pdf
byNarudom Roongsiriwong, CISSP
 
PDF
Secure Design: Threat Modeling
byNarudom Roongsiriwong, CISSP
 
PDF
Security Patterns for Software Development
byNarudom Roongsiriwong, CISSP
 
PDF
How Good Security Architecture Saves Corporate Workers from COVID-19
byNarudom Roongsiriwong, CISSP
 
PDF
Secure Software Design for Data Privacy
byNarudom Roongsiriwong, CISSP
 
PDF
Blockchain and Cryptocurrency for Dummies
byNarudom Roongsiriwong, CISSP
 
PDF
DevSecOps 101
byNarudom Roongsiriwong, CISSP
 
PPTX
National Digital ID Platform Technical Forum
byNarudom Roongsiriwong, CISSP
 
PDF
IoT Security
byNarudom Roongsiriwong, CISSP
 
PDF
Embedded System Security: Learning from Banking and Payment Industry
byNarudom Roongsiriwong, CISSP
 
PDF
Secure Your Encryption with HSM
byNarudom Roongsiriwong, CISSP
 
PDF
Application Security Verification Standard Project
byNarudom Roongsiriwong, CISSP
 
PDF
Coding Security: Code Mania 101
byNarudom Roongsiriwong, CISSP
 
PDF
Top 10 Bad Coding Practices Lead to Security Problems
byNarudom Roongsiriwong, CISSP
 
PDF
OWASP Top 10 Proactive Control 2016 (C5-C10)
byNarudom Roongsiriwong, CISSP
 
PDF
Securing the Internet from Cyber Criminals
byNarudom Roongsiriwong, CISSP
 
PDF
Secure Code Review 101
byNarudom Roongsiriwong, CISSP
 
PDF
Secure Software Development Adoption Strategy
byNarudom Roongsiriwong, CISSP
 
PDF
Secure PHP Coding
byNarudom Roongsiriwong, CISSP
 
Biometric Authentication.pdf
byNarudom Roongsiriwong, CISSP
 
Security Shift Leftmost - Secure Architecture.pdf
byNarudom Roongsiriwong, CISSP
 
Secure Design: Threat Modeling
byNarudom Roongsiriwong, CISSP
 
Security Patterns for Software Development
byNarudom Roongsiriwong, CISSP
 
How Good Security Architecture Saves Corporate Workers from COVID-19
byNarudom Roongsiriwong, CISSP
 
Secure Software Design for Data Privacy
byNarudom Roongsiriwong, CISSP
 
Blockchain and Cryptocurrency for Dummies
byNarudom Roongsiriwong, CISSP
 
DevSecOps 101
byNarudom Roongsiriwong, CISSP
 
National Digital ID Platform Technical Forum
byNarudom Roongsiriwong, CISSP
 
IoT Security
byNarudom Roongsiriwong, CISSP
 
Embedded System Security: Learning from Banking and Payment Industry
byNarudom Roongsiriwong, CISSP
 
Secure Your Encryption with HSM
byNarudom Roongsiriwong, CISSP
 
Application Security Verification Standard Project
byNarudom Roongsiriwong, CISSP
 
Coding Security: Code Mania 101
byNarudom Roongsiriwong, CISSP
 
Top 10 Bad Coding Practices Lead to Security Problems
byNarudom Roongsiriwong, CISSP
 
OWASP Top 10 Proactive Control 2016 (C5-C10)
byNarudom Roongsiriwong, CISSP
 
Securing the Internet from Cyber Criminals
byNarudom Roongsiriwong, CISSP
 
Secure Code Review 101
byNarudom Roongsiriwong, CISSP
 
Secure Software Development Adoption Strategy
byNarudom Roongsiriwong, CISSP
 
Secure PHP Coding
byNarudom Roongsiriwong, CISSP
 

Recently uploaded

PDF
React Mastery: Visual Mental Models to Understand React Deeply
byThomas Gaye
 
PDF
Post-Hackathon-Learnings-Maximizing-Impact-Beyond-the-Event.pdf
byishantyadav1111
 
PPTX
Jisc Equipment Data Service Update Workshop 3 December 2025
byJisc
 
PDF
What Is the Azure AI Foundry and Why Does It Matter for Enterprises?
byjohncarterjn
 
PDF
AI and Zero Trust: What it takes to do it right
byMark Simos
 
PDF
Supercharge Your Copilot-Driven Collaboration with Microsoft 365 Agents SDK
byAntti Koskela
 
PPTX
Introduction to Artificial Intelligence (AI).pptx
byammar414783
 
PDF
Agentic-Document-Extraction-2026-Presentation.pdf
byTamanna
 
PDF
Computer-Based Training (CBT) The Backbone of Modern Technical & Defence Trai...
bycomputerbasedtrainin1
 
PPTX
TechSprint WinterHack — Top 10 Teams Pitching Session we are excited for pit...
bybajpaitusharoffon678
 
PDF
When Drones Decide for Themselves_ Inside the Rise of Machine-Led Flight.pdf
byLyra Anderson
 
PDF
OpenCharacter AI Reviews: Features, Plans, and Best Alternative
byOpenCharacter AI
 
PDF
Bettersize | BeSEC Series Product Brochure
byBettersize Instruments
 
PDF
Pneumatic Pressure Pump PPP01 for Calibration & Testing
bySERRAX TECHNOLOGIES LLP
 
PPTX
Introduction to Industrial-Arts Grade 8 ppt Lesson 1
byFSBTLEDNathanVince
 
PDF
2026_01_28 - OpenMetadata Community Meeting.pdf
byOpenMetadata
 
PDF
January 2026 OpenMetadata Community Spotlight - OpenMetadata @ Wix.pdf
byOpenMetadata
 
PDF
Dev Dives: Build and deploy agentic automations - the unified way
byUiPathCommunity
 
PPTX
Cyber security chapter 1 for learning and educating to the students who want ...
byGulMohammadi
 
PDF
Real-Time AI Masterclass: Vector Search at Scale
byScyllaDB
 
React Mastery: Visual Mental Models to Understand React Deeply
byThomas Gaye
 
Post-Hackathon-Learnings-Maximizing-Impact-Beyond-the-Event.pdf
byishantyadav1111
 
Jisc Equipment Data Service Update Workshop 3 December 2025
byJisc
 
What Is the Azure AI Foundry and Why Does It Matter for Enterprises?
byjohncarterjn
 
AI and Zero Trust: What it takes to do it right
byMark Simos
 
Supercharge Your Copilot-Driven Collaboration with Microsoft 365 Agents SDK
byAntti Koskela
 
Introduction to Artificial Intelligence (AI).pptx
byammar414783
 
Agentic-Document-Extraction-2026-Presentation.pdf
byTamanna
 
Computer-Based Training (CBT) The Backbone of Modern Technical & Defence Trai...
bycomputerbasedtrainin1
 
TechSprint WinterHack — Top 10 Teams Pitching Session we are excited for pit...
bybajpaitusharoffon678
 
When Drones Decide for Themselves_ Inside the Rise of Machine-Led Flight.pdf
byLyra Anderson
 
OpenCharacter AI Reviews: Features, Plans, and Best Alternative
byOpenCharacter AI
 
Bettersize | BeSEC Series Product Brochure
byBettersize Instruments
 
Pneumatic Pressure Pump PPP01 for Calibration & Testing
bySERRAX TECHNOLOGIES LLP
 
Introduction to Industrial-Arts Grade 8 ppt Lesson 1
byFSBTLEDNathanVince
 
2026_01_28 - OpenMetadata Community Meeting.pdf
byOpenMetadata
 
January 2026 OpenMetadata Community Spotlight - OpenMetadata @ Wix.pdf
byOpenMetadata
 
Dev Dives: Build and deploy agentic automations - the unified way
byUiPathCommunity
 
Cyber security chapter 1 for learning and educating to the students who want ...
byGulMohammadi
 
Real-Time AI Masterclass: Vector Search at Scale
byScyllaDB
 

Database Firewall with Snort

  • 1.
    Database Firewall withSnort Narudom Roongsiriwong
  • 2.
    WhoAmI Lazy Blogger • Japan,Security, FOSS, Politics, Christian • http://narudomr.blogspot.com Food Lover • Steak, Yakiniku, BBQ • Sushi (especially Otoro) • All Kinds of Noodle (Spaghetti, Ramen, Udon, Kanomjean) Head of IT Security, Kiatnakin Bank PLC (KKP)
  • 3.
    Agenda What Are DatabaseFirewalls? Are there Open Source DB Firewalls? What & Why Snort? Implementation Concerns Q&A
  • 4.
    Web/Web Services Custom Applications Business Applications How Databases Accessed? DirectAccess via Database Protocols • DBAs via query tools • Fat client applications Three-tier applications • Internal users via Business applications Web applications • Internal & External users via browser interfaces Application Interfaces • Applications via Web Services Interfaces Browser Browser DBA SQL Data Thin Client 3 Tier App Thick Client 2 Tier App Thin Client 3 Tier App Application Interface
  • 5.
    What are DatabaseFirewalls? Application Level Firewalls that monitor databases to identify and protect against database specific attacks that mostly seek to access sensitive information stored in the databases. Deployed either in-line with the database server (OR) near the network gateway
  • 6.
    Database Firewall Functions PolicyFunctions Details Whitelist Access Control  IP address, DB user, schedule (time)  IP address group, DB user group  Security policy group Authority Control  Control by objects (Table, View)  SQL operation (DML,DDL ,DCL)  SQL sentence Profile  Automatic security policy by self learning SQL query  Positive security based automatic Authority policy by Authority Profile  Control SQL sentence form by Form Profile Backlist Pattern Rule  Block/detect the user defined query pattern Column Rule  Block/detect the specific column of object Audit Archive & Analysis  Logging all the SQL query.  Analyzing audit log & security log Management  Central management for a several  Analyzing the database traffic & network traffic  Monitoring system usage
  • 7.
    Are there OpenSource DB Firewalls? GreenSQL • Cross Platform • Rapid Deployment • Well established • Web application independent • The only free security solution for MySQL • User Friendly WEB GUI/Management tool
  • 8.
    What is Snort? Opensource, freely available software except for rules Support Windows, Linux and Solaris Sensors/actuators in a network Signature based IDS/IPS Rules defined to take certain action after matching (atomic or composite) • Example: • alert tcp $HOME_NET any -> $EXTERNAL_NET any (content:"uk.youtube.com”;msg:"someone visited YouTube";)‫‏‬
  • 9.
    Snort: Capabilities Four modesof operation • Packet Sniffer mode • Packet Logger mode • Network Intrusion Detection Mode • Network Intrusion Prevention Inline (IPS) Mode • Configure Snort to receive packets from iptables rather than libpcap. • Separate capability that must be explicitly installed. • Adds 3 new rule types • Drop – iptables drops packet and snort logs • Reject – iptables rejects packet and snort logs • Sdrop – iptables will drop packet. No logging.
  • 10.
    Why Snort? Open Source Lowcost hardware implementation Ready to use Linux distribution out there • SmoothSec • Security Onion Partial DB Firewall function implementation
  • 11.
    Database Firewall Functionsby Snort Policy Functions Details Whitelist Access Control  IP address, DB user, schedule (time)  IP address group, DB user group  Security policy group Authority Control  Control by objects (Table, View)  SQL operation (DML,DDL ,DCL)  SQL sentence Profile  Automatic security policy by self learning SQL query  Positive security based automatic Authority policy by Authority Profile  Control SQL sentence form by Form Profile Backlist Pattern Rule  Block/detect the user defined query pattern Column Rule  Block/detect the specific column of object Audit Archive & Analysis  Logging all the SQL query.  Analyzing audit log & security log Management  Central management for a several  Analyzing the database traffic & network traffic  Monitoring system usage
  • 12.
    Management Add-On forSnort PulledPork: Snort Ruleset Management Squert: Analyze Alert Sguil: Network Security Monitoring Snorby: Network Security Monitoring ELSA: Enterprise Log Search and Archive
  • 13.
    Implementation eth0 Fixed IP forManagement No IP, from User PCs eth1 No IP, to Database Servers eth2
  • 14.
    SmoothSec Lightweight and fully-readyIDS/IPS Linux distribution Based on Debian 7 (wheezy) Available for 32 and 64 bit architecture. Includes the latest version of Snorby, Snort, Suricata, PulledPork and Pigsty. Easy setup process allows to deploy a complete IDS/IPS System within minutes Last Update: 2014-01-28, required new Linux kernel for new hardware (in this case LAN cards)
  • 15.
  • 16.
    Scenario: Read onlyfor Developers Cause: Developers knows database privilege usernames and passwords on legacy systems Environment: UAT Settings: Blacklist DDL, DCL and all DML except‫“‏‬SELECT”
  • 17.
    Explanation DML: Data ManipulationLanguage • SELECT, INSERT, UPDATE, DELETE, MERGE, UPSERT, CALL, LOCK DDL: Data Definition Language • CREATE, ALTER, DROP, TRANCATE, COMMENT, RENAME DCL: Data Control Language • GRANT, REVOKE
  • 18.
    Example Ruleset: BlockDDL ######### Block Create Table ######### drop tcp $UAT_NET any -> $DB_NET any (msg:"Block SQL Command: Create Table"; flow: to_server, established; content:"CREATE|20|"; nocase; pcre:"/CREATE.+TABLE/i"; sid:2015052205) ######### Block Create Database ######### drop tcp $UAT_NET any -> $DB_NET any (msg:"Block SQL Command: Create Database"; flow: to_server, established; content:"CREATE|20|"; nocase; pcre:"/CREATE.+DATABASE/i"; sid:2015052206) ######### Block Alter Table ######### drop tcp $UAT_NET any -> $DB_NET any (msg:"Block SQL Command: ALTER"; flow: to_server, established; content:"ALTER|20|"; nocase; pcre:"/ALTER.+TABLE/i"; sid:2015052204)
  • 19.
    Example Ruleset: BlockDCL ######### Block Grant ######### drop tcp $UAT_NET any -> $DB_NET any (msg:"Block SQL Command: Grant"; flow: to_server, established; content:"GRANT|20|"; nocase; pcre:"/GRANT.+ON/i"; sid:2015052211) ######### Block Revoke ######### drop tcp $UAT_NET any -> $DB_NET any (msg:"Block SQL Command: Revoke"; flow: to_server, established; content:"REVOKE|20|"; nocase; pcre:"/REVOKE.+ON/i"; sid:2015052212)
  • 20.
    Example Ruleset: BlockDML ######### Block Insert Table ######### drop tcp $UAT_NET any -> $DB_NET any (msg:"Block SQL Command Oracle: INSERT"; flow: to_server, established; content:"INSERT|20|"; nocase; pcre:"/INSERT.+INTO/i"; sid:2015052201) ######### Block Update Table ######### drop tcp $UAT_NET any -> $DB_NET any (msg:"Block SQL Command Oracle: UPDATE"; flow: to_server, established; content:"UPDATE|20|"; nocase; pcre:"/UPDATE.+SET/i"; sid:2015052202) ######### Block Delete Table ######### drop tcp $UAT_NET any -> $DB_NET any (msg:"Block SQL Command Oracle: DELETE"; flow: to_server, established; content:"DELETE|20|"; nocase; pcre:"/DELETE.+FROM/i"; sid:2015052203)
  • 21.
    Example Ruleset: BlockPrivilege Users ######### Block Privilege Users ######### drop tcp $UAT_NET any -> $DB_NET any (msg:"Drop privilege user"; content:"USER=SYS"; nocase; sid:20150520)
  • 22.
    Example Ruleset: BlockSpecific Software ########### Disallow Toad.exe ######### reject tcp $UAT_NET any -> $DB_NET any (msg:"Disallow Toad.exe"; flow:to_server,established; content:"Toad.exe"; nocase; sid:2015062901)
  • 23.
    Concerns: Unicode UTF-8: Noproblem UTF-16: ANSI pattern unable to match. ######### Block Create Table ######### drop tcp $UAT_NET any -> $DB_NET any (msg:"Block SQL Command: Create Table"; flow: to_server, established; content:"CREATE|20|"; nocase; pcre:"/CREATE.+TABLE/i"; sid:2015052205) ######### Block Create Table, UTF-16, Little Endian ######## drop tcp $UAT_NET any -> $DB_NET any (msg:"Block SQL Command UTF-16LE: Create"; flow:to_server,established; content:"C|00|R|00|E|00|A|00|T|00|E|00 20|"; nocase; sid:2015052705)
  • 24.
    Other Concerns No returnresult on IPS drop, causes disconnection on some software Dual-Port Ethernet adapter with bypass function may be required (with expensive cost) Implement ruleset rotation to cover scheduling feature.
  • 25.
    Special Thanks Amornsak Ruangtang ITSecurity, Kiatnakin Bank PLC. CEH, SEC+, MCITP, CCNA