Thursday, August 12, 2010

SQL Injection Defense Strategies

I had the great pleasure to participate in one of the first classes on the Oracle Database Firewall.  Oracle Database Firewall is a new product that came to Oracle through their acquisition of Secerno.  Oracle Database Firewall is a high capacity and highly accurate firewall software appliance for databases.

Firewall Protection
Oracle Database Firewall's primary role is to apply a level of protection and control to databases that may not be possible with the native features of the databases being protected.  Examples of protection include the following:

  • Prevent SQL Injection attacks that come through vulnerable web or application servers.
  • Enable account lockout after some number of successive failed login attempts.
  • Enable role-based access control.
  • Discover a user's entitlements.
  • Protect against unauthorized use by privileged and non-privileged users, both over the network and locally.
  • Alert on suspicious or abnormal SQL activity.

Intrusion Detection
Some customers may choose to use Oracle Database Firewall as an intrusion detection device.  In this mode of operation, Oracle Database Firewall captures and analyzes all SQL traffic to a database by obtaining a copy of the raw network data from a network spanning port (a.k.a. network tap).  In intrusion detection mode, Oracle Database Firewall detects and alerts on undesirable SQL activity.

Performance Acceleration
Another benefit of Oracle Database Firewall is that it summarizes the types of SQL operations that are applied to your databases.  From this summarization, you can identify poorly constructed SQL statements that could be optimized for much better application performance.  On the protect and defend side, you could also identify valid but inappropriate SQL load.  In this latter case, you could use the alert function to inform the application owner to please stop abusing the database.  Or, if necessary, you could just block those abusive queries from reaching the database altogether.

SQL Injection Protection
I mentioned SQL Injection earlier but I wanted to come back to it because it is a very real and pervasive threat to every company or organization with an internal or external web site.  For the layman, "SQL injection" is an indirect way of saying "a very poorly designed web or desktop application."  SQL injection results from applications not sanitizing EVERY form field or input variable that is used as part of an SQL query against a database.

A common target of SQL injection in web applications is the web site's login page.  When you enter your login user id and password, those two fields are used to construct an SQL statement that is submitted to a database to verify that you are a valid user.  If these fields are not properly sanitized, SQL injection can use them to incrementally reveal database information.  Given enough time and persistence, a diligent hacker can, through vulnerable applications, get just about any information out of the database that they want.  Exposed information could include user ids, passwords, home addresses, credit card numbers, social security numbers, account numbers, ... and the list goes on.
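The login-page scenario described above, as an added example that is not part of the original post or of any Oracle product: a constructed in-memory user table, the unsanitized query construction the paragraph warns about beside its parameterized replacement, and a constructed field value containing a quote character to show why the first form is unsafe and the second is not.

```python
import sqlite3

# Constructed demonstration table: one user, password stored in clear text
# only to keep the example short (a real application stores a password hash).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse battery staple')")
    conn.commit()
    return conn

def build_vulnerable_sql(username, password):
    """The unsanitized pattern: form fields are pasted into the SQL text, so a
    quote character in either field ends the literal and the rest is parsed as SQL."""
    return ("SELECT COUNT(*) FROM users WHERE username = '" + username
            + "' AND password = '" + password + "'")

def login_vulnerable(conn, username, password):
    try:
        return conn.execute(build_vulnerable_sql(username, password)).fetchone()[0] > 0
    except sqlite3.Error:
        # A syntax error here is itself a sign that input reached the parser as code.
        return False

def login_parameterized(conn, username, password):
    """The fix: bind parameters. The statement text is fixed and the values are
    passed separately, so the fields can never change the query's structure."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0

if __name__ == "__main__":
    db = make_db()
    crafted = "' OR '1'='1"  # constructed field value containing a quote
    print(build_vulnerable_sql("alice", crafted))
    print("vulnerable:", login_vulnerable(db, "alice", crafted))        # True: query structure altered
    print("parameterized:", login_parameterized(db, "alice", crafted))  # False: value treated as data
```

The point to take from the two functions is that the parameterized version never concatenates user input into statement text; the database driver receives the statement and the values separately, which is the sanitization the paragraph asks for, done by construction rather than by filtering.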

Oracle Database Firewall protects databases from SQL injection attacks by accurately identifying and allowing through valid SQL and rejecting (or if preferred just alerting) on the rest.
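To make the two ideas above concrete, the summarization of SQL operation types from the Performance Acceleration section and the allow-valid-SQL, reject-or-alert-on-the-rest policy from this section, here is an added example that is not part of the original post and does not represent how Oracle Database Firewall is implemented. It strips literal values out of statements so that statements with the same structure compare equal, counts those structures over a constructed baseline of legitimate traffic (hypothetical schema), and then passes, blocks or alerts on new statements depending on whether their structure was seen in the baseline.

```python
import re
from collections import Counter

# Literal-stripping rules: string and numeric literals become "?" so that
# statements that differ only in their data values share one "shape".
_STRING = re.compile(r"'(?:[^']|'')*'")
_NUMBER = re.compile(r"\b\d+(?:\.\d+)?\b")
_WS = re.compile(r"\s+")

def normalize(sql):
    """Return the structural shape of a statement: literals replaced,
    whitespace collapsed, keywords and identifiers upper-cased."""
    shape = _STRING.sub("?", sql)
    shape = _NUMBER.sub("?", shape)
    return _WS.sub(" ", shape).strip().upper()

def summarize(statements):
    """Count how often each statement shape occurs: the 'types of SQL
    operations' view used to spot hot or poorly constructed queries."""
    return Counter(normalize(s) for s in statements)

class SqlPolicy:
    """Allow-list of statement shapes learned from known-good traffic.
    action is what happens to anything outside the list: 'block' or 'alert'."""
    def __init__(self, action="block"):
        if action not in ("block", "alert"):
            raise ValueError("action must be 'block' or 'alert'")
        self.action = action
        self.allowed = set()

    def learn(self, statements):
        self.allowed.update(normalize(s) for s in statements)

    def check(self, sql):
        return "pass" if normalize(sql) in self.allowed else self.action

# Constructed baseline of legitimate application traffic (hypothetical schema).
BASELINE = [
    "SELECT COUNT(*) FROM users WHERE username = 'alice' AND password = 'secret1'",
    "SELECT COUNT(*) FROM users WHERE username = 'bob' AND password = 'hunter2'",
    "SELECT id, balance FROM accounts WHERE owner_id = 17",
    "UPDATE accounts SET balance = 120.50 WHERE id = 9",
]

if __name__ == "__main__":
    policy = SqlPolicy(action="block")
    policy.learn(BASELINE)
    for shape, n in summarize(BASELINE).items():
        print(n, shape)
    # Same shape as the baseline, different values: passes.
    print(policy.check("SELECT id, balance FROM accounts WHERE owner_id = 42"))
    # A login query whose structure was changed by a quoted field: blocked.
    print(policy.check("SELECT COUNT(*) FROM users WHERE username = 'eve' "
                       "AND password = '' OR '1'='1'"))
```

A real product would parse SQL with a full grammar rather than regular expressions, and would be deployed in-line for blocking or on a spanning port for alert-only operation as described in the Intrusion Detection section; the policy object's two actions mirror those two modes.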

Internal Breach Protection
Notice in the previous section that I said internal web sites and applications.  One observation that I have made from working with many customers over the last 15+ years is that internal web sites aren't necessarily held to the same high standard of security as external web sites.  Consequently, internal sites can be a greater vulnerability for most companies than their Internet-facing web sites.  Recent publications such as Verizon's 2010 Data Breach Report confirm that nearly half of data breaches still come from internal sources.  You can also see from the Softpedia SQL Injection news page that SQL injection based data breaches are not isolated to small firms.  The likes of NASA, Symantec, Intel, The Wall Street Journal, and even the United States Military are among the impacted organizations listed on Softpedia's page.

Database Security Arsenal
There is a saying that there are no silver bullets in the security business.  That simply means that there isn't a single solution that solves all security challenges.  However, Oracle Database Firewall represents an enormous leap forward in the defense of database security.  Oracle's Database Security portfolio also includes network encryption and on-disk encryption (Advanced Security Option), separation of duty (Database Vault), centralized auditing (Audit Vault), Data Masking and more.


If you have applications that talk to a database over a network, consider adding Oracle Database Firewall to your defense strategy.

Click here to learn more about Oracle Database Firewall, or here to learn more about the entire Oracle Database Security portfolio.

Have a great day!


Brad

PS: As a disclaimer, I am an employee of Oracle. However, I would have written this blog post even if I wasn't an Oracle employee because security is everyone's problem.
