2025-03-28 Update From: SLTechnology News&Howtos > Network Security
Shulou (Shulou.com) 06/01 Report
The database firewall looks like a new kind of security device, but it actually has a fairly long history. Oracle acquired Secerno in 2010 and officially released its Database Firewall product in February 2011, so the product category has been on the market for many years.
Because the term "database firewall" is easy to understand and belongs to the same lineage as mainstream security products such as the firewall, the Web firewall and the next-generation firewall, many companies name their own data(base) security products "database firewall". Each company defines the database firewall differently and focuses on different things. In other words, although everyone talks about the database firewall, two vendors may well be describing two completely different data(base) security devices.
What is a database firewall?
As the name implies, a database firewall is a data(base) security device. The word "firewall" tells us that its main function is to keep danger from the outside away. In other words, a database firewall should block an intrusion before it reaches the database, or at the very least while the intrusion is in progress.
How do you define the outside?
To define external threats, the database boundary must be defined clearly, and that boundary can be drawn in different ways. The first definition takes the extreme view: because network boundaries are now blurred, all access from outside the database can be defined as external. Under this definition the firewall carries a very heavy burden, one that a single security device may not be able to bear. The second definition treats access from the data center and the operations and maintenance (O&M) network as internal and all other access as external, so the firewall does not need to carry internal O&M security and employee security and can do its job better.
In general we adopt the second definition: the database firewall mainly carries the data(base) security work for access from outside the data center and the O&M network.
How do I define a database firewall?
Once what counts as external has been defined precisely, what a database firewall is becomes clearer. Access from outside the O&M network can be defined as business access.
A database firewall is a security device or product that resists and eliminates data(base) security problems caused by loopholes or defects in application business logic. It is usually deployed between the application server and the database server and works by parsing the database protocol, but that is not the only possible implementation: it can also be deployed outside the database without protocol parsing. From this definition it can be seen that the essential goal of a database firewall is to patch the business application from the outside, so that loopholes or defects in application business logic do not compromise data(base) security.
Common application business logic vulnerabilities and flaws:
1. SQL injection attacks
2. CC attacks
3. Unexpected return of large amounts of data
4. Sensitive data not desensitized
5. Frequent similar operations
6. Control of highly sensitive operations
7. Identity theft and credential stuffing ("library collision") attacks
8. Authentication bypass and session hijacking
9. Business logic confusion
Common Application Scenarios of Database Firewalls
1. SQL injection attacks
SQL injection is the core application scenario of the database firewall; it can even be said that the database firewall exists to defend against SQL injection. SQL injection is a very old attack technique and, especially since the Internet became popular, has been a mainstream means of attack. It is important to note that SQL injection is caused not by vulnerabilities in the database but by vulnerabilities and defects in the application; the database is simply what gets harmed. Business applications are written by companies and engineers of uneven skill, and their code quality is far below that of Oracle, Microsoft and other big-name vendors, so SQL injection and similar vulnerabilities and defects are unavoidable. It can even be assumed that any business application above a certain level of complexity will have SQL injection vulnerabilities.
The main reason SQL injection is hard to defend against is that the attack is launched through the business application, so the security measures traditionally deployed are essentially ineffective against it, and it can easily reach the enterprise's core database.
2. CC attacks
Even an application without any defects can be hit by a simple CC (Challenge Collapsar, an application-layer flood) attack. Every application has some operations that consume a lot of resources, and as long as the intruder triggers these expensive operations at the same time, the database server becomes unresponsive.
3. Unexpected return of large amounts of data
Because of defects in the application, some operations return large amounts of unplanned data. Returning large amounts of data easily leads to security problems.
4. Sensitive data not desensitized
For historical reasons, existing applications rarely desensitize (mask) sensitive data. To comply with new security regulations and rules, and to better protect customers and the company, in many cases the data returned by the application needs to be desensitized.
5. Frequent similar operations
Frequent access to sensitive information through the application is one of the main channels of sensitive information leakage. A database firewall can reduce the risk of such leakage through responses such as delay and notification.
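As an added example (not code from the article or from any vendor's product), the following Python sketch shows what the response-side policies described in scenarios 3 to 5 look like in practice: a cap on the number of rows handed back, masking of sensitive columns, and a sliding-window count that flags an application user who repeats similar lookups. The column names, the limits, the time window and the sample result set are all constructed assumptions for illustration.

```python
import re
from collections import deque
from typing import Deque, Dict, List, Sequence, Tuple

# Added example, not code from the article or from any vendor product: the
# response-side policies a database firewall can apply to business access,
# covering oversized returns, unmasked sensitive data and frequent similar
# operations. Column names, limits and the time window are assumptions.

MAX_ROWS = 3                      # assumed cap on rows returned per statement
SENSITIVE_COLUMNS = {"phone", "id_card"}
WINDOW_SECONDS = 60.0             # assumed window for "frequent" detection
FREQUENCY_THRESHOLD = 5           # more than this many similar statements -> notify

Row = Tuple[str, ...]


def mask_value(column: str, value: str) -> str:
    """Desensitise one value on its way back to the application, keeping
    just enough of it for the business to recognise the record."""
    if column == "phone" and len(value) >= 7:
        return value[:3] + "****" + value[-4:]
    if column == "id_card" and len(value) >= 8:
        return value[:4] + "*" * (len(value) - 8) + value[-4:]
    return value


def apply_response_policy(columns: Sequence[str], rows: List[Row]) -> Tuple[List[Row], List[str]]:
    """Truncate an oversized result set and mask sensitive columns.

    Returns the rows to hand back to the application plus a list of the
    interventions made, which the firewall would log or alert on.
    """
    events: List[str] = []
    if len(rows) > MAX_ROWS:
        events.append(f"truncated {len(rows)} rows to {MAX_ROWS}")
        rows = rows[:MAX_ROWS]
    masked_cols = sorted(SENSITIVE_COLUMNS.intersection(columns))
    if masked_cols:
        events.append("masked " + ",".join(masked_cols))
    out = [tuple(mask_value(c, v) for c, v in zip(columns, row)) for row in rows]
    return out, events


class FrequencyMonitor:
    """Sliding-window count of similar statements per application user.

    "Similar" means the same statement text with numeric literals replaced,
    so lookups that walk through record ids one by one count as repeats of
    the same operation.
    """

    def __init__(self, window: float = WINDOW_SECONDS, threshold: int = FREQUENCY_THRESHOLD):
        self.window = window
        self.threshold = threshold
        self.history: Dict[Tuple[str, str], Deque[float]] = {}

    def record(self, user: str, sql: str, now: float) -> str:
        """Record one statement at time `now`; return 'notify' once the user
        has exceeded the threshold inside the window, otherwise 'pass'."""
        similar = re.sub(r"\d+", "N", " ".join(sql.split()))
        timestamps = self.history.setdefault((user, similar), deque())
        timestamps.append(now)
        while timestamps and now - timestamps[0] > self.window:
            timestamps.popleft()
        return "notify" if len(timestamps) > self.threshold else "pass"


def burst_verdicts(user: str, count: int, start: float = 1.0) -> List[str]:
    """Replay `count` id-by-id lookups one second apart and return the verdicts."""
    monitor = FrequencyMonitor()
    return [monitor.record(user, f"SELECT phone FROM customers WHERE id = {i}", start + i)
            for i in range(count)]


# Constructed sample result set, as the firewall would see it coming back
# from the database for a customer lookup (five rows, two sensitive columns).
SAMPLE_COLUMNS = ("id", "name", "phone", "id_card")
SAMPLE_ROWS: List[Row] = [
    (str(i), f"customer{i}", f"1381234{i:04d}", f"11010119900101{i:04d}")
    for i in range(1, 6)
]

if __name__ == "__main__":
    returned, events = apply_response_policy(SAMPLE_COLUMNS, SAMPLE_ROWS)
    print(events)       # ['truncated 5 rows to 3', 'masked id_card,phone']
    print(returned[0])  # ('1', 'customer1', '138****0001', '1101**********0001')
    print(burst_verdicts("app_user", 6)[-1])  # notify
```

The two policies are independent: the result-set policy runs once per statement and needs no state, while the frequency monitor keeps per-user history, which is why a real product groups "similar" statements by shape rather than exact text.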
6. Control of highly sensitive operations
Many applications have access control vulnerabilities and cannot control certain sensitive operations, for example the retrieval of top-secret information.
7. Identity theft and credential stuffing ("library collision") attacks
Credential stuffing is one of the biggest security risks on the Internet, and most credential stuffing attacks aim at identity theft.
8. Authentication bypass and session hijacking
Because of application defects, security verification mechanisms such as CAPTCHA fail to take effect, or a session is hijacked so that the business application is controlled illegitimately.
9. Business logic confusion
Application vulnerabilities allow the business logic to be confused, for example triggering the next step of an approval process without checking that the previous step exists and was completed properly.
Database Vulnerability Detection and Prevention and the Database Firewall
We can observe that many database firewalls include database vulnerability detection and virtual patching, and some even make database vulnerability detection and defense the core function of the database firewall. This is a typical misunderstanding: the core of the database firewall is to detect and prevent business application vulnerabilities, not database vulnerabilities.
Of course, there is a logical basis for a database firewall to include database vulnerability detection: when intruders break in through a business application vulnerability, especially SQL injection, they often go on to exploit database vulnerabilities to gain more from the intrusion. Viewed as a chain of steps, a database vulnerability attack can in many cases be regarded as one link of a SQL injection attack, the link in which the intruder expands what has been gained.
Database Firewall and Web Firewall
Web firewall
Many people may ask: a Web firewall can also protect against SQL injection, so why deploy a database firewall? First, let's look at what a WAF can do:
1. SQL injection attacks
2. XSS attacks
3. CSRF attacks
4. SSRF attacks
5. Webshell backdoors
6. Weak passwords
7. Deserialization attacks
8. Command / code execution
9. Command / code injection
10. Local / remote file inclusion attacks
11. File upload attacks
12. Disclosure of sensitive information
13. XML external entity (XXE) injection
14. XPath injection
15. LDAP injection
16. Other
From this list it is obvious that the targets of the Web firewall and the database firewall are quite different; SQL injection is only a small intersection between the two.
The Database Firewall is the Ultimate Solution for SQL Injection Defense
The different deployment locations of the database firewall and the Web firewall determine that the two products' defense strategies against SQL injection, and their effectiveness, differ greatly.
Deployment location: the Web firewall sits between the browser and the application; the database firewall sits between the application server and the database server.
Operating protocol: the Web firewall works on the HTTP protocol; the database firewall generally works on the database protocol, such as Oracle SQL*Net or MSSQL TDS.
Because the Web firewall sits between the browser and the application, it can only see the data the user submits, and that data is usually just a fragment of the eventual SQL statement; it has no global view of the SQL, let alone the statement's context. A Web firewall can therefore only identify and filter on conventional anomaly features and known signatures, so its effectiveness against SQL injection depends on the skill and creativity of the attacker. Against an attacker with some creativity, a Web firewall finds SQL injection difficult to defend against.
The database firewall sits between the application server and the database server, so what it sees is the final, complete SQL statement produced after the complex business logic has run, that is, the attacker's final form with much of the camouflage torn off. Because this final form varies little, the database firewall can adopt more active defense strategies than a Web firewall, such as a whitelist-based strategy for detecting abnormal SQL behaviour, and achieve 100% defense against SQL injection. Even if it simply adopts a blacklist strategy like a Web firewall, the information it sees is the complete, final information, so the difficulty of defense is greatly reduced compared with a Web firewall and the defense is naturally more effective.
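As an added illustration that is not part of the original article or of any vendor's product, the following Python sketch models the whitelist strategy described above and the SQL injection scenario from section 1: a learning period collects the shapes of the application's normal statements, then each final SQL statement arriving at the database is reduced to its shape (literals removed) and allowed only if that shape was learned. The concatenating `build_lookup_sql` function stands in for the application-side defect the database firewall compensates for; the traffic sample and the table and column names are constructed.

```python
import re
from typing import Iterable, Set

# Added example, not from the article or any vendor product: a minimal model
# of the whitelist strategy a database firewall can apply to the final SQL
# statement it sees between application server and database server.

# Constructed sample of the application's normal traffic, as a database
# firewall would record it during a learning period.
LEARNED_TRAFFIC = [
    "SELECT id, name, balance FROM accounts WHERE id = 17",
    "SELECT id, name, balance FROM accounts WHERE id = 4211",
    "UPDATE accounts SET balance = 120.50 WHERE id = 17",
    "INSERT INTO audit_log (user_id, action) VALUES (17, 'login')",
]


def build_lookup_sql(user_input: str) -> str:
    """The application-side flaw: the statement is built by string
    concatenation, so whatever the user submits ends up inside the SQL.
    Included only to produce the 'final form' the firewall inspects."""
    return f"SELECT id, name, balance FROM accounts WHERE id = {user_input}"


def fingerprint(sql: str) -> str:
    """Reduce a statement to its structural shape.

    Legitimate traffic varies in its literals; injection changes the
    structure. So string and numeric literals become '?', whitespace is
    collapsed and the result is upper-cased so comparison is case-insensitive.
    """
    shape = re.sub(r"'(?:[^']|'')*'", "?", sql)       # string literals
    shape = re.sub(r"\b\d+(?:\.\d+)?\b", "?", shape)  # numeric literals
    shape = re.sub(r"\s+", " ", shape).strip()
    return shape.upper()


def learn_whitelist(traffic: Iterable[str]) -> Set[str]:
    """Collect the set of statement shapes observed in normal traffic."""
    return {fingerprint(s) for s in traffic}


def decide(sql: str, whitelist: Set[str]) -> str:
    """Firewall decision on one final SQL statement: 'allow' if its shape was
    learned, otherwise 'block'. No attack signatures are involved, which is
    why the outcome does not depend on how creative the attacker was."""
    return "allow" if fingerprint(sql) in whitelist else "block"


if __name__ == "__main__":
    whitelist = learn_whitelist(LEARNED_TRAFFIC)
    # Normal request: a new literal, but the same learned shape.
    print(decide(build_lookup_sql("99"), whitelist))         # allow
    # Tampered request: the concatenated input changes the statement's shape.
    print(decide(build_lookup_sql("99 OR 1=1"), whitelist))  # block
```

Note what the Web firewall would have seen in the second case: only the fragment `99 OR 1=1`, with no way to know whether it lands inside a numeric comparison, a string literal or a comment; the database firewall sees the whole statement and compares its shape, which is the point the section above makes. A real product would learn shapes over a much longer period and handle the shape set per application account, but the decision logic is the same.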
More access channels
Accessing the database through an HTTP-based application is only one channel of database access, and a large amount of business access has nothing to do with HTTP. A Web firewall naturally cannot be deployed for these non-HTTP services; only a database firewall can protect them.
Summary
1. The database firewall is mainly used to prevent the risk of external intrusion and should be properly separated from internal security control.
2. The main focus of the database firewall is to reduce or eliminate data(base) security risk by compensating for loopholes and defects in application business logic. SQL injection is its core defense target, while database vulnerability attack detection and defense is not essential.
3. Because SQL injection attacks and database vulnerability attacks tend to go together, database firewalls often include database vulnerability detection and defense.
4. A Web firewall cannot replace a database firewall. The Web firewall is the first line of defense against SQL injection, and the database firewall is the ultimate solution.
This article is reproduced from the WeChat official account of Hangzhou Meichuang Technology Co., Ltd.; original author: Liu Zunliang.