Re: [fw-wiz] Protocol inspection



On Mon, 31 Mar 2008, Darden, Patrick S. wrote:

You hit the nail on the head here. You can do the following:

0. firewall (include only specific endpoints for HTTP/SQL traffic)
1. stateful (helps defeat MITM attacks/interceptions/stream injections on the HTTP/SQL streams)
2. packet inspection (make sure port 80 is http traffic, 1443 is SQL, etc.)
3. content filtering (reflexive IDS (called Intrusion Prevention (IP) by some products like Astaro) e.g. utilizing Snort ruleset to create on the fly filters based on content)

I don't know of a level 4 above, which would be:

4. application proxy (SQL proxy that filters out all queries by default except those that match specific criteria, i.e. a SQL whitelist ruleset)

I think if someone did make such a beastie, it would make waves. It
would probably have to be tightly bound into a Web Proxy, maybe a module
for a pre-existing Web Proxy like Apache or Squid. You would think that
with SQL injection being such a large vector of attack, this would have
already been addressed. Checking Google I can only find stuff like
this:

there are some companies that make products that work in this space. some
require you to produce whitelists, some auto-learn 'normal' traffic and
block 'abnormal' traffic

they are expensive, and their configuration (such that I've seen) is a
nightmare. I won't start naming companies at the moment, but I may have
suggestions in a few months.

David Lang

Introducing mod_security http://www.onlamp.com/pub/a/apache/2003/11/26/mod_security.html
(includes a blacklist version that prevents two specific SQL injection attacks, almost useless)


Securing Apache: Step by Step http://www.securityfocus.com/infocus/1694
It is worth emphasizing that the above model doesn't support PHP, JSP, CGI or any other technologies that make it possible to interact with Web services. The use of such technologies may pose a large security threat, so that even a small, inconspicuous script can radically decrease the server's security level. Why? Primarily, ASP/CGI applications may contain security vulnerabilities (e.g. SQL injection, cross-site-scripting). Secondarily, the technology itself can be dangerous (vulnerabilities in PHP, Perl modules etc.). That's why I strongly recommend using such technologies only when an interaction with a Web site is absolutely necessary.


20 ways to Secure your Apache Configuration http://www.petefreitag.com/item/505.cfm
(no mention of SQL injection at all)

etc.

If someone knows of one, please speak up!
--Patrick Darden




-----Original Message-----
From: firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx
[mailto:firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx]On Behalf Of Josh
Sent: Friday, March 28, 2008 1:58 PM
To: firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
Subject: [fw-wiz] Protocol inspection


I have a question that is hopefully appropriate for
this list, related to application inspection (whatever
the vendors call it now).

We recently had some problems with SQL injection, and
I have been asked to look at whether our equipment can
stop the attacks. My knowledge about the attack is
that there isn't a generic way to block the traffic,
since a firewall can't differentiate between valid
post data (to a forum, for example) vs one that is an
attempt to use injection.

If this is the case, any vendor's protection will just
amount to responses to known attacks, and I could just
as easily create a filter on my own that stops some
portion of attacks (since I know better what data my
webservers expect).

Is this a reasonable path to go down, or is there more
functionality in vendor responses to and protection
against SQL injection?

Thanks,
Josh
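An added example, not code from anyone in this thread: a minimal sketch of the "level 4" SQL allowlist proxy Patrick describes, combined with the auto-learned "normal traffic" mode David mentions. Each statement is reduced to a shape (literals replaced with ?, case and whitespace normalized) during a learning run, and anything whose shape was never seen is refused by default. The baseline queries, test traffic and regex-based normalizer are constructed assumptions for illustration; a production filter would use a real SQL parser rather than regexes.

```python
import re

# Constructed baseline: queries observed from the application during a
# learning period (sample data for this example, not from any real deployment).
BASELINE_QUERIES = [
    "SELECT id, title FROM posts WHERE forum_id = 12 ORDER BY id DESC",
    "SELECT id, title FROM posts WHERE forum_id = 7 ORDER BY id DESC",
    "INSERT INTO posts (forum_id, author, body) VALUES (12, 'josh', 'hello list')",
    "SELECT name FROM users WHERE id = 42",
]

_STRING = re.compile(r"'(?:[^']|'')*'")     # SQL string literal; '' is an escaped quote
_NUMBER = re.compile(r"\b\d+(?:\.\d+)?\b")  # integer or decimal literal
_SPACE = re.compile(r"\s+")


def shape(query: str) -> str:
    """Reduce a statement to its structural shape: literals become '?',
    whitespace is collapsed and keywords/identifiers are upper-cased."""
    q = _STRING.sub("?", query)
    q = _NUMBER.sub("?", q)
    return _SPACE.sub(" ", q).strip().upper()


def learn(queries) -> set:
    """Build the allowlist from known-good traffic (the auto-learn mode)."""
    return {shape(q) for q in queries}


def permitted(query: str, allowlist: set) -> bool:
    """Default-deny: only statements whose shape was seen during learning pass."""
    return shape(query) in allowlist


if __name__ == "__main__":
    allow = learn(BASELINE_QUERIES)
    # Constructed test traffic: the same shape with new literals passes; an
    # extra WHERE condition, a stacked statement, or a brand-new legitimate
    # query the application never issued during learning does not.
    for q in [
        "select name from users where id = 7",
        "SELECT name FROM users WHERE id = 42 OR 1=1",
        "SELECT name FROM users WHERE id = 42; SELECT 1",
        "SELECT email FROM users WHERE id = 42",
    ]:
        print("ALLOW" if permitted(q, allow) else "DENY ", "|", shape(q))
```

The last test query is legitimate but was never learned, which is the maintenance cost David points to: every new query shape the application ships has to be added to the allowlist or the proxy breaks the site.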


_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards