Database Firewall with Snort
Narudom Roongsiriwong
WhoAmI
Lazy Blogger
• Japan, Security, FOSS, Politics, Christian
• http://narudomr.blogspot.com
Food Lover
• Steak, Yakiniku, BBQ
• Sushi (especially Otoro)
• All Kinds of Noodle (Spaghetti, Ramen, Udon, Kanomjean)
Head of IT Security, Kiatnakin Bank PLC (KKP)
Agenda
What Are Database Firewalls?
Are there Open Source DB Firewalls?
What & Why Snort?
Implementation
Concerns
Q&A
[Diagram: Web/Web Services, Custom Applications, Business Applications]
How Are Databases Accessed?
Direct Access via Database Protocols
• DBAs via query tools
• Fat client applications
Three-tier applications
• Internal users via Business applications
Web applications
• Internal & External users via browser interfaces
Application Interfaces
• Applications via Web Services Interfaces
[Diagram: Browser / Thin Client 3 Tier App, DBA (SQL in, Data out), Thick Client 2 Tier App, Thin Client 3 Tier App, Application Interface]
What are Database Firewalls?
Application-level firewalls that monitor databases to identify and protect against database-specific attacks, most of which seek access to sensitive information stored in the databases.
Deployed either in-line with the database server or near the network gateway.
Database Firewall Functions
Policy | Function | Details
Whitelist | Access Control | IP address, DB user, schedule (time); IP address group, DB user group; security policy group
Whitelist | Authority Control | Control by objects (Table, View); SQL operation (DML, DDL, DCL); SQL sentence
Whitelist | Profile | Automatic security policy by self-learning SQL queries; positive-security automatic authority policy by Authority Profile; control of SQL sentence form by Form Profile
Blacklist | Pattern Rule | Block/detect a user-defined query pattern
Blacklist | Column Rule | Block/detect access to a specific column of an object
Audit | Archive & Analysis | Logging of all SQL queries; analysis of audit log & security log
Management | Central management | Central management for several; analysis of database traffic & network traffic; monitoring of system usage
Are there Open Source DB Firewalls?
GreenSQL
• Cross Platform
• Rapid Deployment
• Well established
• Web application independent
• The only free security solution for MySQL
• User Friendly WEB GUI/Management tool
What is Snort?
Open source, freely available software except for rules
Supports Windows, Linux and Solaris
Sensors/actuators in a network
Signature based IDS/IPS
Rules defined to take certain action after matching (atomic or composite)
• Example:
  alert tcp $HOME_NET any -> $EXTERNAL_NET any (content:"uk.youtube.com"; msg:"someone visited YouTube";)
Snort: Capabilities
Four modes of operation
• Packet Sniffer mode
• Packet Logger mode
• Network Intrusion Detection Mode
• Network Intrusion Prevention Inline (IPS) Mode
• Configure Snort to receive packets from iptables rather than libpcap.
• Separate capability that must be explicitly installed.
• Adds 3 new rule types
• Drop – iptables drops packet and snort logs
• Reject – iptables rejects packet and snort logs
• Sdrop – iptables will drop packet. No logging.
Why Snort?
Open Source
Low-cost hardware implementation
Ready-to-use Linux distributions are available
• SmoothSec
• Security Onion
Partial DB Firewall function implementation
Database Firewall Functions by Snort
Policy | Function | Details
Whitelist | Access Control | IP address, DB user, schedule (time); IP address group, DB user group; security policy group
Whitelist | Authority Control | Control by objects (Table, View); SQL operation (DML, DDL, DCL); SQL sentence
Whitelist | Profile | Automatic security policy by self-learning SQL queries; positive-security automatic authority policy by Authority Profile; control of SQL sentence form by Form Profile
Blacklist | Pattern Rule | Block/detect a user-defined query pattern
Blacklist | Column Rule | Block/detect access to a specific column of an object
Audit | Archive & Analysis | Logging of all SQL queries; analysis of audit log & security log
Management | Central management | Central management for several; analysis of database traffic & network traffic; monitoring of system usage
Management Add-On for Snort
PulledPork: Snort Ruleset Management
Squert: Analyze Alert
Sguil: Network Security Monitoring
Snorby: Network Security Monitoring
ELSA: Enterprise Log Search and Archive
Implementation
Network interfaces of the Snort box:
• eth0: fixed IP, management
• eth1: no IP, toward user PCs
• eth2: no IP, toward database servers
SmoothSec
Lightweight and fully-ready IDS/IPS Linux distribution
Based on Debian 7 (wheezy)
Available for 32 and 64 bit architecture.
Includes the latest version of Snorby, Snort, Suricata, PulledPork and Pigsty.
Easy setup process allows deploying a complete IDS/IPS system within minutes
Last update: 2014-01-28; a newer Linux kernel was required for new hardware (in this case the LAN cards)
SmoothSec: Installation
Scenario: Read only for Developers
Cause: Developers know the privileged database usernames and passwords on legacy systems
Environment: UAT
Settings: Blacklist DDL, DCL and all DML except "SELECT"
Explanation
DML: Data Manipulation Language
• SELECT, INSERT, UPDATE, DELETE, MERGE, UPSERT, CALL, LOCK
DDL: Data Definition Language
• CREATE, ALTER, DROP, TRUNCATE, COMMENT, RENAME
DCL: Data Control Language
• GRANT, REVOKE
Example Ruleset: Block DDL
######### Block Create Table #########
drop tcp $UAT_NET any -> $DB_NET any (msg:"Block SQL Command: Create Table"; flow:to_server,established; content:"CREATE|20|"; nocase; pcre:"/CREATE.+TABLE/i"; sid:2015052205;)
######### Block Create Database #########
drop tcp $UAT_NET any -> $DB_NET any (msg:"Block SQL Command: Create Database"; flow:to_server,established; content:"CREATE|20|"; nocase; pcre:"/CREATE.+DATABASE/i"; sid:2015052206;)
######### Block Alter Table #########
drop tcp $UAT_NET any -> $DB_NET any (msg:"Block SQL Command: ALTER"; flow:to_server,established; content:"ALTER|20|"; nocase; pcre:"/ALTER.+TABLE/i"; sid:2015052204;)
Example Ruleset: Block DCL
######### Block Grant #########
drop tcp $UAT_NET any -> $DB_NET any (msg:"Block SQL Command: Grant"; flow:to_server,established; content:"GRANT|20|"; nocase; pcre:"/GRANT.+ON/i"; sid:2015052211;)
######### Block Revoke #########
drop tcp $UAT_NET any -> $DB_NET any (msg:"Block SQL Command: Revoke"; flow:to_server,established; content:"REVOKE|20|"; nocase; pcre:"/REVOKE.+ON/i"; sid:2015052212;)
Example Ruleset: Block DML
######### Block Insert Table #########
drop tcp $UAT_NET any -> $DB_NET any (msg:"Block SQL Command Oracle: INSERT"; flow:to_server,established; content:"INSERT|20|"; nocase; pcre:"/INSERT.+INTO/i"; sid:2015052201;)
######### Block Update Table #########
drop tcp $UAT_NET any -> $DB_NET any (msg:"Block SQL Command Oracle: UPDATE"; flow:to_server,established; content:"UPDATE|20|"; nocase; pcre:"/UPDATE.+SET/i"; sid:2015052202;)
######### Block Delete Table #########
drop tcp $UAT_NET any -> $DB_NET any (msg:"Block SQL Command Oracle: DELETE"; flow:to_server,established; content:"DELETE|20|"; nocase; pcre:"/DELETE.+FROM/i"; sid:2015052203;)
Example Ruleset: Block Privilege Users
######### Block Privilege Users #########
drop tcp $UAT_NET any -> $DB_NET any (msg:"Drop privilege user"; content:"USER=SYS"; nocase; sid:20150520;)
Example Ruleset: Block Specific Software
######### Disallow Toad.exe #########
reject tcp $UAT_NET any -> $DB_NET any (msg:"Disallow Toad.exe"; flow:to_server,established; content:"Toad.exe"; nocase; sid:2015062901;)
Concerns: Unicode
UTF-8: no problem, the ASCII keyword bytes are identical and the patterns match.
UTF-16: an ANSI (single-byte) pattern cannot match, because in UTF-16LE every character is followed by a NUL byte; a byte-level pattern is needed.
######### Block Create Table #########
drop tcp $UAT_NET any -> $DB_NET any (msg:"Block SQL Command: Create Table"; flow:to_server,established; content:"CREATE|20|"; nocase; pcre:"/CREATE.+TABLE/i"; sid:2015052205;)
######### Block Create Table, UTF-16, Little Endian #########
drop tcp $UAT_NET any -> $DB_NET any (msg:"Block SQL Command UTF-16LE: Create"; flow:to_server,established; content:"C|00|R|00|E|00|A|00|T|00|E|00 20|"; nocase; sid:2015052705;)
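As an added illustration that is not part of the slides, the following Python emulates the content/pcre checks of the two CREATE rules above on constructed ASCII and UTF-16LE payloads, and adds a helper that renders any keyword into the UTF-16LE content form so the remaining DDL/DCL/DML rules can be covered the same way. Assumptions: a single reassembled request buffer is matched (Snort's stream handling is not modelled), and the sid used for the generated ALTER rule is a placeholder.

```python
import re

# Rules taken from the slides: Snort 'content' (raw bytes, compared like nocase)
# plus the optional 'pcre' applied to the same payload.
RULES = [
    {"sid": 2015052205, "msg": "Block SQL Command: Create Table",
     "content": b"CREATE ", "pcre": re.compile(rb"CREATE.+TABLE", re.I)},
    {"sid": 2015052705, "msg": "Block SQL Command UTF-16LE: Create",
     "content": b"C\x00R\x00E\x00A\x00T\x00E\x00 ", "pcre": None},
]

def content_match(payload: bytes, content: bytes) -> bool:
    """Snort 'content' with 'nocase': only ASCII letters fold, NUL and space do not."""
    return content.lower() in payload.lower()

def matching_sids(payload: bytes) -> list:
    """Return sids of rules whose content (and pcre, if any) hit this payload."""
    hits = []
    for rule in RULES:
        if not content_match(payload, rule["content"]):
            continue
        if rule["pcre"] is not None and not rule["pcre"].search(payload):
            continue
        hits.append(rule["sid"])
    return hits

def utf16le_content(keyword: str) -> str:
    """Render an ASCII keyword as the Snort hex content of its UTF-16LE encoding."""
    return "|" + " ".join(f"{b:02x}" for b in keyword.encode("utf-16-le")) + "|"

def utf16le_rule(keyword: str, msg: str, sid: int) -> str:
    """Build a drop rule in the slides' template for a UTF-16LE-encoded keyword."""
    return (f'drop tcp $UAT_NET any -> $DB_NET any (msg:"{msg}"; '
            f'flow:to_server,established; content:"{utf16le_content(keyword)}"; '
            f'nocase; sid:{sid};)')

if __name__ == "__main__":
    stmt = "CREATE TABLE audit_log (id INT)"          # constructed sample statement
    for label, payload in [("ascii", stmt.encode()),
                           ("utf-16le", stmt.encode("utf-16-le")),
                           ("benign", b"SELECT 1 FROM dual")]:
        print(f"{label:9} -> {matching_sids(payload)}")
    # Same approach extended to ALTER; sid 2015052706 is a placeholder, not from the slides.
    print(utf16le_rule("ALTER ", "Block SQL Command UTF-16LE: Alter", 2015052706))
```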
Other Concerns
An IPS drop returns nothing to the client, which causes some software to disconnect.
A dual-port Ethernet adapter with bypass function may be required (at considerable cost).
Implement ruleset rotation to cover the schedule (time) function of a database firewall.
Special Thanks
Amornsak Ruangtang
IT Security, Kiatnakin Bank PLC.
CEH, SEC+, MCITP, CCNA