Preventing SQL injection attacks: A network admin's perspective

SQL injection, an attack vector against Web applications, is well known, and security experts have long warned about its increased use by hackers. As a method of attack, SQL injection -- a security exploit in which someone maliciously adds Structured Query Language (SQL) code to a Web form input box in an attempt to gain access to resources or make changes to data -- only requires network port 80 to be open, one of the few ports through which even a well-configured firewall will allow traffic. Its recent use to compromise servers at Heartland Payment Systems Inc. has caused network administrators to realize what a serious threat SQL injection is and re-evaluate their defenses against it.

The key defense for preventing SQL injection attacks is the use of parameterized stored procedures. When these procedures are used, requests to the database are made using parameters and user-defined subroutines instead of commands being built using values supplied directly by a user. SQL parameters are not only type safe, but they also greatly reduce the likely success of a SQL injection attack.
Database development is outside the purview of most network administrators, but you should insist best practices are followed for safeguarding data on your network.

Although using stored procedures is a must, it's not sufficient. To fight off would-be attackers, a defense-in-depth strategy is essential; otherwise developers are being called on to provide front-line security, and traditionally that has been a challenge for many organizations. Database administrators and application developers should certainly follow best practices, but let's look at what you can do as a network administrator to provide additional protection for database resources.

Application and dat...

WAFs can provide protection beyond that of traditional network firewalls and intrusion detection/prevention systems. Many WAFs, like those produced by Imperva Inc. and Barracuda Networks Inc., can help prevent attacks such as SQL injection, cross-site scripting and others that target flaws in application logic or technical vulnerabilities in software. The latest WAFs can recognize evasion techniques exploited by attackers using SQL injection, such as obfuscating the attack by encoding portions of the injected command.

Your chosen application-layer firewall should also allow for the creation of filters to intercept, analyze or modify traffic specific to the network. Unusually large requests need to be analyzed and filters should strip out strings commonly used in SQL injection attacks, such as -- and @@version. All such requests can be logged and the source IP address blocked. Better still is a firewall that has the capability to "learn" what is and isn't normal traffic for your particular network and adapt its behavior accordingly. When irregularities are detected, the WAF can shut down potential attacks while they're happening. Also, as SQL injection often takes place via the URL query string, it is important to regularly review Web server's logs to look for anomalous queries that may be injection attempts.

As the network administrator, it is also important to ensure that any accounts that are used by Web applications are granted the least possible privileges. Restricted access will minimize the damage that a successful attack could cause. Web applications should never connect as users with administrative privilege such as "sysadmin" at the server level or "db_owner" at the database level. Microsoft, for example, recommends that during the installation of SQL Server, the service is given a domain account that has its permissions set to only access the necessary resources. That way, if an attacker breaks through an organization's defenses, that person will be confined by the permission set needed to run SQL Server.

Since SQL injection attacks leverage poorly written code, the only way to completely prevent SQL injection attacks is to resolve vulnerabilities in your application's code. However, you can, as a network administrator, make life harder for a potential attacker by adding additional layers of defense that they will have to overcome.

About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for several SearchSecurity.com Security Schools and, as a SearchSecurity.com site expert, answers user questions on application security and platform security.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. BROWSE BY TAG Network Security Tactics,   Network Intrusion Detection (IDS),   Network Intrusion Detection and Analysis,   Enterprise Network Security,   Monitoring Network Traffic and Network Forensics,   Application and Platform Security,   Web Security Tools and Best Practices,   Web Application Security,   VIEW ALL TAGS Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Network Security Tactics Screencast: Find rogue wireless acess points with Vistumbler How to prepare for a secure network hardware upgrade Screencast: How to launch an OpenVAS scan Wireless network guidelines for PCI DSS compliance Aligning network security with business priorities Scanning with N-Stalker offers basic Web application security assessment Lifecycle of a network security vulnerability Screencast: BackTrack 4 offers an arsenal of penetration testing tools Network access control technology: Over-hyped or underused? Screencast: Smoothwall offers firewall defense in lean times Network Intrusion Detection (IDS) Lifecycle of a network security vulnerability Best Intrusion Prevention and Detection Products Rogue AP containment methods SIMs tools and tactics for business intelligence IPS and IDS deployment strategies Know when you need IDS, IPS or both Trend Micro to acquire Third Brigade for virtualization, cloud security New product aims to control rogue applications that avoid firewalls How to perform a network forensic analysis and investigation What is the cause of an 'intrusion attempt' message? Network Intrusion Detection (IDS) Research Monitoring Network Traffic and Network Forensics Botnet masters turn to Google, social networks to avoid detection Breach prevention: How to keep track of data and applications Researchers find thousands of flawed embedded devices Network traffic collection, analysis helps prevent data breaches Lifecycle of a network security vulnerability Port scan attack prevention best practices How to prevent network sniffing and eavesdropping DoD urges less network anonymity, more PKI use Chained Exploits: How to prevent phishing attacks from corporate spies PCI compliance requirement 10: Auditing RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary computer forensics  (SearchSecurity.com) Diffie-Hellman key exchange  (SearchSecurity.com) Einstein  (SearchSecurity.com) HIDS/NIDS  (SearchSecurity.com) network behavior analysis  (SearchSecurity.com) ultrasound  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.