Network Security

What are Database Firewalls, why are they required & how do they protect databases?

Most of the front end applications rely on a back-end database (like MySQL, PostGRE SQL, etc) to fetch the required data while performing their tasks. Databases are no longer restricted to internal applications in a Local Area Network, as many web based applications rely on them. In this article, let us see what Database firewalls do, where they are deployed,  how they protect database specific attacks and some best practices for securing Database servers.

What are Database Firewalls?

Database Firewalls are a type of Web Application Firewalls that monitor databases to identify and protect against database specific attacks that mostly seek to access sensitive information stored in the databases.  Database Firewalls also enable to monitor and audit all access to databases through the logs maintained by them. A Database Firewall can generate specific compliance reports for regulations such as PCI, SOX, etc.

Generally Database Firewalls are security hardened appliances/ software that is deployed either in-line with the database server (just before the database server) (OR) near the network gateway (when it is protecting multiple databases in multiple servers). Some Database servers support host based agents that can be installed in the database server itself to monitor the local database events. But hardware based firewalls support host/network monitoring without any additional load on the database servers. Both the hardware appliance and software agents can be deployed to work simultaneously, as well.

How do Database Firewalls protect databases?

The Database Firewalls include a set of pre-defined, customizable security audit policies and they can identify database attacks based on past incidents / threat patterns called ‘signatures’. So, the SQL input statements/ queries are compared to these signatures, which are updated frequently by the vendors to identify known attacks on the database (Many tasks inside a database are implemented as a series of executable SQL statements).

But all the attacks on the databases may not be familiar. So, Database Firewalls build (or come with) white list of approved SQL commands/ statements that are safe. All the input commands are compared with this white list and only those that are already present in the white list are sent to the database. Database Firewalls can also maintain black list of certain specific and potentially harmful commands/ SQL statements and do not allow these type of inputs.

Some Database Firewalls can also identify the database, operating system and protocol vulnerabilities in the databases and intimate the administrator, who can take steps to patch them. Some Database Firewalls can also monitor for database responses (from the DB server) to block potential data leakage. Database Firewalls can also notify the suspicious activities, instead of blocking them right away.

SQL Injection and Buffer Overflow are two common types of Database attacks and Database Firewalls can block such attacks. Sometimes, stolen credentials might result in database hacking attempts, but since Database Firewalls monitor for irregular database activities constantly, such attempts can be identified.

Certain Database Firewalls can evaluate factors like IP address, time, location, type of applications (source), etc from which the abnormal database access requests are emanating and then decide whether to block them or not, based on these factors as per the policies set by the administrator. But, the possibility of False positives and False negatives in Database Firewalls, is an issue.

Some Best-Practices for Database security:

  • Unused accounts could be deleted and shared accounts can be prevented (for database access), as far as possible.
  • Its a good practice to encrypt database contents – especially sensitive contents.
  • Employees and users could be given different privileges for database access (Read Only vs Insert/Delete Records, for example).
  • The privileged user access could be controlled/ restricted to certain parts of the database.
  • In some situations, it might be better to allow users to update a database through authorized applications instead of letting users to update the database directly.
  • Users could be authenticated and authorized using LDAP / RADIUS Servers / Active Directory etc, and their individual access policies could be restricted based on their role defined in these directories.

Open Source Database Firewall: GreenSQL is an open source based free to download database firewall that can be used to protect MySQL and PostGRE SQL databases. Basically, this software acts as a reverse proxy for the SQL connections and monitors all the connections to the database server. This can be deployed in the same server as the database, or in a separate server in-line with the database connectivity.

You could stay up to date on the various computer networking/ related IT technologies by subscribing to this blog with your email address in the sidebar box that says, ‘Get email updates when new articles are published’

One Comment

  • Rami

    Data masking especially dynamic could be added to best practices of database firewalls. Something like green sql or offer