Preventing SQL injection attacks: A network admin's perspective

SQL injection, an attack vector against Web applications, is well known, and security experts have long warned about its increased use by hackers. As a method of attack, SQL injection -- a security exploit in which someone maliciously adds Structured Query Language (SQL) code to a Web form input box in an attempt to gain access to resources or make changes to data -- only requires network port 80 to be open, one of the few ports through which even a well-configured firewall will allow traffic. Its recent use to compromise servers at Heartland Payment Systems Inc. has caused network administrators to realize what a serious threat SQL injection is and re-evaluate their defenses against it.

The key defense for preventing SQL injection attacks is the use of parameterized stored procedures. When these procedures are used, requests to the database are made using parameters and user-defined subroutines instead of commands being built using values supplied directly by a user. SQL parameters are not only type safe, but they also greatly reduce the likely success of a SQL injection attack.
Database development is outside the purview of most network administrators, but you should insist best practices are followed for safeguarding data on your network.

Although using stored procedures is a must, it's not sufficient. To fight off would-be attackers, a defense-in-depth strategy is essential; otherwise developers are being called on to provide front-line security, and traditionally that has been a challenge for many organizations. Database administrators and application developers should certainly follow best practices, but let's look at what you can do as a network administrator to provide additional protection for database resources.

SQL injection protection: A guide on how to prevent and stop attacks  In this guide, learn how to detect and fix SQL injection vulnerabilities.

Application and database servers obviously need to be hardened and regularly patched, but SQL injection threats can work even against patched systems as they attack the actual Web application -- ASP, JSP, PHP, etc. -- rather than the Web server and the OS it's running on. Sensitive information needs to be encrypted both at rest and in transit over the network, but the most important contribution will likely be the addition of a Web application firewall (WAF) or some variation of an application-layer firewall as an additional defense.

WAFs can provide protection beyond that of traditional network firewalls and intrusion detection/prevention systems. Many WAFs, like those produced by Imperva Inc. and Barracuda Networks Inc., can help prevent attacks such as SQL injection, cross-site scripting and others that target flaws in application logic or technical vulnerabilities in software. The latest WAFs can recognize evasion techniques exploited by attackers using SQL injection, such as obfuscating the attack by encoding portions of the injected command.

Your chosen application-layer firewall should also allow for the creation of filters to intercept, analyze or modify traffic specific to the network. Unusually large requests need to be analyzed and filters should strip out strings commonly used in SQL injection attacks, such as -- and @@version. All such requests can be logged and the source IP address blocked. Better still is a firewall that has the capability to "learn" what is and isn't normal traffic for your particular network and adapt its behavior accordingly. When irregularities are detected, the WAF can shut down potential attacks while they're happening. Also, as SQL injection often takes place via the URL query string, it is important to regularly review Web server's logs to look for anomalous queries that may be injection attempts.

As the network administrator, it is also important to ensure that any accounts that are used by Web applications are granted the least possible privileges. Restricted access will minimize the damage that a successful attack could cause. Web applications should never connect as users with administrative privilege such as "sysadmin" at the server level or "db_owner" at the database level. Microsoft, for example, recommends that during the installation of SQL Server, the service is given a domain account that has its permissions set to only access the necessary resources. That way, if an attacker breaks through an organization's defenses, that person will be confined by the permission set needed to run SQL Server.

Since SQL injection attacks leverage poorly written code, the only way to completely prevent SQL injection attacks is to resolve vulnerabilities in your application's code. However, you can, as a network administrator, make life harder for a potential attacker by adding additional layers of defense that they will have to overcome.

About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for several SearchSecurity.com Security Schools and, as a SearchSecurity.com site expert, answers user questions on application security and platform security.

Rate this Tip To rate tips, you must be a member of SearchSecurity.IN. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Network and endpoint security tools and technologies Two factor authentication gets token agnostic at Central Bank of India Considering two-factor authentication? Do cost, risk analysis How to perform an Active Directory health check Information rights management helps L&T protect its knowhow Voice data security risks on the rise, say experts Firewall audit tools aid compliance Interest in data leakage protection, event log management rises Zeus Trojan continues reign infecting 74,000 PCs in global botnet Fraudulent mobile applications will threaten mobile banking security Mobile Reputation Security prototype from Symantec: A closer look Application and Web threat defenses Noted cryptographer on SSL, encryption and cloud computing Considering two-factor authentication? Do cost, risk analysis Clientless SSL VPN vulnerability and Web browser protection 11 application security tweaks for a secure SDLC Fraudulent mobile applications will threaten mobile banking security Mobile Reputation Security prototype from Symantec: A closer look A botnet and rootkit removal 101 Microsoft warns that IE zero-day vulnerability causes data leakage What to do with network penetration test results Network discovery and the Simple Network Management Protocol Identity management, authentication and access control solutions Two factor authentication gets token agnostic at Central Bank of India Considering two-factor authentication? Do cost, risk analysis PCI tokenization push promising but premature, experts say How to perform an Active Directory health check Information rights management helps L&T protect its knowhow Voice data security risks on the rise, say experts Security awareness is the key... cultivate employee loyalty Preventing password fatigue with single sign-on (SSO) authentication How to choose online data backup services for data protection Protecting enterprise networks from new mobile application downloads RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.