GreenSQL as an IDS

GreenSQL can operate in combination with a risk profile as an IDS or IPS. The queries themselves do not determine whether a request is allowed but, instead, result in an action taken. Depending on the configuration, the IDS blocks the database connection and informs an administrator of the alleged break-in attempt.

What IDS and IPS systems have in common is that they can detect SQL injections. To do so, they reference a database of known attack patterns compiled by GreenSQL. Additionally, all suspicious inquiries are considered to be SQL injection. In the case of a false positive, you assign the query to the Injection Patterns query group or some other group that GreenSQL accepts as legitimate requests.

Granular risk profiles are also created in Database Security . These profiles are not limited to individual queries but can refer to database operations that relate to servers, security, or databases. The profiles include querying active processes or logs, changing passwords and escalating privileges, outputting databases and tables, or retrieving information on database schemas (Figure 4).

Figure 4: Risk profiles give administrators a granular approach to defining which database operations are allowed and which are not.

Logging and Reports

GreenSQL can notify the administrator for various events. Examples include changes to the system settings, intrusion attempts, or violations of firewall rules. To enable this functionality, you need to set up contact lists and SMTP servers in the Alerts menu. Notifications themselves are just as easy to configure as the rest of the firewall solution. In addition to a descriptive name, you need to specify the alert type and an interval. System , for example, notifies you of newly added or changed policies, Traffic of blocked queries, and Intrusion of all queries suspected of being break-in attempts.

Because many mail messages can accrue very quickly, GreenSQL allows you to group messages for sending, and this is where the interval enters the scene: Instead of sending several messages in short succession, this setting sends a group of messages every few minutes or even hours. If you check the Verbose box, GreenSQL sends you both the alert message and the SQL query that triggered it.

Thanks to extensive logging capabilities, you can quickly find the root cause of any problem. In the case of the Koha library system, GreenSQL had difficulties with the

set autocommit = 1

statement that led to Koha quitting the service with an error message. The solution was to evaluate the log and teach GreenSQL the appropriate query. There are two approaches to manual teaching. Either add the query using the Database Security | Query Groups | Learned Patterns | Create New item, or click on the relevant entry in the log and assign the pattern to a query group.

GreenSQL doesn't just log traffic and intrusion attempts. The software also outputs information about efficiency statistics, system events, or the most popular queries. In addition to its own logfiles, it can, if needed, send selected messages to the syslog daemon; this lets you evaluate them in a monitoring system.

A sophisticated reporting function lets you conveniently process information from the logs. Reports can be used, for example, to document developments or to support decisions. GreenSQL comes with many types of reports in place so that administrators can immediately output which queries take the longest to process, which are requested or blocked most frequently, and from which IP addresses the most intrusion attempts originated. The reports can be exported into PDF or Excel format.

Once GreenSQL is set up, you will want to back up the configuration. You can quickly create a backup with the corresponding menu items in System | Backup & Restore . The backup password is requested only once. It is useful to try a restore immediately after the backup, in this case to make sure no typos have crept into the password. This simple precaution avoids nasty surprises in an emergency.

Conclusions

SQL and code injection are some of the most critical vulnerabilities in web applications (see the OWASP Top Ten 2013 list [3]). GreenSQL gives administrators a tool that is especially useful for protecting mission-critical web applications that (still) have not been intensely scrutinized for vulnerabilities.

GreenSQL is available in a number of variants. Even the Express version provides good basic protection, which is sufficient to protect a company blog or moderately busy shop. The commercial versions offer additional features, such as alerts and reports, keep an eye on who connects to a database, and conceal privileged information.

The GreenSQL security solution is easy to install and put into operation within a short time. Extensive documentation helps if something is unclear. The ability to learn queries automatically saves administrators much work and prevents them from forgetting important requests later on. This minimizes trouble and complaints from users at very early stages. The developers have ensured from the outset that only users from the associated network can connect to the GreenSQL server. It is possible to restrict GreenSQL, without further firewall rules, to a single IP address or localhost. Certificates help to verify the authenticity of the server.

Although GreenSQL cannot protect against all the uncertainties of the World Wide Web, it is a useful security solution that can put an end to attacks at the database level and meaningfully supplement other security measures in the enterprise.