--On Thursday, January 10, 2008 15:32:28 +0530 GMail <mayur100@gmail.com> wrote:
Thanks Jamie and Stefano for noticing my issues,
90% of commercial database specific IDS/IPS systems do "signature
matching" exploit detection. They are stateless and mostly based on
snort. So does this mean that all they can do is stop public exploits.
If someone modifies the exploit then the signatures will fail and by
that means the appliances too ?
That depends greatly on the signature. All signatures are not created equally.
For example, using snort it is possible to write a signature that checks first
for the protocol, then the application, then the specific function and then the
size of the data. That type of signature will never false positive and will
always trigger on a buffer overflow regardless of the content of the data.
Many people think of signatures as simple regex that can be easily defeated by
using hex or base64 or some other form of obscuration. Snort has ability to
normalize all those things *before* the regex is run, defeating the attempt to
hide what's going on.
Limiting privileges to minimum required levels and installing minimum
required of modules on databases will definitely reduce the risk ratio,
but is it sufficient?
There are certain basic principles that should be followed when setting up and
configuring databases:
1) Always only listen on the networks that are needed. E.g. db on the same box
as web server? Listen on a socket or localhost only.
2) Only grant access to a db for a user @ a specifc host.
3) Never grant more access than is needed to do the job. Most web apps
probably will work fine with select,insert and update permissions only.
4) Don't use the same user account for multiple dbs.
5) Don't put credentials in an other-than-db readable text file.
What about vulnerabilities by which normal user
can get superuser privileges or carry out DOS on database services. Is
there any way to stop these kinds of attacks? Which would be the best
available database security product to handle all these issues?
That depends greatly on what OS, applications and db you're using.
Mod_security is a good choice for apache, for example, and can stop db attacks
before they even get to the web server (much less the backend.)
--
Paul Schmehl (pauls@utdallas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------
