The Four Security Layers of a Web Environment

July 20, 2011

Is your web environment secure? All of it?

Many people believe that if they’ve installed a network firewall, they’ve done their duty. They think that a firewall is like a strong barrier or moat protecting their information assets and that no more is needed. Wrong! Just as in times of old, tunnels can be dug under the moat, ladders can be used to scale the wall, and secret passageways can be found into the castle.

A web environment has four layers that need protection: the Network level, the Application level, the Operating System level and the Database level. Most people think of these layers as being one within the other, like concentric circles. They reason that if they protect the outermost level, the inner levels are automatically protected.

“That is simply not so!” explains David Maman, CTO of GreenSQL. “Hackers can attack a Web environment at each level independently, and security issues at each level need to be addressed.”

At the Network level, a simple network-level firewall does protect the infrastructure (it controls which IP addresses can be reached and on which ports), but it provides very limited protection, if any, against attacks at the Application and Database levels.

You may have heard of bank websites having their links or text or pictures changed. Website defacement and other Application level attacks take place because someone, at some point in time, wrote sloppy software with security holes. Hackers specialize in using exploits, SQL Injections, and other techniques to attack these vulnerabilities at the code level.

One approach to prevent vulnerabilities is to have a professional code review of the software in use in the Web environment to identify and address coding security issues. Of course, reviews are only as good as the reviewers, and no one should ever review their own code. It’s much too easy to overlook one’s own mistakes.

An additional and important approach is to update all the applications in use and to harden your web and database servers. For example, Oracle has just released 78(!!) security updates in their latest release.

Another option is to use a signature-based approach to spot and then quarantine this kind of attack. Each Application level attack has a “signature” or typical way of operating that identifies it. A comparison of Web Application Firewalls (WAF) shows that some are more effective than others, but none is perfect.

The Database level, the fourth essential layer in a web environment, needs protection from attacks directed at the database. In the end, most of today’s common attacks are aimed at retrieving sensitive information from the database. This makes the fourth layer the most crucial one.

So, for security, check all four: Network, Application, Operating System and Database. To make sure your information assets are protected, your best bet is to use an integrated database security solution that is non-disruptive to existing software and databases, is easy to install and use, and provides extensive management reporting and audit trails, all without degrading responsiveness to users. Inexpensive would be nice.

GreenSQL anyone?

GreenSQL May Webinars invitation

May 2, 2011

GreenSQL invites you to participate in our May Webinars:

  • MAY 18 – Securing Databases in Minutes with GreenSQL Express
  • MAY 24 – Unified Database Security, the Next Generation of Database Security

Press here to sign up:
http://hosted.verticalresponse.com/579426/4aa0167718/316941501/bdea25b57a/

GreenSQL Express FREE Database Security

December 21, 2010

Today, to add to the holiday cheer, GreenSQL is launching its breakthrough Unified Database Security solution for everyone’s benefit. 

GreenSQL Express, our newest security product, is especially designed for the benefit of our open-source community which has been with us for a long time and for small organizations without the budget to secure their critical data. GreenSQL Express currently supports Microsoft SQL Server, MySQL and PostgreSQL and will support additional databases in the future. 

As thanks to its loyal customers, GreenSQL Express can be downloaded to secure a single proxy with an unlimited number of databases – AT NO COST! GreenSQL’s openhandedness will allow database owners to fight back against malicious database break-ins and data theft.

GreenSQL Express FREE edition includes features from GreenSQL’s commercial product line such as:

  • Database IDS/IPS
  • Learning mode
  • Database firewall
  • Separation of duties
  • Advanced risk scoring matrix
  • Database front-end security
  • An advanced user interface
  • Real-time database protection

GreenSQL v.2.0 Benefits

GreenSQL Light & Pro commercial products already offer advanced features such as caching, auditing, virtual patching, and database activity monitoring. Now, as part of the new GreenSQL 2.0 version, you will also be able to implement:

  1. Separation of duties
  2. Policy per table
  3. Auditing policy per proxy, database, table and column

GreenSQL v.2.0 refines security policy granularity from the database level to the table level, and even allows audit policy to be defined per column.


Already the leader in installed database security solutions for open databases such as MySQL and PostgreSQL, GreenSQL is now positioning itself to be the #1 installed database security solution for commercial databases such as MS SQL.


View GreenSQL New Video Tutorials

01. Download and Installation video
02. Activation video
03. Proxy and Database Configuration video


We welcome your comments and any suggestions for new features or improvements. info@greensql.com

GreenSQL twitter: twitter.com/greensql
 
Thanks,

The GreenSQL Team

www.greensql.com

 

GreenSQL Database Firewall First to Protect PostgreSQL Databases

December 7, 2009

GreenSQL - December 2, 2009

GreenSQL has just announced that version 1.2 of its database firewall will provide PostgreSQL databases with the same protection from SQL Injection already enjoyed by MySQL databases. GreenSQL version 1.2 is now available for download as Open Source software from the company’s website at http://www.greensql.net/download

PostgreSQL is a popular Open Source database in wide use by small to medium-sized businesses. Currently, there is no solution, either Open or Closed Source, that provides a database firewall for PostgreSQL databases. As a result, they may be vulnerable to SQL injection attacks, one of the most widespread ways for gaining access to sensitive information stored in a database and/or taking control of a host server.

SQL injection, widely used by criminals, tricks Web applications into providing protected information from a database by exploiting existing queries such as user sign-in verifications to do things they weren’t designed to do. This technique was the method used in the attack on Heartland Payment Systems, where hackers broke into a database of millions of credit card numbers.

The GreenSQL database firewall already prevents SQL Injection attacks on the most popular Open Source database, MySQL. Since its first release 30 months ago, over 25,000 copies of its software have been downloaded, making it the most popular database firewall available, bar none. The addition of native protection from SQL Injection to PostgreSQL databases will broaden GreenSQL’s appeal even more.

More information about the company is available on its website at http://www.greensql.net

GreenSQL Database Firewall V 1.2 is now Available

December 7, 2009

Version 1.2 Provides Support for PostgreSQL

GreenSQL version 1.2 is now available. In this version, GreenSQL is providing native support for PostgreSQL databases for the very first time. In fact, GreenSQL will be the only database firewall available for protection of the many PostgreSQL databases currently in use.

With this release, we are proud to be making another major contribution to our Open Source community.

Is Your Copy of GreenSQL Up to Date?

From time to time, GreenSQL releases new versions of its software. This may be for many reasons, including:

* To be in sync with new versions of MySQL
* To add protection from newly discovered SQL Injection techniques
* To fix bugs
* To add new features to the management console
* To provide support for PostgreSQL databases

As users of GreenSQL, you understand the importance of protecting your information from SQL injection. Please take a moment to ensure that you are running the latest version of GreenSQL so that you can continue to have the highest possible level of protection for your databases. Download the latest version of GreenSQL now.

Document Your Compliance

Attacks on large organizations, such as President Obama’s website, are making the news, but do not be misled into thinking that small and medium-sized businesses are not a target. Criminals are now using automated SQL Injection attacks to target unprotected databases, no matter their size.

There is a large market for stolen personal information. From common data such as addresses and phone numbers, to less accessible data such as lawsuit information and military records, everything has its price. Do you know what information is being stored in the databases on your networks?

If you are taking payments on the Web or are storing social security numbers, credit card numbers or other such sensitive information, you may be legally liable for taking steps to secure that information. The PCI Data Security Standard (PCI DSS) for payment account data security, the Health Insurance Portability and Accountability Act (HIPAA) for personal data, the Gramm-Leach-Bliley Act (GLBA) for personal financial information, the Statement on Auditing Standard 70 (SAS 70) from the American Institute of Certified Public Accountants – to name just a few – are standards and regulations that require appropriate measures to be taken to protect information.

If you have the responsibility for protecting sensitive records, we recommend that you document your efforts with GreenSQL Database Firewall.

Download Now: GreenSQL DATABASE FIREWALL V 1.2!

The GreenSQL Team
