Archive

Posts Tagged ‘PostgreSQL’

GreenSQL May Webinars invitation

May 2, 2011

GreenSQL invites you to participate in our May Webinars
MAY 18 – Securing Databases in Minutes with GreenSQL Express
MAY 24 – Unified Database Security, the Next Generation of Database Security
Click here to sign up:
http://hosted.verticalresponse.com/579426/4aa0167718/316941501/bdea25b57a/

GreenSQL Express Webinar, Wednesday March 16th

March 3, 2011

Hi Everyone,

I would like to personally invite you to a GreenSQL Express Webinar, where I’ll be demonstrating GreenSQL Express, the free and simple way to keep your information private and safe.

It takes place on Wednesday, March 16th (just 2 weeks from now), and it’s called “How to Protect Sensitive Information in Minutes: Setting up GreenSQL Express with Basic Security Rules”.

If you’re serious about protecting your data, you need to hear and see how it’s done. I’ll talk about:

1. Why you need a Database firewall / security solution
2. Where and How to install GreenSQL Express in your infrastructure
3. How to use GreenSQL Express to protect your database
4. How to create the security policies you need in minutes
5. How to protect your database from SQL injection attacks
6. How to implement a separation of duties in your database access
7. How to maintain business continuity with the Database Fallback feature
8. Q&A

Again, this is happening online on Wednesday, March 16.
Use the link below to register and find the time in your time zone.

Register for a webinar, Click here to register:

Don’t miss it!

David

From the Security threat report 2011 by Sophos

February 20, 2011

From the Security threat report 2011 by Sophos, Page 46:

“Cybercrime is encroaching more and more into the business space. Industrial espionage, spearphishing of important employees to breach network boundaries and mass theft of customer information are more difficult to detect and have very serious consequences. At the same time, network boundaries are becoming ever more indistinct and porous as new technologies enable greater access from remote workers and mobile devices. In addition, legal requirements place greater emphasis on traceability and compliance with predefined standards of data hygiene.

Increasing amounts of sensitive data is stored, accessed and manipulated in databases connected to company websites as businesses increasingly interact with their customers through the Internet. As a result, it’s become as easy to access these databases as it is to access the main doors at corporate headquarters.

Security administrators face a constant battle to maintain usability, while preventing penetration from the outside and data loss from within. Alongside protecting network boundaries, businesses and website maintainers are under growing pressure to ensure that their web presence provides adequate protection for the users of its web services.”

As time passes, organizations realize that Web Application Firewalls (WAF) are not sufficient to secure their back end databases.

GreenSQL Express provides a free, commercial grade solution to protect MS-SQL, MySQL and PostgreSQL databases from known and unknown threats. GreenSQL Express includes:

- Database Intrusion Detection and Prevention System
- Database Firewall
- Separation of Duties
- Advanced Risk Scoring Matrix
- Database Front-end Security
- Real-time Database Protection

Get a free copy of GreenSQL Express at www.greensql.com


New Community version: GreenSQL FW: 1.3.0 released

October 20, 2010

New Community version of GreenSQL Database Firewall, version 1.3 is now available.
GreenSQL 1.3 includes new features, many bug fixes and enhancements.

In this version, GreenSQL improves the native support for PostgreSQL (http://www.postgresql.org) databases, improves the native support for MySQL (http://www.mysql.com) databases and provides many protocol and network optimizations. The usability of the web-based GUI has been improved and many bugs have been fixed.

GreenSQL community version 1.3.0 improvements and enhancements include:

1. Proxies dashboard: correctly displaying the proxy current status
2. Proxies automatic reloading fixes
3. Alerts include User IP Address
4. MySQL and PostgreSQL protocol fixes
5. Network optimizations
6. Alerts – redesign and graphics
7. Whitelist – redesign and graphics
8. It’s now possible to remove an alert
9. It’s now possible to move a whitelist back to alert
10. The footer was fixed

GreenSQL recently released its first commercial versions, GreenSQL Pro and GreenSQL Light. GreenSQL solutions are designed for small to large organizations and help increase database security, performance and compliance.

With many new and exciting features, including but not limited to:

- Microsoft SQL Server (2000/2005/2008) support
- Full support for MySQL 4.x/5.x and PostgreSQL 7.x/8.x
- Database Caching (for all databases)
- Database SSL support (for all databases)
- Superior SQL Injection detection and prevention mechanism
- Brand new interface with full scale policy approach
- Database activity monitoring and Full Auditing (includes the before and after view of every change)
- Unparalleled performance and reliability
- Auto update service for the latest attack definitions updates
- Advanced Reporting, Logging and alerting
- Available for Windows and Linux installations (32 and 64 bit)

GreenSQL Pro is available for 30 days free evaluation at: https://portal.greensql.com/download

#1 Database security software

We are proud to announce that over 95,000 copies of GreenSQL have been downloaded internationally since its first release only 48 months ago – more downloads than any other database security vendor.

Thank you for your confidence in our software. Clearly, you have approved of our efforts and have been spreading the word about the GreenSQL database firewall.

GreenSQL official web site:
http://www.greensql.com

GreenSQL Community web site:
http://www.greensql.net

You can get the latest GreenSQL version from the following url:
https://portal.greensql.com/download

An application installation howto is available at:
http://www.greensql.net/howto

For any questions, ideas, and feedback, please join our support forum at:
http://www.greensql.net/forum

GreenSQL twitter:
http://twitter.com/greensql

 

Thanks,
The GreenSQL Team
http://www.greensql.com

Announcing the release of GreenSQL Pro and GreenSQL Light

September 19, 2010

We are proud to announce the release of GreenSQL Pro and GreenSQL Light, our first commercial Unified Database Security solutions, designed to provide all organizations – from small and medium businesses all the way to large enterprises – robust database security at an affordable price.

“Commercial Unified Database Security solutions” is a mouthful. Let’s look at what that means.

For us, commercial has several meanings. First, we have designed GreenSQL Pro for commercial organizations; second, we charge a modest fee for it; and third, unlike our open source code, we take full responsibility for it.

How about unified? To be unified, something must first have parts. GreenSQL Pro and GreenSQL Light include many aspects of database security within them, all contributing to their primary mission: securing databases. We’ll be discussing some of those aspects below.

And of course, there’s database. GreenSQL Pro and GreenSQL Light protect MySQL, PostgreSQL and Microsoft SQL Server. As time goes on, we will undoubtedly expand the number of databases that they guard.

Unfortunately, the definition of security solution is a moving target. As long as there are black hats in the world, achieving security will require us to stay alert and responsive to new threats. We at GreenSQL stand guard on the front lines so that you, our users, can go about your businesses in a less stressful and more productive environment.

GreenSQL Light and GreenSQL Pro are security solutions that are simple to implement, effective in protecting your business information assets and will not break your budget.

Press Release on GreenSQL’s New Commercial Products

See what the rest of the world is reading about GreenSQL PRO and GreenSQL Light. http://www.greensql.com/press

The Cost of Database Breaches

Our groundbreaking news is even more significant in the context of the following numbers.

Studies by Verizon and the Ponemon Institute show that in 2008, 285 million records were breached at an average $202 per record cost. But according to a more recent Symantec study, when the records contained personally identifiable information, the cost soared to an astounding $11,000 per record!

With the cost of database breaches reaching such astronomical heights, securing databases has become essential for ensuring business survival.

GreenSQL Pro and Light Protect Microsoft SQL Server

Today, we are proud to announce that GreenSQL Pro and GreenSQL Light are able to secure Microsoft SQL Server databases from both accidental and malicious intrusions. This is a major milestone in our mission to protect the world’s databases from SQL injection attacks.

Microsoft SQL Server’s current market share stands at more than 20%.
It has made major inroads into small companies and into departments of larger ones. GreenSQL Pro and GreenSQL Light provide cost-effective solutions to legislative compliance and security needs.

Some GreenSQL Pro Features and Benefits

GreenSQL Pro has many excellent features – too many, in fact, to detail completely here. However, we would like to draw your attention to the following four.

Virtual patching. Virtual patching is a simple but powerful feature that immediately protects organization database servers against database application exploits even before patches are installed.

Because patch installation sometimes involves taking a database or server down for a period of time, organizations may choose to risk breach rather than incur downtime, collecting patches and installing them as a group on a monthly, quarterly, or even annual basis.

Virtual patching enables organizations to eliminate the risk in this timing decision! As soon as we get the patch from the responsible party, we update the GreenSQL Pro database firewall with the signature of the specific exploit and we block it. Our clients’ copies of GreenSQL Pro are updated automatically without affecting their operations and their databases are immediately protected.

Caching. By recognizing query recurrence within various timeframes, GreenSQL’s proprietary, patented caching algorithm improves database performance in all configurations. In those that use many resources, such as audit functionality or reporting, it reduces latency; in others, it can actually improve database performance.

Auditing. GreenSQL Pro’s audit function has a finer granularity than even the leading enterprise level security leaders. It can differentiate between the last action and the update action.

Policy-based firewall. GreenSQL Pro is a policy-based firewall at a very deep level. For each of the three modes – learning mode, risk-based IDS/IPS mode, and firewall mode – a protection profile can be created by type of database, for a specific database (or many), and/or by table (or many). In addition, these policies can be enforced for any groups defined on a server.

Click here to download GreenSQL Pro

We are offering this comprehensive package of features for GreenSQL Light at an extremely affordable $147 per server per month for those making an annual commitment. A perpetual license for GreenSQL Pro can be purchased for only $3,997 per server.

And please note that a single instance of GreenSQL Pro installed as an appliance can secure multiple databases simultaneously. As you can see, we have made GreenSQL Pro not only effective, but very affordable.

A Thank You to Our Early Open Source Adopters

GreenSQL Pro was built on the foundation of our open source GreenSQL product. Our new product exists in great measure because you and tens of thousands of others adopted GreenSQL software for protecting your own databases and stuck with us through our growing pains. We would like you to reap the rewards of your belief in us.

As a special thank you for your thoughtful contributions, suggestions and ideas, we are offering you, our open source users, the opportunity to move to GreenSQL Pro and get a FREE 3 month extension to your GreenSQL Pro license. For your special benefit, contact us here.
Click here to download GreenSQL Pro

For more information on GreenSQL Products and their features, benefits, and cost, please visit our new site www.greensql.com
We welcome your comments and any suggestions for new features or improvements.

GreenSQL twitter: twitter.com/greensql
Thanks,
The GreenSQL Team

GreenSQL in Delicious.com top PostgreSQL links.

December 29, 2009

GreenSQL version 1.2 offers PostgreSQL database support for the first time.

It turns out that since the official release, less than a month ago, GreenSQL reached number three in the delicious top PostgreSQL links.

This shows that GreenSQL has become one of the most popular tools among PostgreSQL developers and admins.

GreenSQL Database Security Solution for PostgreSQL

GreenSQL is the only solution (open or closed source) which provides Database Firewall for the PostgreSQL Database.

Database security, Database Firewall? Why should I use GreenSQL ?

December 28, 2009

Since the early days of GreenSQL, many people have written us asking why exactly they should implement a database security solution if they have already hardened their web application and are using a web application firewall, like mod_security, or even a professional closed source web application firewall such as Imperva, Breach, or F5.

The answer is not as simple as you may think, and I’m not going to preach to you about the great advantages of using GreenSQL in front of your MySQL or PostgreSQL Database.

I’m going to highlight a few obvious current situations which will help you see the full picture of your Database security needs.

What is the core of the company?

When you come right down to it, the Database, eventually, is the core of your company or organization. All the information that the company is built upon is located in the Database. Without it, your company or organization cannot exist and it doesn’t matter if it’s an Enterprise, Large, Medium, or Small or even just an e-commerce business. The Database is the core of your company.

Today the market is leading us to the beauty of SaaS (Software as a Service) solutions to provide most of our needs. With SaaS, all of our information is located on some SaaS’s Database.

Who is using the Database?

The Database is used by many sources that can be divided into two main categories:

Automated connections, which mostly include:
- Backup and replications
- ETL: Extract, transform, load, a common data warehousing process
- Interconnect
- Testing
- Data Load / Data Unload
- Application Integration
- Reporting services
- Etc.

And User Connections, which mostly include:
- Developers
- Administrators
- Application users (Web applications and other applications)
- Monitoring
- Casual users
- IT Personnel
- Etc.

As you can see for yourself, there are many sources connecting to the Databases, automated or user-based, and all of them must be verified, inspected and controlled.

SQL Injection

Without a doubt, SQL Injection is among the biggest current security threats. It has caused a major buzz for a while now. SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. Using a direct connection to the web application provides the option of running commands over the Database itself. We’ve all heard about the latest SQL injection attacks on websites belonging to Symantec, President Barack Obama, the Wall Street Journal and many others as well.

As time passes, we see the level of SQL injection sophistication increasing and becoming even more threatening. SQL injections are now part of the automated Worms and Trojans arena. The latest large scale SQL injection attack has injected a malicious iframe on tens of thousands of susceptible websites. After some research we’ve noticed that this specific attack was performed mostly on Microsoft IIS:

The image above shows that the vulnerable injected frame was found mostly on dynamic asp websites (available on Microsoft IIS).

The Web application frontier

The web application frontier is among the most threatening to our Databases, but it’s not the only one.

The web application may be secured using a closed or open source web application firewall. Unfortunately, as time passes, we see major companies and organizations that implemented a web application firewall but, for some reason, misconfigured it, failed to update it, or were successfully attacked using SQL Injection simply because the solution was inadequate.

Many people are sure that coding securely is the only solution required, but almost every application uses legacy code, and sometimes just a few faulty lines can lead to a successful SQL Injection attack.

Among the major problems of a web-based SQL Injection attack is the option to continue the attack to additional servers. If someone has successfully attacked your Database using SQL injection, by using CMD_Shell and other commands, he can gain control of your server, and from this specific server, gain control over your entire network.

There are many attack tools which automate this process of gaining control of the Database server, such as SQL Ninja and others, which also provide a video demo that shows how easy it is to take control of your Database server.

Achieving Sarbanes-Oxley compliance requires visibility and control over business applications and databases – including monitoring the actions of privileged database users.

Database Firewall and the GreenSQL approach

The GreenSQL solution is a secured SQL reverse proxy solution, which during the reverse proxy process provides you the option of enforcing database security. GreenSQL helps you prevent SQL-based attacks, whether they are Web application based or not. And it’s easily implemented.

After setting up and implementing the GreenSQL Firewall, none of your connections, automated or not, should connect to the Database directly. You can easily implement the GreenSQL solution in a DMZ zone on your Firewall, and allow traffic to the Database from the GreenSQL machine only. From then on, you can be sure that no other source will connect to your Database without inspection and control by the GreenSQL solution.
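
The "traffic from the GreenSQL machine only" rule can also be checked on the PostgreSQL side. The following is an added example, not GreenSQL code: it audits a `pg_hba.conf` for network rules that admit any client other than the proxy. The proxy address `10.0.5.10` and the sample file are constructed for illustration, and the parser is simplified (no quoted fields, no modelling of rule order).

```python
import ipaddress

# pg_hba.conf record types that match TCP/IP connections ("local" is the Unix socket).
HOST_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}

def parse_rule(fields):
    """Return (network_or_None, auth_method) for one host-type record."""
    addr = fields[3]
    if "/" in addr:                                   # CIDR form: 10.0.0.0/8
        return ipaddress.ip_network(addr, strict=False), fields[4]
    try:
        ipaddress.ip_address(addr)
    except ValueError:                                # hostname, all, samehost, samenet
        return None, fields[4]
    # Bare IP address followed by a separate netmask column.
    return ipaddress.ip_network(f"{addr}/{fields[4]}", strict=False), fields[5]

def audit_pg_hba(text, proxy_ip):
    """List (line_no, reason) for every non-reject network rule that lets a
    client other than the proxy reach the database directly.
    Conservative: an earlier 'reject' that shadows a later rule is not modelled."""
    proxy_net = ipaddress.ip_network(proxy_ip)        # single-host /32 or /128
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()         # drop comments
        if not fields or fields[0] not in HOST_TYPES:
            continue
        try:
            net, method = parse_rule(fields)
        except (ValueError, IndexError):
            findings.append((no, "unparseable rule, check by hand"))
            continue
        if method == "reject":
            continue                                  # admits nobody
        if net is None:
            findings.append((no, f"address '{fields[3]}' is not an IP range; resolve and check by hand"))
        elif net != proxy_net:
            findings.append((no, f"admits {net}, not only the proxy"))
    return findings

# Constructed sample pg_hba.conf; the proxy is assumed to run on 10.0.5.10.
SAMPLE = """\
# TYPE   DATABASE  USER      ADDRESS                     METHOD
local    all       postgres                              peer
host     all       all       10.0.5.10/32                scram-sha-256
host     all       all       10.0.0.0/8                  md5
host     shop      webapp    192.168.1.20 255.255.255.255 md5
hostssl  all       all       0.0.0.0/0                   reject
host     all       all       db-admin.example.internal   md5
"""

if __name__ == "__main__":
    for line_no, reason in audit_pg_hba(SAMPLE, "10.0.5.10"):
        print(f"pg_hba.conf:{line_no}: {reason}")
```

An empty result means every network rule in the file points at the proxy address alone; anything listed is a path to the database that bypasses inspection.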

GreenSQL provides you the option of installing the GreenSQL Database firewall on the Database itself, or on a dedicated server (virtual or physical), so you are not limited. As time passes, we’ve witnessed that more and more web sites adopt GreenSQL to defend against any SQL based attacks.

For example, you can check out http://fak3r.com, whose author also wrote a really nice article about GreenSQL and why he decided to use it.

We have published an article titled 10 reasons why you should use GreenSQL, check it out.

Information security is an ongoing process, not a specific product or solution.
Now, with GreenSQL your Database can be part of this process.

GreenSQL Database Firewall First to Protect PostgreSQL Databases

December 7, 2009

GreenSQL – December 2, 2009

GreenSQL has just announced that version 1.2 of its database firewall will provide PostgreSQL databases with the same protection from SQL Injection already enjoyed by MySQL databases. GreenSQL version 1.2 is now available for download as Open Source software from the company’s website at http://www.greensql.net/download

PostgreSQL is a popular Open Source database in wide use by small to medium-sized businesses. Currently, there is no solution, either Open or Closed Source, that provides a database firewall for PostgreSQL databases. As a result, they may be vulnerable to SQL injection attacks, one of the most widespread ways for gaining access to sensitive information stored in a database and/or taking control of a host server.

SQL injection, widely used by criminals, tricks Web applications into providing protected information from a database by exploiting existing queries such as user sign-in verifications to do things they weren’t designed to do. This technique was the method used in the attack on Heartland Payment Systems, where hackers broke into a database of millions of credit card numbers.

The GreenSQL database firewall already prevents SQL Injection attacks on the most popular Open Source database, MySQL. Since its first release 30 months ago, over 25,000 copies of its software have been downloaded, making it the most popular database firewall available, bar none. The addition of native protection from SQL Injection to PostgreSQL databases will broaden GreenSQL’s appeal even more.

More information about the company is available on its website at http://www.greensql.net
