3.5.3.9.2 Databases
Database Firewall Protection
In addition to considering the server itself, you should also consider how the database talks to the rest of the world. Does it, like SQL Server, listen on a well-known port for incoming connection requests? If so, does your firewall allow traffic in-bound from the Internet to that port on that machine? There's almost no good reason to do so. Ideally, there are rules in place on your network that allow your web server, and perhaps some internal workstations, to connect to the database server port and disallow access to it by everyone else.
Select Issues
Many web applications are written to build database commands (in the SQL language used by most databases) from certain keywords like SELECT and input that is provided by a user via a web form. Often the provided input is simply copied into the database command as it is being built, without checking to see that the web form data would actually be valid, and then submitted to the database to be run. As with stored procedures, it is possible to creatively construct web form data so that it actually embeds additional attacker-specified database commands into the original command. The database sees the additional database commands and, not knowing they're not legitimate requests, executes them and gives the hacker a map of the database, deletes your customer records, changes item prices, etc. This particular attack is known as SQL injection. Even in late 2002, SQL injection is still possible on many commercial sites. While it's beyond the scope of this book (we're not writing a programming book, after all) to describe exactly how these flaws are taken advantage of, or how to write code that guards against them, other sources for this information exist, such as Writing Secure Code [383] by Howard and LeBlanc.
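The following example is added here to illustrate the point above and is not code from the original guide. It uses a constructed in-memory SQLite table to contrast a query built by copying form input into the command text with a parameterized query (the value travels separately from the command, so it cannot alter the SELECT), plus the kind of input validity check the text says is usually missing.

```python
import re
import sqlite3

# Constructed sample data; a real site would have its own item table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (name TEXT, price REAL)")
    conn.executemany("INSERT INTO items VALUES (?, ?)",
                     [("widget", 9.99), ("gadget", 19.99), ("internal-sku", 0.01)])
    return conn

def lookup_unsafe(conn, name):
    # The pattern the text warns about: the form field is pasted verbatim
    # into the command, so the input can rewrite the command itself.
    sql = "SELECT name, price FROM items WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, name):
    # Parameterized query: the driver sends the value as data, not as SQL text,
    # so whatever the user typed is only ever compared against the name column.
    sql = "SELECT name, price FROM items WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

# Allow-list check for what a valid item name may look like (an assumed policy).
ITEM_NAME = re.compile(r"^[A-Za-z0-9_-]{1,32}$")

def is_valid_item_name(name):
    return bool(ITEM_NAME.match(name))

def demo():
    conn = make_db()
    benign = "widget"
    # Constructed form input that, when concatenated, turns the WHERE
    # clause into a condition that is true for every row.
    hostile = "x' OR '1'='1"
    return {
        "unsafe_benign": lookup_unsafe(conn, benign),    # one row
        "unsafe_hostile": lookup_unsafe(conn, hostile),  # every row leaks
        "safe_benign": lookup_safe(conn, benign),        # one row
        "safe_hostile": lookup_safe(conn, hostile),      # no match
        "valid_benign": is_valid_item_name(benign),      # True
        "valid_hostile": is_valid_item_name(hostile),    # False, reject early
    }
```

Both layers are worth keeping: the validity check rejects junk before it reaches the database, and parameterization means a value that passes the check still cannot change the command's structure.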
Databases and Ports
Research the TCP/IP port(s) used by your database server software, and set up appropriate ACLs to restrict access to those ports on the database server, to only those systems that require access.
For example, if SQL Server is your database, only allow inbound access to the database server machine on TCP ports 1433 and 1434 from your web server and a minimal number of trusted internal hosts.
__________________
383. Howard, Michael and David LeBlanc, Writing Secure Code, Microsoft Press, November 2001, http://www.nerdbooks.com/item.html?id=0735615888
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004
Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.