Database Intrusion Prevention from the Perspective of Murphy's Law
Release time: 2019.07.12 | Source: Palladium
With the development of network informatization, corporate organizations' attention to network security has gradually shifted from physical security, boundary security and system security to business security and data security, and the cost of protecting business data now accounts for more than half of corporate IT budgets. In particular, in the new era, new situation and new business forms of Internet security, the information security department has gradually become a first-level department of the enterprise, enterprise data has become the organization's core asset, and the protection of data has been written into the basic strategy of the enterprise.
Enterprises face many tasks in protecting their data assets: data backup security, data storage security, data desensitization and encryption, and so on. Among those who view business security mainly through availability, most have not fully grasped the importance of database security. According to forward-looking statistics, more and more corporate information security leaders have begun to include database security as a subdivision of their own security playbook. Business continuity is the fundamental core of an enterprise organization, and business security and data security are the guarantees of its long-term development. At a moment when enterprise data assets are the core competitiveness, the database, as the container of that "core competitiveness" and the carrier of the enterprise's core data, has become the infrastructure for both business operation and data protection. Solving the security defense problem of the database has jumped to the top of the CTO/CIO work quadrant.
1. What security threats the database faces
The database system of an enterprise organization is not just the database software platform itself. Data that does not flow is meaningless. When we consider database security, we obviously need to reasonably evaluate the size of the database's attack surface; the authentication, authorization and audit issues involved in database access; software vulnerabilities caused by developers' negligence; and the potential risks caused by poor management of operations and maintenance personnel. It is not difficult to see that in actual operations, all kinds of risks can arise and bring terrible consequences. By collecting database security feedback from various vulnerability platforms and corporate security operators, and referring to the OWASP Top 10, the author's laboratory has compiled a list of the top ten database risk threats for database application defense.
2. Will database security risks occur?
The answer is given by Murphy's Law, which states that if something has the possibility of going wrong (happening), no matter how small that possibility is, it will always happen eventually.
Edward A. Murphy was a captain and engineer at Edwards Air Force Base in the United States. In 1949, he and his superior, Major Stapp, had an accident caused by instrument failure during a rocket deceleration and overload test. Murphy found that a technician had installed the measuring instrument backwards. The lesson he drew from this was: if there are several ways to do a job, and one of them will lead to an accident, then someone will do it that way.
At a press conference after the incident, Stapp called this "Murphy's Law" and restated it very concisely: anything that can go wrong will go wrong. Murphy's law applies very widely and reveals a distinctive social and natural phenomenon. Its extreme form is: if something bad can happen, no matter how small the possibility, it will always happen, and it will cause the greatest possible damage.
This law also applies in the technical world. I am not forcing it onto the field of database security; it simply states a law: a security risk will inevitably turn from a possibility into a sudden event.
3. Analyzing database security through Murphy's law
To look at database intrusion prevention through Murphy's law, we must take a positive attitude. Since database security risks are inevitable, we must accept that inevitability and actively respond to and handle incidents. In database security defense, a comprehensive and active response plan must be drawn up scientifically and rationally, achieving active defense before the event, timely blocking during the event, and complete auditing after the event.
The lessons of Murphy's law for database intrusion prevention can be summarized as follows:
1. The small-probability event of database risk cannot be ignored
Although database security incidents keep occurring, a certain number of security leaders still believe that enterprise security protection already has multiple lines of defense at the physical layer, network layer, computing host layer, application layer and so on, with strict access control at the network boundary, and that external threat intelligence and internal situational awareness systems can work together perfectly; business data is already protected layer by layer, so security threats cannot be exploited to cause a database security incident.
The reality is: because the possibility of a small-probability event in a given experiment or activity is very small, people wrongly conclude that it will not happen in that activity. Contrary to the facts, it is precisely this illusion that increases the possibility of incidents, and as a result accidents may occur frequently. Although the causes of such events are complicated, they show the objective fact that small-probability events do occur, and often.
From the perspective of emphasizing the importance of small-probability events, Murphy's law teaches us: although the probability of a database security risk event is very small, in the operation of an intrusion prevention system it still can happen and will happen, so it cannot be ignored.
2. Actively apply Murphy's law in database security
1. Strengthen the security awareness of database intrusion prevention
The database has become the core of enterprise security protection. To understand the inevitability of database security threats and prevent unexpected events while the database is in an insecure state, precautions must be taken that cover the business system from the network layer, the application layer (middleware), the database layer and the operations DBAs, with comprehensive control and planning in advance. Since database intrusion events cannot be avoided, complete and original database access records must be kept for auditing and evidence collection, so that everything is documented.
2. Standardize security management and correctly understand database security control
The goal of security management is to prevent accidents, and accidents are events that do not happen often; their probability is generally small. Because these small-probability events do not occur most of the time, management tends to become negligent, and that is precisely the subjective cause of the accident. Murphy's Law warns us that the security control of databases and business data cannot be neglected. To ensure database security we must start from the basics: the basic security configuration of the database must form a unified security baseline, database access behavior must be "whitelisted", and active preventive methods and measures must be taken so that incidents are avoided before they happen.
3. Change the mindset: turn database intrusion prevention from passive to active
Traditional security management is passive: it is "remedial" management that sums up lessons only after security measures have been taken or an accident has occurred. With the rapid development of IT network technology, attack methods keep changing, new security threats keep emerging, and the triggers of database security incidents increase. The traditional network-based intrusion prevention system model can no longer meet the current demand for database security defense. To this end, we must not only pay attention to existing security threats but also actively identify new risks, actively learn, model and analyze, block risky activity in a timely and accurate way, turn passive into active, and firmly hold the initiative in database intrusion prevention.
3. Correctly understand the database intrusion prevention system
1. The dispute between serial and bypass deployment of database intrusion prevention systems
A database intrusion prevention system can accurately identify and block access behavior between the business system and the database through either serial (inline) or bypass deployment. Beyond that, used rationally it can also provide proactive defense beforehand and auditing and tracing afterwards.
However, some users think that blocking from a bypass position is not effective, while those who deploy inline to achieve real-time blocking worry about affecting business access.
Serial mode is deployed between the business system and the database. All SQL statements are parsed by decoding the traffic protocol, and security policies based on the TCP/IP 5-tuple (addresses, ports and protocol), access control factors and database operation behavior are applied; combined with the whitelist rules learned by independent dynamic modeling, this can accurately identify malicious database instructions and block the session in time, or precisely intercept the malicious operation statement. The biggest risk of serial deployment is that it tolerates no misjudgment, otherwise normal statements would be affected. This requires the system's SQL parsing to be accurate enough and a very complete behavior model to be built, so that when a dangerous statement is found it can be intercepted without interrupting the session: the risky statement is precisely intercepted while normal access requests are unaffected. Therefore, if the database intrusion prevention system is to have the best effect, it must be connected in series in front of the database, either physically (transparent bridging) or logically (reverse proxy).
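As an added illustration (not Palladium's code, and not from the original article), this sketch models the serial decision path just described: a static 5-tuple policy, then a whitelist of statement shapes learned during a dynamic-modeling phase, with a per-statement "pass"/"block" verdict so that only the risky statement is intercepted. All names, addresses and statements are constructed for the example.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Stmt:
    """One SQL statement seen on the wire, with its 5-tuple and DB user."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    db_user: str
    sql: str

def fingerprint(sql: str) -> str:
    """Normalize a statement so literals do not matter: 'id = 42' and 'id = 7'
    share one shape, but a changed structure (extra OR, comment, new verb) does not."""
    s = re.sub(r"--[^\n]*|/\*.*?\*/", " ", sql, flags=re.S)  # drop comments
    s = re.sub(r"'(?:[^']|'')*'", "?", s)                     # string literals
    s = re.sub(r"\b\d+(?:\.\d+)?\b", "?", s)                  # numeric literals
    return re.sub(r"\s+", " ", s).strip().rstrip(";").strip().lower()

def learn(baseline):
    """Dynamic-modeling phase: whitelist of (client IP, DB user, statement shape)."""
    return {(st.src_ip, st.db_user, fingerprint(st.sql)) for st in baseline}

def decide(st, whitelist, policy):
    """Static 5-tuple policy first, then the learned whitelist. Returns 'pass'
    or 'block' for this one statement; the session itself is left open."""
    if (st.dst_ip, st.dst_port, st.proto) != policy["db_endpoint"]:
        return "block"
    if st.src_ip not in policy["allowed_clients"]:
        return "block"
    key = (st.src_ip, st.db_user, fingerprint(st.sql))
    return "pass" if key in whitelist else "block"

def enforce(stream, whitelist, policy):
    return [decide(st, whitelist, policy) for st in stream]

# Constructed sample data (addresses, users and statements are made up).
POLICY = {"db_endpoint": ("10.0.0.5", 3306, "tcp"), "allowed_clients": {"10.0.0.10"}}
def app(sql, src="10.0.0.10", port=3306):
    return Stmt(src, 51000, "10.0.0.5", port, "tcp", "app", sql)
BASELINE = [app("SELECT name FROM users WHERE id = 42"),
            app("SELECT name FROM users WHERE id = 7"),
            app("UPDATE orders SET status = 'paid' WHERE id = 1001")]
STREAM = [app("SELECT name FROM users WHERE id = 99"),           # same shape: pass
          app("SELECT name FROM users WHERE id = 99 OR 1 = 1"),  # new shape: block
          app("DROP TABLE orders"),                               # never learned: block
          app("SELECT name FROM users WHERE id = 3", src="10.0.0.99")]  # foreign client
```

`enforce(STREAM, learn(BASELINE), POLICY)` yields `["pass", "block", "block", "block"]`; a real product would need a full SQL parser rather than regex normalization, which is exactly the parsing accuracy the text calls for.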
In bypass deployment mode, the common current method is to force a session reset by sending a RESET command. This works best under low traffic. In a business system with high concurrency, for example more than 10,000 SQL transactions per second, this kind of bypass identification and blocking may fail to block, and delays appear. Because of the delay, the blocking request may be sent after the SQL statement has already executed, which then affects normal business requests. Therefore, in a high-concurrency, high-traffic scenario, achieving real-time, accurate blocking and interception requires the database intrusion prevention system to have very high processing performance.
Whether serial or bypass deployment is more appropriate depends on the business scenario. The ultimate meaning of a database intrusion prevention system is its defensive effect, that is, its ability to accurately block risky statements. Analyzed through Murphy's law, if there is a possibility that a bypass deployment's blocking request fails or affects business access, then it will always happen sooner or later. Facing this risk, we must set higher requirements for the precise blocking ability of the database intrusion prevention system and minimize the risk as far as possible.
2. Within serial deployment: the dispute between real-time synchronous blocking and asynchronous blocking
Compared with the serial-versus-bypass dispute, the distinction between synchronous and asynchronous blocking in serial implementations is finer-grained. There are two types of serial database intrusion prevention systems on the market:
One type is online monitoring with asynchronous blocking by a local proxy engine, represented by IBM Guardium. When a dangerous statement is sent to the DBMS through the proxy, the proxy sends a copy of the content to the analysis center, the center determines whether it violates the law or the intrusion prevention rules, and then issues a blocking instruction to the agent. The advantage of this deployment is obviously that it is not constrained by the database's network environment; it only needs IP reachability. The disadvantage is even more obvious: while the agent and the center are communicating, SQL access is still allowed through, so if a fatal attack statement appears in the first few packets, that attack is executed and the defense system is effectively bypassed.
The other type is serial real-time synchronous blocking, represented by the domestic manufacturer Palladium. When a dangerous statement passes through the serial database intrusion prevention system, it is blocked immediately if the system detects the risk; risk-free statements are released. In this model, analysis and judgment happen immediately. The advantage of this deployment mode is obviously that small-probability events and long-planned direct attack statements are blocked in real time; the disadvantage is just as obvious: processing efficiency. If the processing efficiency of the database intrusion prevention system is poor, statements will queue up, which affects business continuity. The key is to find the balance point, at least so that the added latency is imperceptible, and where that point lies depends on each database security vendor's algorithmic ability to process SQL statements.
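The bypass race (blocking request sent after the statement has executed) and the synchronous-versus-asynchronous trade-off above are the same timing problem seen from two angles. The following simulation is added here as an illustration and is not from the article or from any vendor; it constructs a single-queue analyzer and a stream of statements, then compares a serial synchronous verdict against an out-of-band (agent-copy or bypass) verdict. The 10,000 SQL/s figure is the article's; service times, execution times and the positions of the dangerous statements are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Query:
    """One statement in flight: exec_ms is the DBMS run time once the
    statement is received; dangerous marks what the IPS should stop."""
    sql: str
    exec_ms: float
    dangerous: bool

def simulate(stream, mode, service_ms):
    """stream: list of (arrival_ms, Query). The analyzer is a single queue
    needing service_ms per statement.
    'sync'  - serial synchronous: the DBMS receives a statement only after
              its verdict, so danger never executes but latency = queueing.
    'async' - agent/bypass: the DBMS receives it at arrival, a copy is
              analyzed, and a block (RESET / kill) is sent when the verdict
              is ready; if the DBMS has already finished, the block is late.
    Returns (list of dangerous statements that executed, worst added delay)."""
    analyzer_free, leaked, worst_delay = 0.0, [], 0.0
    for arrival, q in stream:
        start = max(arrival, analyzer_free)
        verdict = start + service_ms
        analyzer_free = verdict
        if mode == "sync":
            worst_delay = max(worst_delay, verdict - arrival)
        elif q.dangerous and arrival + q.exec_ms <= verdict:
            leaked.append(q.sql)  # finished before the block arrived
    return leaked, worst_delay

def make_stream(n, gap_ms, dangerous_at):
    """Constructed traffic: n statements spaced gap_ms apart (10,000 SQL/s
    is a 0.1 ms gap); statements at the given indexes are dangerous and
    take 1.0 ms to run, the rest 0.5 ms."""
    return [(i * gap_ms,
             Query(f"stmt#{i}", 1.0 if i in dangerous_at else 0.5, i in dangerous_at))
            for i in range(n)]

HEAVY = make_stream(50, 0.1, {3, 40})   # 10,000 SQL/s, analyzer falls behind
LIGHT = make_stream(50, 1.0, {3, 40})   # 1,000 SQL/s, analyzer keeps up
```

With a 0.2 ms analyzer, the async mode stops stmt#3 (the backlog is still short) but lets stmt#40 execute, while the sync mode leaks nothing at the price of a delay that grows to about 5.1 ms by the end of the burst; the light stream leaks nothing in either mode.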
4. Concluding remarks
Murphy's law is not complicated. Applied to the field of database intrusion prevention, it reveals the small-probability risk events that cannot be ignored in database security. To turn Murphy's law into a positive response, we should fully understand it and resist misunderstandings such as "the database is protected by so many layers that it is not at risk", "everyone else does it this way" and "the database intrusion prevention system will never block by mistake". Keep in mind that as long as hidden risks exist, incidents are possible, and incidents will happen sooner or later. We should get rid of habitual thinking and proactively respond to database security risks.