Today I have stumbled upon an interesting technique from the Cisco Blog and Cisco Support Forum which is about defending an SQL injection using IPS, ASA or IOS firewall.
I will concentrate on the ASA here to show you what you can do with this great device. Ofcourse what I will show works only for specific SQL attacks and is not an “ALL IN ONE” mechanism for preventing all SQL attacks.
You should have a web application firewall in addition to ASA in my opinion if you want to have a full blown SQL and Web Application protection.
So basically the ASA uses regular expressions (regex) together with Modular Policy Framework to inspect specific HTTP data patterns in order to detect the SQL injection attack.
It will basically check for the SQL command “UNION ALL SELECT”.
Below is the configuration as described on the Cisco support forum:
regex SQL_regex_1 “[uU][nN][iI][oO][nN]([%]2[0bB]|[+])([aA][lL][lL]([%]2[0bB]|[+]))?[sS][eE][lL][eE][cC][tT]”
regex SQL_regex_2 “[Ss][Ee][Ll][Ee][Cc][Tt](%2[0bB]|+)[^\r\x00-\x19\x7f-\xff]+(%2[0bB]|+)[Ff][Rr][Oo][Mm](%2[0bB]|+)”
!
class-map WebServers
match port tcp eq www
class-map type inspect http match-any SQL-map
match request body regex SQL_regex_1
match request body regex SQL_regex_2
!
policy-map type inspect http drop-SQL
parameters
body-match-maximum 3000
class SQL-map
drop-connection log
policy-map SQL-traffic
class WebServers
inspect http drop-SQL
!
service-policy SQL-traffic interface outside
We assume that our webserver is protected on a DMZ zone on the ASA. Traffic is coming from the outside so the service policy (SQL-traffic) is applied on the outside.
Upon a regular expression match, the ASA will drop the HTTP connection and generate a log. The above is just a starting point for SQL attack protection and can not defend against all attacks.
For example if the SQL statement is Hex encoded or url encoded by the attacker, the regex will not detect it. Here is the link from Cisco forum for more information:
https://supportforums.cisco.com/docs/DOC-14890
Related Posts
- Prevent Spoofing Attacks on Cisco ASA using RPF
- Configuring Connection Limits on Cisco ASA Firewalls – Protect from DoS
- Configuring AAA Authentication-Authorization-Accounting on Cisco ASA Firewall (TACACS+, RADIUS)
- Cisco ASA Firewall Management Interface Configuration (with Example)
- How to Configure Access Control Lists on a Cisco ASA 5500/5500-X Firewall (with Examples)