Preventing SQL Injection Attacks with Cisco ASA Firewall
Today I have stumbled upon an interesting technique from the Cisco Blog and Cisco Support Forum which is about defending an SQL injection using IPS, ASA or IOS firewall. I will concentrate on the ASA here to show you what you can do with this great device. Ofcourse what I will show works only for specific SQL attacks and is not an “ALL IN ONE” mechanism for preventing all SQL attacks. You should have a web application firewall in addition to ASA in my opinion if you want to have a full blown SQL and Web Application protection.
So basically the ASA uses regular expressions (regex) together with Modular Policy Framework to inspect specific HTTP data patterns in order to detect the SQL injection attack. It will basically check for the SQL command “UNION ALL SELECT”.
Below is the configuration as described on the Cisco support forum:
regex SQL_regex_1 “[uU][nN][iI][oO][nN]([%]2[0bB]|[+])([aA][lL][lL]([%]2[0bB]|[+]))?[sS][eE][lL][eE][cC][tT]“
regex SQL_regex_2 “[Ss][Ee][Ll][Ee][Cc][Tt](%2[0bB]|+)[^\r\x00-\x19\x7f-\xff]+(%2[0bB]|+)[Ff][Rr][Oo][Mm](%2[0bB]|+)”
match port tcp eq www
class-map type inspect http match-any SQL-map
match request body regex SQL_regex_1
match request body regex SQL_regex_2
policy-map type inspect http drop-SQL
inspect http drop-SQL
service-policy SQL-traffic interface outside
We assume that our webserver is protected on a DMZ zone on the ASA. Traffic is coming from the outside so the service policy (SQL-traffic) is applied on the outside. Upon a regular expression match, the ASA will drop the HTTP connection and generate a log. The above is a just a starting point for SQL attack protection and can not defend against all attacks. For example if the SQL statement is Hex encoded or url encoded by the attacker, the regex will not detect it. Here is the link from Cisco forum for more information:
Filed under: Cisco ASA Configuration
Like this post? Subscribe to my RSS feed and get loads more!