GreenSQL Application Firewall for SQL databases (MySQL)

By | November 25, 2011

Having already had to deal with SQL injection, I find it very disturbing … GreenSQL is a free, GPL-licensed solution to protect your MySQL databases from attacks such as “SQL Injection”, “Cross-Site Scripting” and “Cross-Site Request Forgeries.”

GreenSQL works as a proxy for SQL queries on MySQL databases. Note that, according to the roadmap, it is also expected to work with PostgreSQL. There is also a post on that subject titled: GreenSQL for PostgreSQL

It works by evaluating SQL commands against a risk scoring matrix (it reminds me of SpamAssassin) and by blocking administrative commands (DROP, CREATE, etc.).

GreenSQL operates as a reverse proxy, i.e., the SQL query is sent to GreenSQL, which analyzes it and then passes it on to MySQL if it is accepted.

GreenSQL listens on port 3305 and forwards requests to port 3306, the standard MySQL port.

GreenSQL can operate in different modes:

* Simulation (database IDS) – only detects, does not block anything
* Protection (database IPS) – detects and blocks queries
* Learning mode
* Protection against non-listed queries

In Simulation mode, GreenSQL logs SQL queries, checks them against the risk scoring matrix, and notifies administrators through the administration console so that they can analyze suspicious queries.

In Protection mode, if a query is considered illegal after evaluation by its engine, a whitelist is consulted. If the query appears in the whitelist, it is sent to the MySQL engine. But if the query is deemed illegal, GreenSQL returns an empty result set to the application on the web server. Of course, with this method, both false positives and false negatives are possible …

Learning mode exists precisely to correct this problem: GreenSQL learns the types of queries that are possible, then switches back to protecting against queries that are not in the learned query list.

When protection against non-listed queries is enabled, applications or queries that were not included in the whitelist are automatically rejected.

GreenSQL then calculates the risk it poses and reports the information to the management console. This is the fastest mode because it only calculates the risk for new queries.
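To make the four modes concrete, here is a small model of the decision flow described above. It is an added illustration, not GreenSQL's code: the risk weights, the threshold, the mode names and the way queries are reduced to patterns (literals replaced by `?`) are all assumptions.

```python
import re

# Hypothetical weights and threshold: GreenSQL's real scoring matrix is not shown here.
RISK_RULES = [
    (re.compile(r"\b(drop|create|alter|grant)\b", re.I), 50),  # administrative commands
    (re.compile(r"\bor\s+(\w+)\s*=\s*\1\b", re.I), 30),        # tautology such as OR 1=1
    (re.compile(r"--|#|/\*"), 20),                             # SQL comment marker
    (re.compile(r"\bunion\b", re.I), 20),                      # UNION-based extraction
]
BLOCK_THRESHOLD = 30

def pattern(query):
    """Reduce a query to its shape: literals become '?', so only structure is compared."""
    q = re.sub(r"'(?:[^'\\]|\\.)*'", "?", query)  # string literals
    q = re.sub(r"\b\d+\b", "?", q)                # numeric literals
    return re.sub(r"\s+", " ", q).strip().lower()

def risk(query):
    """Sum the weights of every rule the query matches."""
    return sum(weight for rx, weight in RISK_RULES if rx.search(query))

class Firewall:
    # mode: "simulation", "protection", "learning" or "unlisted" (block non-listed queries)
    def __init__(self, mode):
        self.mode = mode
        self.whitelist = set()
        self.alerts = []  # stands in for the management console

    def handle(self, query):
        """Return 'forward' (passed to MySQL) or 'empty' (empty result set returned)."""
        p = pattern(query)
        if self.mode == "learning":
            self.whitelist.add(p)
            return "forward"
        if self.mode == "unlisted":
            if p in self.whitelist:
                return "forward"  # known pattern: no risk calculation needed
            self.alerts.append((risk(query), query))
            return "empty"
        score = risk(query)
        if score < BLOCK_THRESHOLD:
            return "forward"
        if self.mode == "protection" and p in self.whitelist:
            return "forward"  # flagged, but explicitly whitelisted
        self.alerts.append((score, query))
        return "forward" if self.mode == "simulation" else "empty"
```

Because the whitelist stores query shapes rather than exact strings, a learned `WHERE id = 42` also admits `WHERE id = 7`, while an appended `OR 1=1` changes the shape and falls outside the list.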

That is basically how GreenSQL works. I think it is a really interesting solution, although the best approach is still to anticipate the risks during development. As for the performance of the web application, it did not appear to be affected in a performance test carried out with GreenSQL in use.

Note: GreenSQL packages are provided for the most common Linux distributions (CentOS, Debian, Fedora, Mandriva, RHEL 5, 5 SLE, openSUSE, Ubuntu).