Cisco Blogs

Defending Against SQL Injection Attacks Using Cisco ASA, IPS, and IOS Firewall – Cisco TAC Security Podcast

April 15, 2011 - 0 Comments

An American with the aid of two Russian conspirators stole 130 million credit card numbers in 2007. In 2009, 32 million usernames and passwords were obtained from a social network game developer. More recently, Lizamoon gained quite a bit of media attention. The same technique that made these attacks successful has even been attempted by printing messages on a car bumper driving down a highway. These attacks all employed a technique called SQL injection. By sending carefully crafted SQL commands into a HTTP web form (or some other database interface), the attacker is hoping that the HTTP form parser isn’t watching for raw SQL commands in the input. The intended effect is that the database will either send back more information than the administrator intended, or drop tables with data altogether.

Recently the Cisco TAC Security Podcast team set up a proof-of-concept website with a SQL database backend, and verified that a SQL injection attack could be launched against their test site. Then the team went about configuring the Advanced Security Appliance (ASA), Intrusion Prevention System (IPS) and Zone-based Firewall on the IOS router platforms to mitigate the attack. The Cisco security devices tested employ signature matching with regular expressions to identify the malicious traffic and drop it before it can do real damage.

This episode, and the accompanying show notes, features discussion around the technical details of a SQL injection attack, along with how the proof of concept was created, and specifics regarding the configuration of each Cisco security device they used to mitigate the attack. Configuration best practices and information regarding device performance impact and regular expressions are also discussed. Below is a graphical breakdown showing the regular expression used by one of the Cisco IPS Signatures that detect SQL injection attacks.

A breakdown of the regular expression used in Cisco IPS Signature "SQL Query in HTTP Request - Signature ID=5474"

You can listen to the 32-minute podcast and view the show notes for the episode here:

In an effort to keep conversations fresh, Cisco Blogs closes comments after 60 days. Please visit the Cisco Blogs hub page for the latest content.