A lot of “hardware” firewall sales guys like to make it a point that their product protects against SQL injection attacks. But, like many sales guys, they may be telling you a half-truth, if that much. Jim Harrison recently commented on this unfortunate state of affairs:
“Your customer (like so many others) needs to understand that while ISA and IAG can help mitigate specific SQL attacks, any product rep touting “protection from SQL injection” as an absolute fact is a liar, pure and simple.
SQL injection as an attack class is very nearly infinite in presentation. The proper answer is to follow web-app SQL usage best practices so as to prevent them where the attacks are mounted: within the application code itself. Of course, the standard customer response is “I need something to protect me while we fix these things”, which inevitably turns out to be never, because they are now “protected”.
ISA can carry specific attack filters in the HTTP filter settings for each HTTP-related rule (if the web proxy filter is bound to the protocol), and IAG can apply regular expression matching (quite a lot stronger), but both of these require specific knowledge of the SQL attack method and the web application logic that allows the attack.”
So, as always, caveat emptor — do your research before paying for overpriced and underperforming “hardware” solutions.
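As an added illustration of Jim's point about fixing the problem in the application code (this is example code written for this page, not part of the original post or of Jim's comment), the following compares a login query built by string concatenation with the same query using bound parameters. The database, table, users and the probe string are all constructed for the example; the probe is the textbook quote-and-tautology shape, included only to show why the concatenated version fails.

```python
import sqlite3

# Constructed sample data for the example (not from the original post).
USERS = [("alice", "s3cret-a"), ("bob", "s3cret-b")]


def make_db():
    """Build an in-memory SQLite database with a tiny users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def login_concatenated(conn, name, password):
    """Vulnerable form: untrusted values are pasted into the SQL text,
    so a quote inside them changes the statement's structure."""
    sql = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, name, password):
    """Fixed form: the SQL text is constant and the values are bound
    separately, so the driver always treats them as data, never as code."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def demo():
    """Run both forms against legitimate input, a constructed injection
    probe, and an ordinary name containing an apostrophe."""
    conn = make_db()
    probe = "' OR '1'='1"          # constructed: closes the literal, then a tautology
    irish_name = "o'brien"         # legitimate input that also contains a quote

    # The concatenated query cannot even handle the apostrophe: it is a syntax error.
    try:
        concat_apostrophe = login_concatenated(conn, irish_name, "x")
    except sqlite3.OperationalError:
        concat_apostrophe = "syntax error"

    return {
        "concat_legit": login_concatenated(conn, "alice", "s3cret-a"),
        "concat_probe": login_concatenated(conn, probe, probe),      # every row
        "concat_apostrophe": concat_apostrophe,
        "param_legit": login_parameterized(conn, "alice", "s3cret-a"),
        "param_probe": login_parameterized(conn, probe, probe),      # no rows
        "param_apostrophe": login_parameterized(conn, irish_name, "x"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The concatenated version returns every user for the probe and throws a syntax error on a perfectly ordinary name, while the parameterized version returns only the matching row in all cases. A perimeter filter can only block the concatenated version's failure if it already knows the exact shape of the probe, which is the point Jim makes above; the parameterized query needs no such knowledge because the SQL structure is fixed before any user input arrives.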
Thomas W Shinder, M.D., MCSE
Sr. Consultant / Technical Writer
Prowess Consulting www.prowessconsulting.com
PROWESS CONSULTING documentation | integration | virtualization
MVP — Forefront Edge Security (ISA/TMG/IAG)