A lot of "hardware" firewall sales guys make a point of claiming that their product protects against SQL injection attacks. But as with many sales pitches, you may be hearing a half-truth, if that much. Jim Harrison recently commented on this unfortunate state of affairs:
"Your customer (like so many others) needs to understand that while ISA and IAG can help mitigate specific SQL attacks, any product rep touting 'protection from SQL injection' as an absolute fact is a liar, pure and simple.
SQL injection as an attack class is very nearly infinite in presentation. The proper answer is to follow web-app SQL usage best practices so as to prevent them where the attacks are mounted: within the application code itself. Of course, the standard customer response is 'I need something to protect me while we fix these things', which inevitably turns out to be never, because they are now 'protected'.
ISA can carry specific attack filters in the HTTP filter settings for each HTTP-related rule (if the web proxy filter is bound to the protocol), and IAG can apply regular expression matching (quite a lot stronger), but both of these require specific knowledge of the SQL attack method and the web application logic that allows the attack."
So, as always, caveat emptor -- do your research before paying for overpriced and underperforming "hardware" solutions.
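As an added illustration of Jim's point (example code written for this post, not from the post itself or from ISA/IAG): a single perimeter signature catches one textbook tautology but not a trivial respelling of it, while a parameterized query in the application is indifferent to both. The table, the one-pattern filter and the lookup functions are all constructed here for the demo.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s1"), ("bob", "s2")])
    return conn


def lookup_concat(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable: the request value is spliced into the SQL text."""
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return sorted(r[0] for r in conn.execute(sql))


def lookup_param(conn: sqlite3.Connection, name: str) -> list:
    """Fixed in the application: the driver binds the value as data,
    so it can never become part of the SQL statement."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return sorted(r[0] for r in rows)


# A one-pattern "signature" in the spirit of a perimeter HTTP filter.
# Hypothetical pattern for the demo, not an actual ISA or IAG rule.
SIGNATURE = re.compile(r"'\s*or\s*'1'\s*=\s*'1", re.IGNORECASE)


def perimeter_blocks(name: str) -> bool:
    """True if the perimeter signature would have dropped this request."""
    return SIGNATURE.search(name) is not None


def compare(name: str) -> dict:
    """Run one request value through the filter and both query styles."""
    conn = make_db()
    return {
        "blocked_by_filter": perimeter_blocks(name),
        "concat_rows": lookup_concat(conn, name),   # leaks rows if injected
        "param_rows": lookup_param(conn, name),     # only exact matches
    }
```

A benign name behaves identically everywhere; the classic tautology is flagged by the filter yet dumps every row from the concatenated query, and a respelled tautology slips past the filter but is still harmless to the parameterized query.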
Thomas W Shinder, M.D., MCSE
Sr. Consultant / Technical Writer
Prowess Consulting www.prowessconsulting.com
PROWESS CONSULTING documentation | integration | virtualization
MVP — Forefront Edge Security (ISA/TMG/IAG)