Can Firewalls Protect Against SQL Injection? Beware the Hardware Firewall Sales Guy Scam

A lot of "hardware" firewall sales guys like to make it a point that their product protects against SQL injection attacks. But like many sales guys, you may be hearing a half truth, if that much. Jim Harrison recently commented on this unfortunate state of affairs:

"Your customer (like so many others) needs to understand that while ISA and IAG can help mitigate specific SQL attacks, any product rep touting "protection from SQL injection" as an absolute fact is a liar; pure and simple.

SQL injection as an attack class is very nearly infinite in presentation.  The proper answer is to follow web-app SQL usage best practices so as to prevent them where the attacks are mounted; within the application code itself.  Of course, the standard customer response is "I need something to protect me while we fix these things", which inevitably turns out to be never, because they are now "protected".

ISA can carry specific attack filters in the HTTP filter settings for each HTTP-related rule (if the web proxy filter is bound to the protocol), and IAG can apply regular expression matching (quite a lot stronger), but both of these require specific knowledge of the SQL attack method and the web application logic that allows the attack."

So, as always, caveat emptor -- do your research before paying for overpriced and underperforming "hardware" solutions.

HTH,

Tom

Thomas W Shinder, M.D., MCSE
Sr. Consultant / Technical Writer
Prowess Consulting www.prowessconsulting.com

PROWESS CONSULTING documentation | integration | virtualization
Email: tshinder@isaserver.org
MVP — Forefront Edge Security (ISA/TMG/IAG)

Deb Shinder

Debra Littlejohn Shinder is a technology and security analyst and author specializing in identity, security and cybercrime, utilizing her past experience as a police officer and police academy/criminal justice instructor. She has written numerous books and articles for web and print publications and has been awarded the Microsoft MVP designation for fourteen years in a row.

Share
Published by
Deb Shinder

Recent Posts

Using PowerShell to assess Active Directory health

When using PowerShell as a tool for monitoring Active Directory health, you are limited only by your imagination. Here’s some…

1 hour ago

Microsoft Authentication Libraries now generally available

Microsoft Authentication Libraries, available for Android, iOS, and macOS, help developers integrate authentication into a diverse set of applications.

6 hours ago

Checkrain fake iOS jailbreak site a menace to iPhone users

iPhone users looking for help in jailbreaking their devices will find trouble if they head to a website named checkrain,…

9 hours ago

Key to success: Tracking down and unlocking locked files in Windows

Locked files in Windows can be a maddening experience. Thankfully, it is usually relatively easy to get a locked file…

1 day ago

‘Made By Google’ 2019: Pixel 4 and Pixel 4 XL are finally official

The release of Google’s much-awaited new smartphones is official. The tech giant has unveiled the Pixel 4 and Pixel 4…

1 day ago

COBIT 2019: An effective governance framework for IT pros

Every business with IT as part of its foundation needs a comprehensive governance strategy. This is where COBIT 2019 comes…

1 day ago