Can Firewalls Protect Against SQL Injection? Beware the Hardware Firewall Sales Guy Scam

A lot of "hardware" firewall sales guys like to make it a point that their product protects against SQL injection attacks. But as with many sales pitches, you may be hearing a half truth, if that much. Jim Harrison recently commented on this unfortunate state of affairs:

"Your customer (like so many others) needs to understand that while ISA and IAG can help mitigate specific SQL attacks, any product rep touting "protection from SQL injection" as an absolute fact is a liar; pure and simple.

SQL injection as an attack class is very nearly infinite in presentation. The proper answer is to follow web-app SQL usage best practices so as to prevent them where the attacks are mounted: within the application code itself. Of course, the standard customer response is "I need something to protect me while we fix these things", which inevitably turns out to be never, because they are now "protected".

ISA can carry specific attack filters in the HTTP filter settings for each HTTP-related rule (if the web proxy filter is bound to the protocol), and IAG can apply regular expression matching (quite a lot stronger), but both of these require specific knowledge of the SQL attack method and the web application logic that allows the attack."

So, as always, caveat emptor -- do your research before paying for overpriced and underperforming "hardware" solutions.
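The best practice Harrison refers to, preventing injection in the application code rather than at the firewall, comes down to never letting user input become part of the SQL text. The following is an added illustration, not code from the original post or from ISA/IAG: it builds a constructed in-memory SQLite table and runs the same lookup two ways, once by pasting the input into the statement (the weak pattern an edge filter is trying to paper over) and once with a bound parameter. A legitimate name containing an apostrophe is enough to show the difference: the concatenated statement is reparsed as SQL and fails, while the parameterized one treats the same characters as plain data. Table name, column names and sample users are assumptions for the example.

```python
import sqlite3

# Constructed sample data for an in-memory database (not from the original post).
SEED_USERS = [("alice", "alice@example.test"), ("o'brien", "obrien@example.test")]


def make_db():
    """Create an in-memory SQLite database seeded with the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SEED_USERS)
    return conn


def lookup_email_concat(conn, name):
    """Weak pattern: the caller's string is pasted into the SQL text, so any
    quote character in the input changes the structure of the statement."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_email_param(conn, name):
    """Hardened pattern: a bound parameter is always passed as data and is
    never parsed as SQL, whatever characters it contains."""
    row = conn.execute("SELECT email FROM users WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


def compare(name):
    """Run both lookups on the same input and report what each one did.
    A database error from the concatenated version is reported by its class
    name so the caller can see that the input was interpreted as SQL."""
    conn = make_db()
    try:
        concat_result = lookup_email_concat(conn, name)
    except sqlite3.Error as exc:
        concat_result = "error: " + exc.__class__.__name__
    param_result = lookup_email_param(conn, name)
    conn.close()
    return {"concat": concat_result, "param": param_result}


if __name__ == "__main__":
    for candidate in ("alice", "o'brien"):
        print(candidate, "->", compare(candidate))
```

For `alice` both lookups agree; for `o'brien` the concatenated version raises an `OperationalError` because the apostrophe ended the string literal early, while the parameterized version returns the correct row. No edge filter needs to know about this input in advance, which is the point of fixing it in the code.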

Thomas W Shinder, M.D., MCSE
Sr. Consultant / Technical Writer
Prowess Consulting

PROWESS CONSULTING documentation | integration | virtualization
MVP — Forefront Edge Security (ISA/TMG/IAG)

Deb Shinder

Debra Littlejohn Shinder is a technology and security analyst and author specializing in identity, security and cybercrime, utilizing her past experience as a police officer and police academy/criminal justice instructor. She has written numerous books and articles for web and print publications and has been awarded the Microsoft MVP designation for fourteen years in a row.
