In a blog post earlier this week (http://blogs.isaserver.org/shinder/2008/10/08/can-firewalls-protect-against-sql-injection-beware-the-hardware-firewall-sales-guy-scam/), I mentioned that the real fix for SQL injection attacks is to fix the code, not to put a Band-Aid in front of the broken application and hope you get lucky. As Jim Harrison mentioned, firewall vendors who claim to block SQL injection attacks are likely feeding you something you shouldn’t be eating 🙂
However, Yuri Diogenes points out that there might be some things we can do to provide a best-effort, due-diligence mitigation in front of broken applications that are susceptible to SQL injection.
Check out Yuri’s blog post at http://blogs.technet.com/edgeaccessblog/archive/2008/09/19/how-iag-2007-can-mitigate-sql-injection-attacks-demo-scenario.aspx for details on how you can use the IAG 2007 to help protect against SQL injection attacks.
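To make the "fix the code" point concrete, here is an added example (written for this edit, not code from the original post, from Yuri's demo, or from any Microsoft product) that puts the three approaches side by side: the broken application that concatenates user input into its SQL text, the same query with the input bound as a parameter, and a hypothetical pattern-based filter of the kind a front-end device might apply in front of the broken code. The table, the two rows, the injection payloads and the blocklist pattern are all constructed here for demonstration; the database is an in-memory SQLite instance so the script runs offline.

```python
import re
import sqlite3

# Constructed sample data (not from the original post): a tiny users table.
SAMPLE_USERS = [
    ("alice", "s3cret"),
    ("bob", "hunter2"),
]


def make_db():
    """Create an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """The broken application: user input is pasted into the SQL text,
    so anything the user types is parsed as SQL."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return sorted(row[0] for row in conn.execute(sql))


def login_fixed(conn, username, password):
    """The real fix: a parameterized query. The input is bound as data and
    never reaches the SQL parser, so quotes and keywords in it are inert."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (username, password)))


# Hypothetical blocklist standing in for a front-end "anti-injection" filter.
# It catches the textbook ' OR '1'='1 payload and nothing else; it exists here
# only to show why such filtering is best effort rather than a fix.
BLOCKLIST = re.compile(r"'\s*or\s*'1'\s*=\s*'1", re.IGNORECASE)


def front_end_filter_allows(value):
    """Return True if the hypothetical filter would let the value through."""
    return BLOCKLIST.search(value) is None


def login_filtered_vulnerable(conn, username, password):
    """Band-Aid in front of the broken code: filter first, then run the
    still-vulnerable query. Rejected requests return no rows."""
    if not (front_end_filter_allows(username) and front_end_filter_allows(password)):
        return []
    return login_vulnerable(conn, username, password)


def demo():
    """Run all three variants against two constructed payloads and a legitimate
    login; returns a dict so the outcomes can be compared."""
    conn = make_db()
    classic = ("nobody", "' OR '1'='1")     # textbook payload, in the password field
    variant = ("' OR 1=1 --", "anything")   # same idea, phrased to slip past the blocklist
    return {
        "vulnerable_classic": login_vulnerable(conn, *classic),
        "vulnerable_variant": login_vulnerable(conn, *variant),
        "filtered_classic": login_filtered_vulnerable(conn, *classic),
        "filtered_variant": login_filtered_vulnerable(conn, *variant),
        "fixed_classic": login_fixed(conn, *classic),
        "fixed_variant": login_fixed(conn, *variant),
        "fixed_legit": login_fixed(conn, "alice", "s3cret"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print("%-20s %s" % (name, rows))
```

Both payloads log in as every user against the concatenated query. The filter stops the textbook one and lets the trivially rephrased one straight through to the same broken code, which is what makes a front-end filter a due-diligence layer rather than a fix. The parameterized query returns nothing for either payload and still returns the right row for a genuine login, and it does so without needing to know what an attack looks like.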
Thomas W Shinder, M.D., MCSE
Sr. Consultant / Technical Writer
Prowess Consulting www.prowessconsulting.com
PROWESS CONSULTING documentation | integration | virtualization
MVP — Forefront Edge Security (ISA/TMG/IAG)