Sometimes it becomes necessary to use client-server software that implements the necessary functionality, but is extremely vulnerable to SQL injections. These are mainly websites, network applications and other services that are accessible to a wide range of users, including attackers. For various reasons, it is not always possible to prevent SQL injections at the application level — the source code may be closed, or, in the case of open source, there is not enough knowledge to make changes to it, or this operation is expensive.

In this case, GreenSQL, a firewall or proxy for SQL servers, will help to ensure the security of the application. The GreenSQL service is located between your application and the SQL server, accepts sql queries from the application and, depending on the degree of reliability, either redirects them to the target SQL server or rejects them.



GreenSQL supports Microsoft SQL 2000/2005/2008, MySQL 4.x / 5.x, PostgreSQL 7.x / 8.x and is cross-platform. Among the officially supported platforms are Microsoft Windows Server 2003/2008, Ubuntu, CentOS. 32-bit and 64-bit systems are supported.
')
As for the cost, there are several modifications of the program - free Express, Lite and Pro with a monthly payment. The main difference between paid versions and free ones, if you omit technical support and automatic updating, is the ability to modify requests on the fly and work with secure SSL connections.

Each version of GreenSQL supports several modes of operation.

Risk Based - IPS / IDS implements the basic algorithm for identifying potentially dangerous SQL queries. Those. GreenSQL performs semantic analysis of a query and, by indirect evidence, determines the degree of its reliability. The calculation of the degree of danger is based on the following parameters:

• operations that change the structure of tables
• requests to service tables and databases
• requests using file system access
• administrative requests, for example, SHOW TABLES, SHOW CREATE TABLE
• comparison operations that always return TRUE, for example, 1 = 1, field = field
• comments within the request
• use OR in the query
• operations on tables containing personal information, for example, users, accounts, payments
• Passing an empty password in the request, for example, password = '', pwd = '', passw = ''

Necessary blocked requests can be added to the list of allowed (whitelist).

Database Firewall is an active protection mode that only passes requests that are on the list of allowed (whitelist).

Learning Mode - a learning mode in which all requests (or rather, request templates) fall into the list of allowed (whitelist). Thus, in the training mode, you can drive your application into the tail and mane so that it collects the base of "clean" requests, and then turn on the "combat" mode with blocking all unknown requests (Database Firewall + Active protection).

Program settings

GreenSQL runs as a service (daemon). Settings are managed through a web interface located at 127.0.0.1 : 5000.


Username / default password admin / pwd

After logging in, you will be taken to the application statistics page. Go to System> License, and enter the license key, which you will find in the letter with the download link (you must register on the developer’s site to be able to download).



To get started, you need to create a proxy. In the free version you can create only one proxy. To create, go to Databases> Create proxy.

• Proxy name - proxy name for identification inside GreenSQL
• Database type - type of protected DBMS
• Username and Password - login and password for authorization in the DBMS. It is not obligatory, but their instructions help with further tuning to select database objects from the list, and not to enter them manually
• Frontend IP - on which IP the proxy will work (actual in case of several network connections on the machine). 0.0.0.0 means work on all network interfaces
• Frontend Port - on which port the proxy will work. This port must be used in your application to connect to the DBMS
• Backend server name - the name of the protected DBMS. It can be any, it is necessary for identification inside GreenSQL (I am writing localhost)
• Backend IP - IP address on which the protected DBMS is running (for example, 127.0.0.1)
• Backend port - the port on which the protected DBMS is running (usually, for MySQL - 3306, for MSSQL - 1433, for PostgreSQL - 5432)

After creating a proxy, it will be launched on the specified port. Now it is enough to set the rules for the work of the proxy (Policy) to start using GreenSQL in your application. In principle, already at this stage you can try to configure your application to work with GreenSQL, however, it will work in a “transparent” mode.

• Rule type - Rule type (Learning mode, Database firewall, Risk based). Depending on which type is selected, the fields to be filled out are changed.
• Database - the name of the protected database in the DBMS
• Proxy - proxy to which the rule applies
• IPS / IDS (Mode) - is common to all types of rules.
  
  • No IPS / IDS - do not use automatic recognition of attacks
  • Active protection - block potentially dangerous requests
  • Monitoring - log and do not block potentially dangerous requests

Now you can try to configure your application to use GreenSQL.

Performance

Performance test taken from the official site GreenSQL . The essence of the test is such that through Apache Bench several measurements were made of 400 calls and 10 competitive inquiries. The result of the tests is shown in the image.



GreenSQL comes with good usage documentation. Here I did not try to translate it, but rather, outlined the general purpose and settings of the basic functionality of the program. Previous versions of GreenSQL (up to 1.2, current 1.5) were distributed under the GPL license.

Official sites www.greensql.com , www.greensql.net