Preventing SQL Injection with SecureSphere Application Data Security Solutions

22 April 2011

The Imperva SecureSphere Web application firewall features advanced protection against SQL injection attacks and incorporates a multi-layer security model that enables precise protection from SQL injection without the need for manual tuning. SecureSphere's security architecture incorporates both a dynamic positive (white list) and a dynamic negative (black list) security model. Robust enforcement algorithms draw on both security models to identify and block even the most sophisticated attacks. In addition, customers can easily upgrade from the SecureSphere Web application firewall to the SecureSphere Database Security Gateway, which adds advanced protection against direct database SQL injection and other attacks targeted at the database.

Multi-Layered Approach for Protection against SQL Injection

SecureSphere utilizes a multi-tiered approach to detecting SQL injection: HTTP protocol validation, IPS-based signatures, Dynamic Profiling, and Correlated Attack Validation. Imperva has developed specific protection against SQL injection through a dedicated SQL Injection alert that is part of the SecureSphere security engine. By combining behavioral indications (character type / length violations, special characters, etc.) with anti-evasion mechanisms, simple pattern matching and fully-fledged regular expressions, SecureSphere is able to accurately defend application data against a wide range of SQL injection threats.

» HTTP Protocol Validation prevents protocol exploits including buffer overflows, malicious encoding, HTTP smuggling, and illegal server operations. Flexible policies enable strict adherence to RFC standards while allowing minor variations for specific applications. SecureSphere integrates Dynamic Profiling, IPS, and Correlated Attack Validation technologies to identify SQL injection with unmatched accuracy.

» Dynamic Profiling delivers query-level access control by automatically creating profiles of each user's and application's normal query patterns. Any query (such as a SQL injection attack query) that does not match previously established user or application patterns is immediately identified.

SecureSphere’s Dynamic Profiling technology examines live traffic to automatically build a comprehensive model, or “profile”, of the site. Specific elements of the profile include dynamic URLs, HTTP methods, cookies, parameter names, parameter lengths, and parameter types. The profile then serves as a positive security model for the Web application. By continuously comparing user interactions to the profile, SecureSphere can detect any unusual Web activity. As the Web site changes over time, advanced learning algorithms automatically update the profiles, eliminating any need for manual tuning.

For example, the SecureSphere positive-security model may identify a parameter as required and consisting of numeric characters, with a minimum and maximum length of sixteen characters. Inserting more or fewer than sixteen characters into that parameter conflicts with the profile and triggers a SecureSphere Parameter Length Violation alert.

A number of SQL injection attack patterns are well known, such as the SQL query string patterns related to the basic “OR 1=1” evasion technique described earlier. These known threats can be mitigated through signature pattern matching. Recognizing this, Imperva has incorporated IPS into its advanced security engine to mitigate common vulnerabilities.

» SecureSphere IPS includes unique database signature dictionaries designed specifically to identify vulnerable stored procedures and SQL injection strings, preventing attacks on the database platform. SecureSphere also maintains a database of SQL injection signatures used to recognize known SQL injection patterns in user input to Web applications, providing quick and easy protection from known SQL injection attacks as well as from known network, operating system, and Web server software attacks. SecureSphere goes beyond a standalone IPS product because it learns and understands application behavior (Dynamic Profiling) to accurately prevent malicious users from abusing legitimate applications, and combines this with Correlated Attack Validation, resulting in a lower rate of false positives.

» Correlated Attack Validation correlates security violations originating from multiple SecureSphere detection layers. By correlating multiple violations from the same user, SecureSphere is able to detect SQL injection with a degree of accuracy that is not possible using any single detection layer.
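The three layers described above (a learned positive profile, negative signatures, and per-client correlation of violations), as an added Python example that is not SecureSphere's code. The profile for `/account`, the two signatures, and the sample traffic are constructed for illustration; note that the single under-length request from the second client would not cross the correlation threshold on its own.

```python
import re
from collections import defaultdict

# Hypothetical learned profile for one URL (constructed; the product learns this from traffic).
PROFILE = {
    "/account": {
        "acct": {"required": True, "type": "numeric", "min_len": 16, "max_len": 16},
    }
}

# Negative model: two illustrative SQL injection signatures (constructed).
SIGNATURES = [
    ("sqli-tautology", re.compile(r"\bor\b\s+\d+\s*=\s*\d+", re.IGNORECASE)),
    ("sqli-comment", re.compile(r"(--|/\*|#)\s*$")),
]

# Constructed sample traffic: (client, url, parameters).
REQUESTS = [
    ("10.0.0.5", "/account", {"acct": "1234567890123456"}),
    ("10.0.0.9", "/account", {"acct": "1' OR 1=1 --"}),
    ("10.0.0.9", "/account", {"acct": "12345"}),
]

def profile_violations(url, params):
    """Positive model: check a request's parameters against the learned profile."""
    violations = []
    for name, spec in PROFILE.get(url, {}).items():
        if name not in params:
            if spec["required"]:
                violations.append(f"Missing Required Parameter:{name}")
            continue
        value = params[name]
        if spec["type"] == "numeric" and not value.isdigit():
            violations.append(f"Parameter Type Violation:{name}")
        if not spec["min_len"] <= len(value) <= spec["max_len"]:
            violations.append(f"Parameter Length Violation:{name}")
    return violations

def signature_violations(params):
    """Negative model: match parameter values against known injection signatures."""
    return [f"{sig}:{name}" for name, value in params.items()
            for sig, pattern in SIGNATURES if pattern.search(value)]

def evaluate(requests, threshold=2):
    """Correlated attack validation: a client is flagged only once it has accumulated
    `threshold` or more violations across both layers, over all of its requests."""
    per_client = defaultdict(list)
    for client, url, params in requests:
        per_client[client] += profile_violations(url, params) + signature_violations(params)
    return {c: (len(v) >= threshold, v) for c, v in per_client.items()}
```

Calling `evaluate(REQUESTS)` returns, per client, a flag plus the list of violations that produced it, so a blocked client can be explained by the individual alerts.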

Source: Website, Siakad, Simpeg and Hospital Information System development services https://klatenweb.com
Full article: https://klatenweb.com/artikel/511/Preventing-SQL-Injection-with-SecureSphere-Application-Data-Security-Solutions.html