SQL Clone
SQLServerCentral is supported by Redgate
 
Log in  ::  Register  ::  Not logged in
 
 
 

The Tethered Goat

By Phil Factor,

A few years ago, I developed a SQL Server database application that supported a web application. It was a huge database and quite a popular application that sadly no longer exists, because it didn't get the long-term funding. The reason I remember it so well now was that we built a good intrusion detection system to support it. We were able to detect every attempt at intrusion and examine the forensics in detail.

We were intrigued by the sort of attacks that could occur and, out of curiosity, created a 'tethered goat' database application to understand the predators out there (a tethered goat was once used as a lure to attract predators to where the hunter lay concealed).

This 'tethered goat' database, also known as a Honeypot, was deliberately left entirely detached from our intranet, with several vulnerabilities. We had a lot of fun with SQL Data Generator to create a database that was apparently full of personal information. We made it very plausible: I've since published some of the techniques we used. We introduced a great deal of logging and monitoring to examine what intruders did.

It brought home to us forcefully that it was a big bad world out there on the internet. There are a lot of systems out there probing for all sorts of potential vulnerabilities on public-facing servers, and it paid dividends to detect any attempt that penetrated the first line of defence. Even experienced developers can forget to nail down every potential vulnerability.

The 'tethered Goat' database was fascinating because we could follow intrusions through to table access. There is some clever but wasted talent out there. For us, it was a useful education to observe a range of attacks.

We adapted our nascent database application based on what we observed, and ended up with something so watertight that we could leave it running unattended for several years subsequently, without a hiccough. It is to my shame that before the production release, one clever attacker got through the second line of security but no further. He would have done had we not had an intrusion detection system that alerted us. Oops.

In the ten years since, I've been amazed that no company seems to have developed a database intrusion detection system that comes anywhere near the one that we devised to ensure the security of our system. If you're a data person and you haven't observed attempts to penetrate a database, it is well worth getting an opportunity to do so. It will give you a new and even greater respect for database and application security. It gave me an abiding interest in the topic.

Phil Factor

 
Total article views: 53 | Views in the last 30 days: 2
 
Related Articles
FORUM

Intrusion Detection Systems

Are Intrusion Detection Systems services worth it?

FORUM

Torn_page_detection Vs Checksum (SQL Server 2005 database upgrade)

Torn_page_detection Vs Checksum (SQL Server 2005 database upgrade)

FORUM

Database Design for Blog application

Database Design for Blog application

FORUM

Are there any tools to detect corrupt TRN files ?

Is anyone familiar with any tools that can detect corrupt TRN files before they are applied to a sta...

BLOG

Detecting SQL Server 2005 Properly

There is a new post in the SQL Server Express blog which indicates the right way to detect SQL Serv...

Tags
 
Contribute