Re: Modifying SQL query for security?? What is your opinion?

From: Todd Verstraten <tverstrat_at_tier3.com>
Date: 1996/12/01
Message-ID: <32A18707.31FA_at_tier3.com>


Sandor Laza wrote:
>
> Hi guys,
>
> I need some advice:
>
> A company prepared a security study for us in which they
> advised not to use trusted RDBMS systems (like Trusted Oracle
> or Trusted Ingres), but to develop an application which captures all the
> SQL queries sent to the server, modifies them according to several security
> rules (for example, extends the where clause somehow) and passes the
> modified query to the RDBMS engine.
>
> Have you ever seen or heard about this kind of solution implemented?
> What do you think, is it feasible?
>
> My personal opinion is that it can be implemented, but the
> implementation means at least the reimplementation of the SQL
> interpreter of the given RDBMS. Or not?
>
> Any kind of help would be highly appreciated,
>
> P.S. If you know a company which is able to prepare
> a feasibility study on this topic, please contact me!
>
> Sandor Laza
> Security officer
>
> OPCW
> Tel: 31-70 3761700
> Fax: 31-70 3600944
> E-Mail: sandor.laza_at_opcw.nl or slaza_at_worldonline.nl

Sandor,

It is definitely feasible, but as you expected it comes with a big hit in performance. In this case the entire application of the security matrix is done at execution time (including parsing).

This is not the only solution. It is possible to push much of the application of the matrix to administration time. Of course, if there are dynamic elements in your security matrix you will still have some hit at run time, but it can be minimized.

We have experienced this problem many times in the past and wrote a solution that uses our own security administration tools to manage a series of triggers, procedures, views and roles. Together they implement a complex security schema (including value-based row- and column-level security) and push much of the effort to administration time.

Check out http://www.tier3.com/dbFortify

Todd Verstraten
mailto:tverstrat_at_tier3.com
http://www.tier3.com

Received on Sun Dec 01 1996 - 00:00:00 CET

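The two approaches discussed in this thread, side by side, as an added example that is not part of the original posts and not the dbFortify product or the study Sandor describes. It uses an in-memory SQLite database with constructed sample data and a constructed security matrix (which regions each user may see). Because SQLite has no session user or roles, an application-defined `current_user()` function stands in for the real server's session identity; that function and the table and column names are assumptions made for the demonstration. The run-time approach wraps the caller's query in an outer SELECT that adds the security predicate without parsing the SQL, which is enough to show why Sandor expected to need the SQL interpreter: it can only filter on columns the caller happened to project, and it cannot remove sensitive columns. The administration-time approach compiles the same row and column rules into a view once, and the engine applies them on every query.

```python
import sqlite3

# Constructed sample data: an orders table with one sensitive column.
ORDERS = [
    (1, "EU", "ACME", 120.0, "4111111111111111"),
    (2, "US", "Globex", 75.5, "4222222222222222"),
    (3, "EU", "Initech", 300.0, "4333333333333333"),
]
# Constructed security matrix: which regions each user is allowed to see.
USER_REGIONS = [("alice", "EU"), ("bob", "EU"), ("bob", "US")]


class Session:
    """Stand-in for the RDBMS session: who is running the current query."""
    user = None


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (id INTEGER, region TEXT, customer TEXT, "
        "amount REAL, card_number TEXT)"
    )
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?, ?, ?)", ORDERS)
    conn.execute("CREATE TABLE user_regions (username TEXT, region TEXT)")
    conn.executemany("INSERT INTO user_regions VALUES (?, ?)", USER_REGIONS)
    # Assumed stand-in for a real server's CURRENT_USER so that the view
    # below can be written once, at administration time, for all users.
    conn.create_function("current_user", 0, lambda: Session.user)
    # Administration-time approach: row filter (WHERE) and column filter
    # (projection without card_number) live in the view. Users would be
    # granted the view and denied the base table on a real server.
    conn.execute(
        "CREATE VIEW orders_v AS "
        "SELECT id, region, customer, amount FROM orders "
        "WHERE region IN (SELECT region FROM user_regions "
        "WHERE username = current_user())"
    )
    return conn


def rewrite(sql, user):
    """Run-time approach: wrap the caller's SELECT so the security predicate
    is applied to its result set. There is no SQL parser here, so the
    predicate can only reference columns the caller projected, and nothing
    the caller selected can be taken away."""
    regions = sorted({r for u, r in USER_REGIONS if u == user})
    placeholders = ",".join("?" for _ in regions) or "NULL"  # IN () is invalid
    wrapped = "SELECT * FROM (%s) AS q WHERE q.region IN (%s)" % (sql, placeholders)
    return wrapped, regions


def query_rewritten(conn, user, sql):
    wrapped, params = rewrite(sql, user)
    return conn.execute(wrapped, params).fetchall()


def rewrite_fails(conn, user, sql):
    """True when the run-time rewrite cannot be applied to this query
    (e.g. the caller did not project the column the predicate needs)."""
    try:
        query_rewritten(conn, user, sql)
    except sqlite3.OperationalError:
        return True
    return False


def query_view(conn, user, sql):
    """Administration-time approach: the caller's SQL runs unchanged against
    the view; the engine evaluates the stored filter for the session user."""
    Session.user = user
    try:
        return conn.execute(sql).fetchall()
    finally:
        Session.user = None


if __name__ == "__main__":
    db = open_db()
    # Rewrite filters rows, but the sensitive card_number column still leaks.
    print(query_rewritten(db, "alice", "SELECT * FROM orders"))
    # Rewrite breaks as soon as the caller does not project 'region'.
    print(rewrite_fails(db, "alice", "SELECT customer, amount FROM orders"))
    # The view applies both the row and the column rule with no rewriting.
    print(query_view(db, "alice", "SELECT customer, amount FROM orders_v"))
    print(query_view(db, "carol", "SELECT id FROM orders_v"))
```

The wrapping trick is the cheapest form of the rewriting Sandor's consultants proposed; anything more robust (extending an existing WHERE clause, handling joins, subqueries, UNIONs, or column-level filtering) needs a real parse of the statement, which is the cost Todd refers to as the run-time hit. The view form moves that work to administration time: the rule is parsed once, and the only run-time cost is the predicate itself.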