What is GreenSQL?

GreenSQL is an Open Source database firewall used to protect databases from SQL injection attacks. GreenSQL works as a proxy for SQL commands and has built-in support for MySQL and PostgreSQL. Its logic is based on evaluating SQL commands with a risk scoring matrix as well as blocking known database administrative commands (DROP, CREATE, etc.). GreenSQL is distributed under the GPL license. You can download it here.

GreenSQL Architecture

GreenSQL works as a reverse proxy for MySQL connections. This means that instead of connecting to the MySQL server directly, your applications connect to the GreenSQL server. GreenSQL analyzes each SQL query and, if it is considered safe, forwards it to the back-end MySQL server.

The following picture describes the whole process.
[Figure: GreenSQL Architecture]
As you can see, GreenSQL calls the real database server to execute SQL commands and the web application connects to the GreenSQL server as if it were a real database server.

GreenSQL can be installed on the same computer as the database server or on a separate server. By default GreenSQL listens on 127.0.0.1:3305 and forwards SQL requests to 127.0.0.1:3306 (the default MySQL port). These settings can be changed using the GreenSQL Console.

Supported modes

The GreenSQL db firewall can be used in a number of ways:

  • Simulation Mode (database IDS)
  • Blocking Suspicious Commands (database IPS)
  • Learning mode
  • Active protection from unknown queries (db firewall)

In Simulation Mode nothing is blocked. In this mode GreenSQL works as a database IDS (Intrusion Detection System): the risk scoring matrix engine identifies suspicious queries and notifies the database administrator through the GreenSQL Management Console.

When the system is configured to Block Suspicious Commands, GreenSQL uses its heuristics engine to find "illegal" queries and block them automatically. In this mode GreenSQL is essentially a database IPS (Intrusion Prevention System). If a query is considered illegal, the whitelist is checked: if the query is found there, it is forwarded to the real MySQL server; otherwise GreenSQL returns an empty result set to the application. In this mode GreenSQL can sometimes produce false positives and false negatives, so some legitimate queries may be blocked while an "illegal" query may pass through undetected. These are the inherent trade-offs of IPS systems. GreenSQL's heuristics engine is constantly being improved, but it is still not perfect.

To address the disadvantages of the above methods, we recommend enabling Learning Mode and, once the learning period is over, switching to Active protection from unknown queries. During Learning Mode, every query is automatically added to the whitelist. When the learning period ends, GreenSQL automatically enables active protection. In Active protection from unknown queries mode (database firewall mode), every unknown SQL command is blocked. In addition, GreenSQL calculates the risk of each unknown command using its heuristics and displays the result in the GreenSQL Management Console. This is the fastest mode, because GreenSQL only calculates risk for new queries, which are rare once the whitelist is populated.

How does GreenSQL find "illegal" queries?

GreenSQL finds suspicious queries using a number of methods:

  • By identifying administrative and sensitive SQL commands
  • By calculating a query's risk

Identifying administrative and sensitive SQL commands

GreenSQL uses a pattern matching engine to find commands that are considered "illegal". In essence, this is a signature-based subsystem. For example, the following commands are considered "illegal": database administrative commands, commands that change the database structure, and commands used to access system files. The administrator can approve an "illegal" query by adding it to the whitelist or by editing the list of "illegal" patterns in the configuration file.

Calculating a query's risk

GreenSQL calculates each query's risk. Essentially, this is an anomaly detection subsystem. After the risk is calculated, GreenSQL can block the query or just create a warning message (this depends on the application mode). There are a number of heuristics GreenSQL uses when calculating risk. For example, query risk is increased by:

  • Access to sensitive tables (users, accounts, credit information)
  • Comments inside SQL commands
  • An empty password string
  • An ‘or’ token inside a query
  • An SQL expression that always returns true (SQL tautology)

In order to find anomalies, GreenSQL uses its own SQL language lexer to find SQL tokens.
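The following Python sketch is an added illustration, not GreenSQL's own code. It combines the four modes described above (Simulation, Blocking Suspicious Commands, Learning, Active protection) with the risk heuristics just listed, using a minimal SQL lexer and a whitelist that Learning Mode fills. The point values, the risk threshold, the administrative-command patterns and the sensitive table names are assumptions for the example.

```python
import re

# Constructed illustration: weights, threshold, patterns and table names are assumptions.
RISK_THRESHOLD = 5
SENSITIVE_TABLES = {"users", "accounts", "credit_cards"}
ADMIN_RE = re.compile(r"^\s*(drop|create|alter|grant|truncate)\b|\bload_file\s*\(|\binto\s+outfile\b", re.I)
# Minimal lexer: comments, string literals, words, single punctuation characters.
TOKEN_RE = re.compile(r"--[^\n]*|#[^\n]*|/\*.*?\*/|'(?:[^']|'')*'|\w+|[^\s\w]", re.S)

def tokenize(sql):
    return TOKEN_RE.findall(sql)

def risk_score(sql):
    """Sum of the page's heuristics; the point values are assumed, not GreenSQL's."""
    tokens = tokenize(sql)
    words = {t.lower() for t in tokens if t[0].isalnum() or t[0] == "_"}
    score = 0
    if any(t.startswith(("--", "#", "/*")) for t in tokens):
        score += 3                      # comment inside the SQL command
    if "or" in words:
        score += 2                      # an 'or' token in the query
    if re.search(r"\bpassword\s*=\s*''", sql, re.I):
        score += 2                      # empty password string
    if re.search(r"\b(\w+)\s*=\s*\1\b|('\w*')\s*=\s*\2", sql):
        score += 4                      # tautology such as 1=1 or 'a'='a'
    if words & SENSITIVE_TABLES:
        score += 1                      # access to a sensitive table
    return score

def normalize(sql):
    return " ".join(sql.split()).lower()   # simplification: whitelist holds exact query text

def decide(sql, mode, whitelist):
    """Return 'allow', 'warn' or 'block' ('block' = empty result set sent to the app)."""
    key = normalize(sql)
    if mode == "learning":              # every query seen is whitelisted
        whitelist.add(key)
        return "allow"
    if key in whitelist:                # whitelisted queries always pass
        return "allow"
    suspicious = bool(ADMIN_RE.search(sql)) or risk_score(sql) >= RISK_THRESHOLD
    if mode == "simulation":            # database IDS: report only
        return "warn" if suspicious else "allow"
    if mode == "ips":                   # block suspicious, pass the rest
        return "block" if suspicious else "allow"
    if mode == "firewall":              # unknown query: blocked regardless of score
        return "block"
    raise ValueError(f"unknown mode {mode!r}")
```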

How are commands blocked?

When GreenSQL determines that a query should be blocked, it will generate an empty result-set and send it back to the application, so it can continue gracefully.

How does the Whitelist work?

Each time GreenSQL considers an SQL query to be a security risk, it is blocked. You can alter this behavior for a specific query by explicitly adding it to the whitelist.
New: During Learning Mode all new queries are automatically added to the whitelist.

Download Now

Just use this link. Remember it is FREE, Open Source software :)
