Axel's root Blog

for nerds only - little stories from the everyday sysadmin life with problems and their hard-to-find solutions

GreenSQL database firewall production report

2010-07-05 by Axel Reinhold, tagged as performance, security
Since 24.06.2010 I have been using the GreenSQL database firewall in production on my root server. Here are some experiences and a performance report.

GreenSQL is a database firewall that acts as a proxy between the application and the database to prevent SQL injection, the most dangerous web attack today. It does this with a set of rules that can be set up much like firewall rules.

Using GreenSQL in front of standard CMS systems like TYPO3, Joomla, SilverStripe and the like was really easy: the proxy installed without problems on my CentOS 5.5 root server. After setting the default blocking mode to "IDS (no blocking)" I made a test connection with "mysql -h127.0.0.1 -P3305" without problems.

Setting the CMS's database connection string to 127.0.0.1:3305 is the only change needed to route these systems through the firewall. The first alerts came up and I had to "Allow" the "Disclose table structure" rule, because most of these systems dynamically query the database structure.

When there had been no more alerts for a couple of days I changed the mode to "IPS", giving a much more secure system than before with almost no effort.

With custom web applications like Rails apps I first used "Learning Mode" and let the users run every single transaction within the application. After that I switched to "Firewall" mode and have a much better feeling about the security of the system. Only known queries will be executed, and flaws in the application can no longer be exploited to reach valuable data. At least the security level is higher.
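To make the four modes mentioned above concrete, here is a small added example (my own illustration, not GreenSQL's code, and the rule set is constructed, not GreenSQL's actual rules) of the idea behind a query-whitelisting database firewall: each query is reduced to a structural pattern by replacing literals with placeholders, "learning" records the patterns a normal application produces, "firewall" only forwards known patterns, "IDS" forwards everything but records rule hits, and "IPS" blocks rule hits. The table and column names are made up.

```python
import re
from typing import List, Tuple

# Placeholders for literals so that queries differing only in their values
# share one pattern; this is what makes a learning/whitelist mode workable.
_STRING = re.compile(r"'(?:[^'\\]|\\.)*'")
_NUMBER = re.compile(r"(?<![\w.])\d+(?:\.\d+)?(?![\w.])")
_WS = re.compile(r"\s+")


def normalize(query: str) -> str:
    """Reduce a SQL statement to a lower-cased structural pattern."""
    q = _STRING.sub("?", query)
    q = _NUMBER.sub("?", q)
    q = _WS.sub(" ", q).strip().rstrip(";").strip()
    return q.lower()


# Constructed rule set (an assumption for this example, not GreenSQL's rules):
# each rule names a query shape that a database firewall would flag.
RULES = {
    "disclose_table_structure": re.compile(
        r"\b(show\s+(tables|columns|create)|describe|information_schema)\b"),
    "always_true_condition": re.compile(r"\b(or|and)\s+\?\s*=\s*\?"),
    "sql_comment": re.compile(r"(--|/\*|#)"),
    "union_select": re.compile(r"\bunion\b.*\bselect\b"),
}

MODES = ("learning", "ids", "ips", "firewall")


class QueryFirewall:
    """Minimal model of a proxy sitting between application and database."""

    def __init__(self, mode: str = "ids"):
        self.set_mode(mode)
        self.allowed_patterns = set()   # learned in "learning" mode
        self.allowed_rules = set()      # rules the admin clicked "Allow" on
        self.alerts: List[Tuple[str, List[str]]] = []

    def set_mode(self, mode: str) -> None:
        if mode not in MODES:
            raise ValueError("unknown mode: %s" % mode)
        self.mode = mode

    def allow_rule(self, name: str) -> None:
        """Mirror the "Allow" action from the web UI for a noisy rule."""
        self.allowed_rules.add(name)

    def matched_rules(self, pattern: str) -> List[str]:
        return [n for n, rx in RULES.items()
                if rx.search(pattern) and n not in self.allowed_rules]

    def handle(self, query: str) -> Tuple[bool, str]:
        """Return (forwarded_to_database, reason) for one query."""
        pattern = normalize(query)
        hits = self.matched_rules(pattern)
        if self.mode == "learning":
            self.allowed_patterns.add(pattern)
            return True, "learned"
        if self.mode == "firewall":
            if pattern in self.allowed_patterns:
                return True, "known pattern"
            self.alerts.append((pattern, hits))
            return False, "unknown pattern"
        if hits:
            self.alerts.append((pattern, hits))
            if self.mode == "ips":
                return False, "blocked: " + ",".join(hits)
            return True, "alert: " + ",".join(hits)   # IDS: log only
        return True, "ok"


if __name__ == "__main__":
    # Constructed queries: what a CMS issues, plus one malformed request
    # whose structure differs from anything the application normally sends.
    cms = ["SELECT uid, title FROM pages WHERE uid = 42",
           "SELECT uid, title FROM pages WHERE uid = 7",
           "SHOW COLUMNS FROM pages"]
    odd = "SELECT uid, title FROM pages WHERE uid = 0 OR 1=1 -- "

    fw = QueryFirewall("ids")
    fw.allow_rule("disclose_table_structure")   # CMS needs the schema
    for q in cms + [odd]:
        print("ids     ", fw.handle(q))
    fw.set_mode("ips")
    print("ips     ", fw.handle(odd))

    app = QueryFirewall("learning")
    for q in cms[:2]:
        app.handle(q)
    app.set_mode("firewall")
    print("firewall", app.handle("SELECT uid, title FROM pages WHERE uid = 99"))
    print("firewall", app.handle(odd))
```

The normalization step is the weak spot of any such proxy: a pattern that is too coarse lets structurally different queries through, one that is too fine floods the learning phase with one pattern per value. That is why a couple of alert-free days in IDS mode before switching to IPS, as described above, is a sensible check.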

I was worried about the performance penalty of the proxy, but after a week in production, measuring page load times without cache and with full database access, I cannot see any performance degradation at all. In the chart below the proxy has been active since Thursday.

Performance Chart
The green line is the page load time in milliseconds. The peaks are always at night, during the backup window.