IPS vs Actual Security Rights

  • Hello everyone. Just looking for some input on IPSs (Intrusion Prevention Systems) and, more specifically, arguments against it.

    Here is the story. We have crap security. When our software was built, it will come as no shock, but security was a thought so far removed from any discussion that scientists are still looking for the galaxy. Fast forward 10 years later to a growing company that I now work at. We now host over 200 databases with websites open to the public.

    Now here is where my question above arises. We give all of the logins to the database SYSADMIN rights. We have webpages that are hardcoded to use the 'SA' login and password. Rather than set up actual security and spend the money to do this, management believes that an IPS will kill the majority of the problems. Those that it doesn't solve would find a way around the security permissions setup anyway, so why bother spending the money.

    I am interested in thoughts, arguments, etc. that will help me to show/persuade management to do both.

    Thanks,

    Fraggle

  • I don't have any experience with the IPS systems available, although they probably do a great job of stopping network activity that you can define as bad. I don't think it is possible to block all the risky packets without making the database unavailable to users as well.

    Security is not really about blocking access to things. It's about enabling users that need data to get it efficiently and have it be correct when they get it.

    Picture your database as being in a room with doors on all sides open to the public and a couple of "processors" handing blocks of data to users as they come in the doors and ask for it. If every request is coming in the same door and exiting the opposite, data flows efficiently and users are quickly on their way to making business decisions. However, if users are coming in all the doors at the same time there is no flow of activity in and out of the database and things quickly become busy as the "processors" spin around like tops trying to satisfy all the requests hitting them from different directions. Restricting users to a specific path through the database allows the system to handle a much higher bandwidth of work.

    There is no quick band-aid to solve your scenario. The applications should not be built with the kind of access that you describe. The risks are way too high. Refactoring is probably the only way out of the mess for existing apps. Try implementing better security on new development work. Many of the shops I have worked in give the development teams elevated permissions (dbo, db_owner, SysAdmin) in the "DEV" environment. The argument being that they are moving fast and don't want to wait for DBA help when they need to make a change to objects or the environment. They also don't take the time to consult a DBA about how to implement security correctly, so they just start coding away with the permissions that they have in the development database. Then when it comes time to deploy to production, they cannot answer the DBA's question of "What does the app need access to?" Instead they lobby for just giving the application account sysadmin or other elevated permissions because that is the only way the developer knows to make it work.

    Depending on the kind of data in your databases, there may be regulations like HIPAA or Sarbanes-Oxley that could require a much more thorough approach than just slapping an IPS on the network.

    Good Luck!
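
An added example, not part of either post above: T-SQL that first inventories who holds sysadmin and db_owner, then replaces an 'SA' web connection with a login limited to what one application needs, which is one way to answer "What does the app need access to?". The names CustomerDb, web_app_login, web_app_user, web_app_role and the app schema are hypothetical, and the password is a placeholder.

```sql
-- 1. Server level: every login in the sysadmin fixed server role.
SELECT m.name AS login_name, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin';
GO

-- 2. Database level (repeat in each hosted database): members of db_owner.
USE CustomerDb;   -- hypothetical database name
GO
SELECT m.name AS user_name, m.type_desc
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'db_owner';
GO

-- 3. A dedicated login for one website instead of 'SA'.
--    Placeholder password: generate a real secret and keep it out of page source.
CREATE LOGIN web_app_login
    WITH PASSWORD = N'<REPLACE-WITH-GENERATED-SECRET>',
         CHECK_POLICY = ON,
         DEFAULT_DATABASE = CustomerDb;
GO
USE CustomerDb;
GO
CREATE USER web_app_user FOR LOGIN web_app_login;
CREATE ROLE web_app_role;
ALTER ROLE web_app_role ADD MEMBER web_app_user;
-- Assumption: the site reaches data only through stored procedures in schema "app".
-- No direct table access, no db_owner, no server role membership.
GRANT EXECUTE ON SCHEMA::app TO web_app_role;
GO

-- 4. Confirm the effective permissions by impersonating the new user.
EXECUTE AS USER = N'web_app_user';
SELECT entity_name, permission_name
FROM sys.fn_my_permissions(NULL, N'DATABASE');
SELECT entity_name, permission_name
FROM sys.fn_my_permissions(N'app', N'SCHEMA');
REVERT;
GO
```

Steps 1 and 2 give management a concrete count of over-privileged accounts; steps 3 and 4 can be piloted on one site's connection string before touching the rest.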
