Database access security
First Claim
1. A security filter device including a server configured for monitoring an external network connection for database commands to protect database objects from unwanted access comprising:
- a data packet inspection unit resident on a node other than a database manager receiving the database commands, and coupled to the network connection for inspecting passing data packets to find and carry out an analysis of database operation text within said packet, the data packet inspection unit configured in association with a firewall between an external network and an internal LAN containing the database objects for guarding a respective database, the data packet inspection unit comprising:
  - a packet analysis unit to look for structure associated with database operation text; and
  - a parsing unit, associated with said packet analysis unit to parse said database operation text into underlying statements comprising at least database operation commands and database objects; and
- an enforcement unit, associated with said data packet inspection unit for applying enforcement rules to said data packet, based at least partly on said analysis, the enforcement unit operable to protect respective database objects, the data packet inspection unit configured to first identify database communication packets from other types of packets, and then to pass database destined access attempts to the enforcement unit for application of the enforcement rules based on the database operation commands and database objects.
Abstract
Apparatus for protection of database objects from unwanted access, particularly from external connections via a firewall (20). The apparatus comprises a data packet parsing unit (54) for parsing a data packet to find database operation commands in the packet, and an enforcement unit (56) for applying enforcement rules to the data packet, thereby to protect respective database objects. The apparatus may form an additional layer (50, 52) of protection in conjunction with a firewall (20) to protect internal data.
Claims (30 claims, 196 citations)
Claim 1 is reproduced above under First Claim; claims 2 to 20 depend on it.
21. In a server configured for monitoring an external network connection for database commands, a method for protection of database objects from unwanted access comprising:
- parsing, on a node other than a database manager receiving the database commands, a data packet to find database operation commands in said packet;
- finding information regarding sources of respective data packets and regarding data objects of respective commands, said finding information regarding sources of respective data packets being carried out per user connection, the method further comprising associating said sources with data packets of said user connection, associating further comprising:
  - analyzing the data packets to look for structure associated with database operation text; and
  - parsing said database operation text into underlying statements comprising at least database operation commands and database objects; and
- applying enforcement rules to said data packet, the enforcement rules specifying conditions based at least partially on the found information and on said database operation commands for protecting the respective database objects, the applied enforcement per user connection providing selective database access based on the user, database object and database operation independently of firewall enforcement actions, enforcement further comprising:
  - first identifying database communication packets from other types of packets, and
  - passing database destined access attempts for application of the enforcement rules based on the database operation commands and database objects.

Claims 22 to 30 depend on claim 21.
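As an added illustration of the three stages claimed above (packet analysis, parsing into command and object, per-user enforcement), not code from the patent or any product, the following Python sketches a filter node sitting beside the firewall. It assumes plain-text SQL as the wire payload, a small regex parser, and a constructed policy table keyed by user connection.

```python
import re
from typing import List, Tuple

# Packet analysis: structure that marks a payload as database operation text.
# Assumption: plain-text SQL on the wire (a real deployment would first strip protocol framing).
COMMAND_RE = re.compile(r"^\s*(SELECT|INSERT|UPDATE|DELETE|DROP)\b", re.I)

# Parsing: one pattern per command extracts the database object it targets.
OBJECT_PATTERNS = {
    "SELECT": re.compile(r"\bFROM\s+([\w.]+)", re.I),
    "INSERT": re.compile(r"\bINTO\s+([\w.]+)", re.I),
    "UPDATE": re.compile(r"\bUPDATE\s+([\w.]+)", re.I),
    "DELETE": re.compile(r"\bFROM\s+([\w.]+)", re.I),
    "DROP":   re.compile(r"\bTABLE\s+([\w.]+)", re.I),
}

# Enforcement rules per user connection: allowed (command, object) pairs.
# "*" matches any object; users absent from the table are allowed nothing. Constructed policy.
RULES = {
    "app_user":    {("SELECT", "customers"), ("INSERT", "orders"), ("UPDATE", "orders")},
    "report_user": {("SELECT", "*")},
}

def is_database_packet(payload: bytes) -> bool:
    """Packet analysis unit: does the payload carry database operation text?"""
    try:
        return COMMAND_RE.match(payload.decode("utf-8")) is not None
    except UnicodeDecodeError:
        return False

def parse_statements(payload: bytes) -> List[Tuple[str, str]]:
    """Parsing unit: split the text into statements and reduce each to (command, object)."""
    parsed = []
    for stmt in payload.decode("utf-8").split(";"):
        m = COMMAND_RE.match(stmt)
        if not m:
            continue                      # empty fragment, e.g. after a trailing ';'
        cmd = m.group(1).upper()
        obj = OBJECT_PATTERNS[cmd].search(stmt)
        parsed.append((cmd, obj.group(1).lower() if obj else "?"))  # '?' = object not recognised
    return parsed

def enforce(user: str, payload: bytes) -> str:
    """Enforcement unit: 'pass' for non-database traffic, 'allow' only if every statement is permitted."""
    if not is_database_packet(payload):
        return "pass"                     # not a database packet; firewall rules alone apply
    allowed = RULES.get(user, set())
    for cmd, obj in parse_statements(payload):
        if (cmd, obj) not in allowed and (cmd, "*") not in allowed:
            return "deny"                 # one forbidden statement rejects the whole packet
    return "allow"
```

A packet that chains a permitted SELECT with a forbidden DROP is denied as a whole, which is the per-statement parsing the claim calls for rather than a check on the first keyword only.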