Reverse proxy database system and method
First Claim
1. A method for providing security for a plurality of databases, the method comprising:
providing a plurality of servers;
providing said plurality of databases running on a first portion of said plurality of servers;
providing a plurality of database accessing applications running on a second portion of said plurality of servers;
providing a first network and a second network;
providing a reverse database proxy running on a third portion of said plurality of servers for handling database queries between said plurality of accessing applications and said plurality of databases;
wherein said plurality of accessing applications communicates with said reverse database proxy over said first network and wherein said reverse database proxy communicates with said plurality of databases over said second network;
wherein said reverse database proxy comprises a front end parser and a back end parser;
providing a first secure channel over said first network, wherein said first secure channel comprises a first certificate, and wherein said reverse database proxy issues said first certificate to one of said plurality of accessing applications, such that communication between said reverse database proxy and said one of said plurality of accessing applications is secured by a first certificate;
providing a second secure channel over said second network, wherein said second secure channel comprises a second certificate, and wherein said reverse database proxy issues said second certificate to a receiving database, such that communication between said reverse database proxy and said receiving database is secured by a second certificate;
sending a database query from said one of said plurality of accessing applications to said reverse database proxy over said first secure channel;
parsing by said front end parser of said database query from said one of said plurality of accessing applications into a general format understandable by said reverse database proxy;
analyzing said database query by said reverse database proxy to determine whether said database query is acceptable according to at least one security policy and to determine an address of said receiving database from one of said plurality of databases for receiving said database query;
when said database query is acceptable, passing said database query to said back end parser for parsing into a format according to the requirements of said receiving database;
passing said database query to said address of said receiving database over said second secure channel by said reverse database proxy;
receiving a database response by said reverse database proxy from said receiving database over said second secure channel;
parsing said response from said receiving database by said back end parser into a general format understandable by said reverse database proxy;
analyzing said response by said reverse database proxy to determine whether said database response is acceptable according to at least one security policy;
when said database response is acceptable, then passing said database response to said front end parser for parsing into a format according to the requirements of said one of said plurality of accessing applications; and
transferring said database response to said one of said plurality of accessing applications over said first secure channel by said reverse database proxy;
wherein said analyzing said database response by said reverse database proxy comprises determining whether sensitive information is included in said database response; and
when included, removing said sensitive information before said database response is transferred to said accessing application.
Abstract
A system and method for providing a comprehensive security solution for databases through a reverse proxy, optionally featuring translating database queries across a plurality of different database platforms.
21 Claims
8. A method for providing security for a plurality of databases, the method comprising:
providing a plurality of servers;
providing said plurality of databases running on a first portion of said plurality of servers;
providing a plurality of database accessing applications running on a second portion of said plurality of servers;
providing a network;
providing a reverse database proxy running on a third portion of said plurality of servers for handling database queries between the accessing applications and the databases over said network;
providing a secure channel over said network between each of said accessing applications and said reverse database proxy and between said reverse database proxy and each of said databases;
wherein said secure channel comprises at least one certificate issued for communication between each of said accessing applications and each of said databases;
said certificate transferred from said accessing application to said database through said reverse proxy;
sending a database query from said accessing application to said reverse database proxy over said secured channel;
analyzing said database query by said reverse database proxy to determine whether said database query is acceptable according to at least one policy and to determine an address of a database for receiving said database query;
when said database query is acceptable, passing said database query to said address of said database over said secured channel by said reverse database proxy;
receiving a database response by said reverse database proxy from said database;
analyzing said database response by said reverse database proxy to determine whether said database response is acceptable according to at least one policy; and
when said database response is acceptable, then transferring said database response to said accessing application over said secure channel by said reverse database proxy;
wherein said analyzing said database query by said reverse database proxy to determine whether said database query is acceptable further comprises determining whether said database query requires translation and, when required, translating said database query before transmission to said database, and wherein said analyzing said database response by said reverse database proxy comprises determining whether said database response requires translation and, when required, translating said database response before transmitting to said accessing application.
Dependent claims: 9, 10, 11.
12. A method for providing security for a plurality of databases, the method comprising:
providing a plurality of servers;
providing said plurality of databases running on a first portion of said plurality of servers;
providing a plurality of database accessing applications running on a second portion of said plurality of servers;
providing a network;
providing a reverse database proxy running on a third portion of said plurality of servers for handling database queries between the accessing applications and the databases over said network, wherein said reverse database proxy further comprises a caching module;
providing a secure channel over said network between each of said accessing applications and said reverse database proxy and between said reverse database proxy and each of said databases;
wherein said secure channel comprises at least one certificate issued for communication between each of said accessing applications and each of said databases;
said certificate transferred from said accessing application to said database through said reverse proxy;
sending a database query from said accessing application to said reverse database proxy over said secure channel;
analyzing said database query by said reverse database proxy to determine whether said database query is acceptable according to at least one policy and to determine an address of a database for receiving said database query;
when said database query is acceptable, passing said database query over said secure channel to said address of said database by said reverse database proxy;
receiving a database response by said reverse database proxy from said database;
analyzing said database response by said reverse database proxy to determine whether said database response is acceptable according to at least one policy;
when said database response is acceptable, then transferring said database response to said accessing application over said secure channel by said reverse database proxy; and
caching said database query and said database response in said caching module to form a database query database response pair.
Dependent claims: 13, 14.
15. A method for providing security for a plurality of databases, the method comprising:
providing a plurality of servers;
providing said plurality of databases running on a first portion of said plurality of servers;
providing a plurality of database accessing applications running on a second portion of said plurality of servers;
providing a network;
providing a reverse database proxy running on a third portion of said plurality of servers for handling database queries between the accessing applications and the databases over said network, wherein said reverse database proxy further comprises a plurality of front ends each identified by one of a port or IP address and wherein each of said plurality of front ends corresponds to one of said plurality of databases;
providing a secure channel over said network between each of said accessing applications and said reverse database proxy and between said reverse database proxy and each of said databases;
wherein said secure channel comprises at least one certificate issued for communication between each of said accessing applications and each of said databases;
said certificate transferred from said accessing application to said database through said reverse proxy;
sending a database query from said accessing application to said reverse database proxy over said secure channel;
analyzing said database query by said reverse database proxy to determine whether said database query is acceptable according to at least one policy;
when said database query is acceptable, passing said database query to said one of said plurality of databases over said secure channel based on said one of port or IP address of said front end by said reverse database proxy through a secure channel comprising a certificate;
receiving a database response by said reverse database proxy from said one of said plurality of databases;
analyzing said database response by said reverse database proxy to determine whether said database response is acceptable according to at least one policy; and
when said database response is acceptable, then transferring said database response to said accessing application over said secure channel by said reverse database proxy.
16. A method for providing security for a plurality of databases, the method comprising:
providing a plurality of servers;
providing said plurality of databases running on a first portion of said plurality of servers;
providing a plurality of database accessing applications running on a second portion of said plurality of servers, wherein said database accessing applications are adapted for communication with a database;
providing a first network and a second network;
providing a reverse database proxy running on a third portion of said plurality of servers for handling database queries between said plurality of accessing applications and said plurality of databases;
wherein said plurality of accessing applications communicates with said reverse database proxy over said first network and wherein said reverse database proxy communicates with said plurality of databases over said second network;
providing a first secure channel over said first network, wherein said first secure channel comprises a first certificate, and wherein said reverse database proxy issues said first certificate to one of said plurality of accessing applications, such that communication between said reverse database proxy and said one of said plurality of accessing applications is secured by a first certificate;
providing a second secure channel over said second network, wherein said second secure channel comprises a second certificate, and wherein said reverse database proxy issues said second certificate to a receiving database, such that communication between said reverse database proxy and said receiving database is secured by a second certificate;
sending a database query from one of said plurality of accessing applications to said reverse database proxy over said first secure channel;
analyzing said database query by said reverse database proxy to determine whether said database query is acceptable according to at least one security policy and to determine an address of a receiving database from one of said plurality of databases for receiving said database query;
when said database query is acceptable, passing said database query to said address of said receiving database over said second secure channel by said reverse database proxy;
receiving a database response by said reverse database proxy from said receiving database over said second secure channel;
analyzing said database response by said reverse database proxy to determine whether said database response is acceptable according to at least one security policy; and
when said database response is acceptable, then transferring said database response to said one of said plurality of accessing applications over said first secure channel by said reverse database proxy.
Dependent claims: 17, 18, 19, 20, 21.
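The independent claims above all describe one pipeline: a front end parser turns the client's query into a general format, a policy decides whether the query is acceptable and which database address receives it, a back end parser renders the query in that database's own dialect (claim 8's translation step), the response is checked and any sensitive information removed before forwarding (claim 1), query/response pairs may be cached (claim 12), and each proxy front end, identified by a port, maps to one database (claim 15). The following Python model is an added illustration of that pipeline; it is not code from the patent or from any product. The table and column names, backend addresses, listening ports, the `ssn` sensitive column and the in-memory "databases" are all constructed for the example, and the front end parser understands only simple single-table SELECT statements so that the routing, policy, translation and redaction steps stay visible.

```python
"""Model of the claimed reverse database proxy pipeline.

Added illustration, not code from the patent or any product. Tables, columns,
backend addresses, ports and policy values are constructed for the example.
"""
import re
from dataclasses import dataclass, field

# Constructed receiving databases, keyed by address (claims 1, 8, 12).
BACKENDS = {
    "db-a:5432": {"dialect": "pg", "tables": {"users": [
        {"id": 1, "name": "alice", "ssn": "123-45-6789"},
        {"id": 2, "name": "bob", "ssn": "987-65-4321"},
    ]}},
    "db-b:3306": {"dialect": "mysql", "tables": {"orders": [
        {"id": 10, "user_id": 1, "total": 42.0},
    ]}},
}

# Claim 15: each proxy front end (a listening port) corresponds to one database.
FRONT_ENDS = {15432: "db-a:5432", 13306: "db-b:3306"}

# Security policy (claims 1 and 8): readable tables, and columns that are
# sensitive and must never leave the proxy in a response.
POLICY = {"allowed_tables": {"users", "orders"}, "sensitive_columns": {"ssn"}}

_SELECT = re.compile(
    r"^\s*select\s+(.+?)\s+from\s+(\w+)\s*(?:where\s+(\w+)\s*=\s*(\d+))?\s*;?\s*$", re.I)


def front_end_parse(sql):
    """Front end parser: client SQL -> general, dialect-neutral query dict.
    Only simple SELECTs are understood; anything else yields None and is rejected."""
    m = _SELECT.match(sql)
    if not m:
        return None
    cols, table, wcol, wval = m.groups()
    return {"columns": [c.strip() for c in cols.split(",")], "table": table.lower(),
            "where": (wcol.lower(), int(wval)) if wcol else None}


def query_acceptable(q, address):
    """Query policy: parsed, on an allowed table, and hosted by the routed database."""
    return (q is not None and q["table"] in POLICY["allowed_tables"]
            and q["table"] in BACKENDS[address]["tables"])


def back_end_render(q, dialect):
    """Back end parser: general query -> the receiving database's own dialect
    (claim 8's translation step; here only identifier quoting differs)."""
    quote = "`" if dialect == "mysql" else '"'
    cols = "*" if q["columns"] == ["*"] else ", ".join(f"{quote}{c}{quote}" for c in q["columns"])
    sql = f"SELECT {cols} FROM {quote}{q['table']}{quote}"
    if q["where"]:
        sql += f" WHERE {quote}{q['where'][0]}{quote} = {q['where'][1]}"
    return sql


def execute_backend(address, q):
    """Stand-in for the real database: evaluates the general query on in-memory rows."""
    rows = BACKENDS[address]["tables"][q["table"]]
    if q["where"]:
        rows = [r for r in rows if r.get(q["where"][0]) == q["where"][1]]
    if q["columns"] != ["*"]:
        rows = [{c: r[c] for c in q["columns"] if c in r} for r in rows]
    return rows


def redact(rows):
    """Response policy (claim 1): strip sensitive columns before the reply is forwarded."""
    return [{k: v for k, v in r.items() if k not in POLICY["sensitive_columns"]} for r in rows]


@dataclass
class ReverseDbProxy:
    cache: dict = field(default_factory=dict)   # (port, sql) -> redacted rows (claim 12)
    log: list = field(default_factory=list)     # audit trail of proxy decisions

    def handle(self, port, sql):
        """Run one query through the claimed pipeline and return the proxy's reply."""
        key = (port, sql)
        if key in self.cache:                    # serve a cached query/response pair
            return {"ok": True, "rows": self.cache[key], "cached": True}
        address = FRONT_ENDS.get(port)           # front end port -> receiving database
        q = front_end_parse(sql)
        if address is None or not query_acceptable(q, address):
            self.log.append(("rejected", port, sql))
            return {"ok": False, "error": "query rejected by policy"}
        backend_sql = back_end_render(q, BACKENDS[address]["dialect"])
        self.log.append(("forwarded", address, backend_sql))
        rows = redact(execute_backend(address, q))   # response check before forwarding
        self.cache[key] = rows
        return {"ok": True, "rows": rows, "cached": False, "backend_sql": backend_sql}


if __name__ == "__main__":
    proxy = ReverseDbProxy()
    print(proxy.handle(15432, "SELECT id, name, ssn FROM users WHERE id = 1"))
    print(proxy.handle(13306, "select * from orders"))
    print(proxy.handle(15432, "DROP TABLE users"))
```

Two design points carry over from the claims: the policy is applied to the parsed general format rather than to the raw client string, so the same rule covers every supported client dialect, and redaction happens on the proxy side of the second channel, so the application never receives the sensitive column even when it asked for it by name. The cache stores only the already-redacted response, so a cache hit cannot leak what the first pass removed.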