Database access security

US 7,904,454 B2
Filed: 06/16/2002
Issued: 03/08/2011
Est. Priority Date: 07/16/2001
Status: Expired due to Fees

First Claim

Patent Images

1. A security filter device including a server configured for monitoring an external network connection for database commands to protect database objects from unwanted access comprising:

a data packet inspection unit resident on a node other than a database manager receiving the database commands, and coupled to the network connection for inspecting passing data packets to find and carry out an analysis of database operation text within said packet, the data packet inspection unit configured in association with a firewall between an external network and an internal LAN containing the database objects for guarding a respective database, the data packet inspection unit comprising;

a packet analysis unit to look for structure associated with database operation text; and

a parsing unit, associated with said packet analysis unit to parse said database operation text into underlying statements comprising at least database operation commands and database objects; and

an enforcement unit, associated with said data packet inspection unit for applying enforcement rules to said data packet, based at least partly on said analysis, the enforcement unit operable to protect respective database objects, the data packet inspection unit configured to first identify database communication packets from other types of packets, and then to pass database destined access attempts to the enforcement unit for application of the enforcement rules based on the database operation commands and database objects.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Apparatus for protection of database objects from unwanted access, particularly from external connections via a firewall (20). The apparatus comprises a data packet parsing unit (54) for parsing a data packet to find database operation commands in the packet, and an enforcement unit (56) for applying enforcement rules to the data packet, thereby to protect respective database objects. The apparatus may form an additional layer (50, 52) of protection in conjunction with a firewall (20) to protect internal data.

196 Citations

30 Claims

1. A security filter device including a server configured for monitoring an external network connection for database commands to protect database objects from unwanted access comprising:
- a data packet inspection unit resident on a node other than a database manager receiving the database commands, and coupled to the network connection for inspecting passing data packets to find and carry out an analysis of database operation text within said packet, the data packet inspection unit configured in association with a firewall between an external network and an internal LAN containing the database objects for guarding a respective database, the data packet inspection unit comprising;
  
  a packet analysis unit to look for structure associated with database operation text; and
  
  a parsing unit, associated with said packet analysis unit to parse said database operation text into underlying statements comprising at least database operation commands and database objects; and
  
  an enforcement unit, associated with said data packet inspection unit for applying enforcement rules to said data packet, based at least partly on said analysis, the enforcement unit operable to protect respective database objects, the data packet inspection unit configured to first identify database communication packets from other types of packets, and then to pass database destined access attempts to the enforcement unit for application of the enforcement rules based on the database operation commands and database objects.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 2. The security filter device according to claim 1, wherein said data packet inspection unit is configurable to be positioned between two LANs.
  - 3. The security filter device according to claim 1, wherein said data packet inspection unit is further operable to find information regarding sources of respective data packets and regarding data objects of respective commands.
  - 4. The security filter device according to claim 3, wherein said enforcement rules each comprise at least one condition, said condition being the presence in the database operation text of a predetermined database operation command.
  - 5. The security filter device according to claim 3, wherein said enforcement rules each comprise at least one condition, said condition being the presence in the database operation text of any one of a group of database operation commands belonging to a preformulated group.
  - 6. The security filter device according to claim 3, wherein said enforcement rules each comprise at least one condition, said condition being the specification within the database operation text of a predetermined database object.
  - 7. The security filter device according to claim 3, wherein said enforcement rules each comprise at least one condition, said condition being the specification within the database operation text of any one of a group of database objects belonging to a preformulated group.
  - 8. The security filter device according to claim 1, further comprising a management module for setting said enforcement rules.
  - 9. The security filter device according to claim 8, wherein said management module is further operable to define groups of database commands, said groups being usable to define said enforcement rules.
  - 10. The security filter device according to claim 8, wherein said management module is accessible via a graphical user interface.
  - 11. The security filter device according to claim 10, wherein said management module is operable to set an access policy comprising a plurality of rules, each rule specifying a group of commands, a group of users and a group of data objects, said access policy being transferable to said enforcement unit.
  - 12. The security filter device according to claim 1, wherein at least some of said enforcement rules define logging activities and said enforcement unit further comprises logging functionality therefor.
  - 13. The security filter device according to claim 1, wherein said inspecting comprises obtaining a signature from said database operation text and wherein at least some of said enforcement rules relate at least in part to said signatures.
  - 14. The security filter device according to claim 1, wherein said data packet inspection unit is operable as an addressable node having a node address, the node address recognized by the external network.
  - 15. The security filter device of claim 1, wherein the data packet inspection unit is disposed on an external connection to the database for examining data packets independently of local connections, the enforcement unit responsive to packets identified by the data packet inspection unit for selectively restricting access according to the enforcement rules.
  - 16. The security filter device of claim 1 wherein:
    - the data packet inspection unit receives packets from a firewall, the received packets having passed access scrutiny imposed by the firewall, and identifies the received packets as database access packets, the database access packets emanating from a user and indicative of a requested operation to be performed on a database object; and
      
      the enforcement unit determines selective access based on the emanating user, the requested operation, and the database object.
  - 17. The security filter device of claim 1 wherein the structure is defined according to a database protocol for performing field based queries.
  - 18. The security filter device of claim 1 wherein the database operation text includes a command denoting an action, and an object, denoting the data to be changed, the changed data including user data stored on behalf of a user for subsequent access and retrieval.
  - 19. The security filter device of claim 1 wherein the enforcement rules referring to the database operation text include:
    - a command name indicative of at least one syntax element of a database protocol indicative of the commands the enforcement rule applies;
      
      an object name indicative of database fields to which the enforcement rule applies;
      
      an action to be performed upon application of the enforcement rule; and
      
      a priority indicating precedence in the event multiple rules apply to the database operation text.
  - 20. The security filter device of claim 1 wherein the data packet inspection unit is further configured for inspecting both the incoming commands and objects and a returned result of the commands and objects.

21. In a server configured for monitoring an external network connection for database commands, a method for protection of database objects from unwanted access comprising:
- parsing, on a node other than a database manager receiving the database commands, a data packet to find database operation commands in said packet;
  
  finding information regarding sources of respective data packets and regarding data objects of respective commands, said finding information regarding sources of respective data packets being carried out per user connection, the method further comprising associating said sources with data packets of said user connection, associating further comprising;
  
  analyzing the data packets to look for structure associated with database operation text; and
  
  parsing said database operation text into underlying statements comprising at least database operation commands and database objects; and
  
  applying enforcement rules to said data packet, the enforcement rules specifying conditions based at least partially on the found information and on said database operation commands for protecting the respective database objects, the applied enforcement per user connection providing selective database access based on the user, database object and database operation independently of firewall enforcement actions, enforcement further comprising;
  
  first identifying database communication packets from other types of packets, andpassing database destined access attempts for application of the enforcement rules based on the database operation commands and database objects.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 22. The method according to claim 21, further comprising applying said enforcement rules selectively to said data packets, depending on information found in respective data packets by said parsing.
  - 23. The method according to claim 22, wherein said database operation commands are arranged in groups and wherein said enforcement rules relate to said groups.
  - 24. The method according to claim 23, wherein said sources are arranged in groups and said enforcement rules relate to said groups.
  - 25. The method according to claim 24, wherein said database objects are arranged in groups and wherein said enforcement rules relate to said groups.
  - 26. The method according to claim 21, further comprising arranging said database commands into groups and using said groups to define said enforcement rules.
  - 27. The method according to claim 26, further comprising forming an access policy by arranging together a plurality of rules for use.
  - 28. The method of claim 21 wherein parsing further comprises identifying data packets corresponding to a data access transaction conformant to a predetermined data access protocol.
  - 29. The method of claim 28 wherein the data access transaction is indicative of statements corresponding to the database operation commands, further comprising interpreting the statements and comparing the statements to rules operable to indicate allowability of the data access transaction.
  - 30. The method of claim 29 wherein the statements correspond to SQL text according to SQL syntax.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Raab, Moshe
Primary Examiner(s)
Breene; John E
Assistant Examiner(s)
MYINT, DENNIS Y

Application Number

US10/483,275
Publication Number

US 20060059154A1
Time in Patent Office

3,187 Days
Field of Search

707/9, 707/101, 707/749, 707/733
US Class Current

707/733
CPC Class Codes

G06F 21/6227   where protection concerns t...

H04L 63/0245   Filtering by information in...

H04L 63/102   Entity profiles

H04L 63/1416   Event detection, e.g. attac...

Database access security

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

196 Citations

30 Claims

Specification

Use Cases

Quick Links

Others

Database access security

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

196 Citations

30 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others