MySQL 5.7 Secure Deployment Guide  /  Installing the MySQL Enterprise Firewall Plugin

Chapter 8 Installing the MySQL Enterprise Firewall Plugin

MySQL Enterprise Firewall is an application-level firewall that enables database administrators to permit or deny SQL statement execution based on matching against whitelists of accepted statement patterns. This helps harden MySQL against attacks such as SQL injection or attempts to exploit applications by using them outside of their legitimate query workload characteristics.

Each MySQL account registered with the firewall has its own statement whitelist, enabling protection to be tailored per account. For a given account, the firewall can operate in recording, protecting, or detecting mode, for training in the accepted statement patterns, active protection against unacceptable statements, or passive detection of unacceptable statements.

MySQL Enterprise Firewall installation is a one-time operation that involves running a script located in the share directory of your MySQL installation.

To install MySQL Enterprise Firewall:

  1. Run the linux_install_firewall.sql script that is located in the /usr/local/mysql/share directory.

    The installation script creates stored procedures in the default database, so choose a database to use. Then run the script as follows, naming the chosen database on the command line. This deployment uses the mysql database.

    shell> cd /usr/local/mysql
    shell> bin/mysql -u root -p mysql < /usr/local/mysql/share/linux_install_firewall.sql
    Enter password: (enter root password here)

  2. MySQL Enterprise Firewall does not work together with the query cache. By default, the query cache is disabled. Ensure that the query cache remains disabled by specifying these settings under the [mysqld] option group in the MySQL configuration file:

    query_cache_type=0
    query_cache_size=0

    Setting query_cache_size to 0 deallocates the query cache buffer.

  3. To enable the firewall, enable the mysql_firewall_mode system variable. By default, this variable is enabled when the firewall is installed. To configure the firewall state explicitly, add it under the [mysqld] option group in the MySQL configuration file:

    mysql_firewall_mode=ON

  4. Restart MySQL server to apply the new configuration settings.

    shell> systemctl restart mysqld

  5. To verify that MySQL Enterprise Firewall is enabled, connect to the server and execute this statement:

    shell> cd /usr/local/mysql
    shell> bin/mysql -u root -p
    Enter password: (enter the root password here)
    mysql> SHOW GLOBAL VARIABLES LIKE 'mysql_firewall_mode';
    +---------------------+-------+
    | Variable_name       | Value |
    +---------------------+-------+
    | mysql_firewall_mode | ON    |
    +---------------------+-------+

MySQL Enterprise Firewall is now enabled and ready for use. For information about registering accounts with the firewall and configuring operational modes, see Using MySQL Enterprise Firewall.
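
A check for steps 2 and 3 that can be run before the restart in step 4, as an added example that is not part of the MySQL guide: it reads the [mysqld] group of an option file and reports any of the three settings that is missing or differs from the values given above. The function names and the sample file are constructed for illustration, and !include directives are not followed.

```shell
# Added example (not from the MySQL guide): audit [mysqld] in an option file.

# get_mysqld_opt FILE NAME: print the effective value of NAME in [mysqld].
get_mysqld_opt() {
    awk -v want="$2" '
        /^[ \t]*[#;]/ { next }                  # comment line
        /^[ \t]*\[/ {                           # group header, case-insensitive
            grp = tolower($0); gsub(/^[ \t]*\[|\][ \t\r]*$/, "", grp); next
        }
        grp == "mysqld" && index($0, "=") {
            name = substr($0, 1, index($0, "=") - 1)
            val  = substr($0, index($0, "=") + 1)
            gsub(/[ \t]/, "", name); gsub(/-/, "_", name)  # dashes == underscores
            sub(/[ \t]+#.*$/, "", val)                     # trailing comment
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            if (name == want) last = val                   # last occurrence wins
        }
        END { print last }
    ' "$1"
}

# check_firewall_cnf FILE: return 0 only if all three settings are present
# with the guide's values; an unset option is reported, since the guide pins
# each one explicitly. Equivalent spellings (1 for ON) are reported too.
check_firewall_cnf() {
    rc=0
    for pair in query_cache_type=0 query_cache_size=0 mysql_firewall_mode=ON; do
        name=${pair%%=*}; expect=${pair#*=}
        got=$(get_mysqld_opt "$1" "$name")
        if [ "$got" != "$expect" ]; then
            echo "$name: expected $expect, found '${got:-<unset>}'"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: a later line in [mysqld] turns the firewall back off.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[mysqld]
query-cache-type = 0
query_cache_size=0
mysql_firewall_mode=ON
mysql_firewall_mode=OFF
EOF
check_firewall_cnf "$sample" || echo "option file deviates from the guide"
rm -f "$sample"
```

The option file only shows what the server will read at startup; the SHOW GLOBAL VARIABLES statement in step 5 remains the check of the running server.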
