Securing PostgreSQL From External Attack

BRUCE MOMJIAN
January, 2012

Database systems are rich with attack vectors to exploit. This presentation explores the many potential PostgreSQL external vulnerabilities and shows how they can be secured.

Creative Commons Attribution License
http://momjian.us/presentations

Securing PostgreSQL, From External Attack 1 / 29

Attack Vectors

External Attack Vectors

◮ 'Trust' security
◮ Passwords / authentication theft
◮ Network snooping
◮ Network pass-through spoofing
◮ Server / backup theft
◮ Administrator access

Internal Attack Vectors (Not Covered)

◮ Database object permissions
◮ SQL injection attacks
◮ Application vulnerability
◮ Operating system compromise

Authentication Security

http://www.my-time-machines.net/mosler_34.htm

Avoid 'Trust' Security

    # TYPE  DATABASE    USER        CIDR-ADDRESS          METHOD

    # "local" is for Unix domain socket connections only
    local   all         all                               trust
    # IPv4 local connections:
    host    all         all         127.0.0.1/32          trust
    # IPv6 local connections:
    host    all         all         ::1/128               trust

Solution: Use the initdb -A flag, i.e., you don't want to see this:

    WARNING: enabling "trust" authentication for local connections
    You can change this by editing pg_hba.conf or using the -A option the
    next time you run initdb.

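
An added example, not part of the original slides: a small auditor that reads pg_hba.conf text and reports rules using 'trust' or clear-text 'password', plus remote 'host' rules, which also match non-SSL connections. The function names and the sample rules are constructed for illustration, and quoted names containing spaces are assumed not to occur.

```python
import ipaddress

# Flagged methods: "trust" (this slide) and clear-text "password".
WEAK_METHODS = {
    "trust": "no authentication; any client that can connect is accepted",
    "password": "password is sent unhashed and can be snooped",
}

def parse_hba(text):
    """Yield (lineno, type, address, method); assumes no quoted names with spaces."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 4 and fields[0] == "local":
            yield lineno, "local", None, fields[3]  # local rules have no address
        elif len(fields) >= 5:
            address, rest = fields[3], fields[4:]
            try:  # "IP NETMASK" form spreads the address over two columns
                ipaddress.ip_address(rest[0])
                address, rest = f"{address}/{rest[0]}", rest[1:]
            except ValueError:
                pass
            if rest:
                yield lineno, fields[0], address, rest[0]

def is_loopback(address):
    try:
        return ipaddress.ip_network(address, strict=False).is_loopback
    except ValueError:  # hostname or keyword such as "all" or "samenet"
        return False

def audit_hba(text):  # returns [(lineno, message), ...]
    findings = []
    for lineno, ctype, address, method in parse_hba(text):
        if method in WEAK_METHODS:
            findings.append((lineno, f"{method}: {WEAK_METHODS[method]}"))
        if ctype == "host" and not is_loopback(address):
            findings.append((lineno, "host also matches non-SSL connections; use hostssl"))
    return findings

# Constructed sample: the slide's three default rules plus two remote rules.
SAMPLE = """\
local   all  all                      trust
host    all  all  127.0.0.1/32        trust
host    all  all  ::1/128             trust
host    all  all  10.0.0.0 255.0.0.0  password
hostssl all  all  0.0.0.0/0           md5
"""

if __name__ == "__main__":
    print(*audit_hba(SAMPLE), sep="\n")
```
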
Password Snooping

Diagram: Database Client and PostgreSQL Database Server.

    Client -> Server: Connection Request
    Server -> Client: Need Password
    Client -> Server: Password Sent (vulnerable to snooping)

    Stored on the server: md5(password+username)

Using 'username' in the MD5 string prevents the same password used by different users from appearing the same. It also adds some randomness to the md5 checksums.

MD5 Authentication Prevents Password Snooping

Diagram: Database Client and PostgreSQL Database Server.

    Client -> Server: connection request
    Server -> Client: need password, sent random salt
    Client -> Server: md5(md5(password+username) + salt)

    Stored on the server: md5(password+username)

MD5 Authentication Prevents Password Replay

Diagram: Database Client, Malicious Database Client and PostgreSQL Database Server.

    Client -> Server: connection request
    Server -> Client: need password, sent random salt0
    Client -> Server: md5(md5(password+username) + salt0)
    Server -> Client: OK

    Malicious Client -> Server: connection request
    Server -> Malicious Client: need password, sent random salt1
    Malicious Client -> Server: md5(md5(password+username) + salt0)   X (replay rejected)

    Stored on the server: md5(password+username)

The salt is a random four-byte integer, so millions of connection attempts might allow the reuse of an old authentication reply.

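
An added example, not part of the original slides: the challenge-response from the two MD5 slides above, following the slides' formula, showing that a reply computed for salt0 fails against salt1 and estimating how often a four-byte salt repeats. The function names and credentials are constructed, and salt_reuse_chance assumes salts are uniform and independent.

```python
import hashlib
import hmac
import os

def md5hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def stored_hash(password: str, username: str) -> str:
    """Value kept by the server: md5(password+username)."""
    return md5hex((password + username).encode())

def client_response(password: str, username: str, salt: bytes) -> str:
    """Client's reply: md5(md5(password+username) + salt)."""
    return md5hex(stored_hash(password, username).encode() + salt)

def server_verify(stored: str, salt: bytes, response: str) -> bool:
    """Server recomputes the reply from its stored hash and the salt it sent."""
    return hmac.compare_digest(md5hex(stored.encode() + salt), response)

def salt_reuse_chance(captured: int, connections: int) -> float:
    """Chance that at least one of `connections` new salts equals one of
    `captured` previously observed salts (four-byte salt, 2**32 values)."""
    return 1.0 - (1.0 - captured / 2**32) ** connections

def demo():
    stored = stored_hash("s3cret", "alice")      # constructed credentials
    salt0, salt1 = os.urandom(4), os.urandom(4)
    while salt1 == salt0:                        # force two distinct salts
        salt1 = os.urandom(4)
    reply = client_response("s3cret", "alice", salt0)
    return {
        "fresh reply accepted": server_verify(stored, salt0, reply),
        "old reply accepted under new salt": server_verify(stored, salt1, reply),
        "same password, two users, same hash": stored == stored_hash("s3cret", "bob"),
    }

if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value}")
    print(f"salt reuse, 1 captured reply, 10**6 connections: "
          f"{salt_reuse_chance(1, 10**6):.6f}")
```
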
Password Attacks

◮ Weak passwords
◮ Reuse of old passwords
◮ Brute-Force password attacks

None of these vulnerabilities is prevented by Postgres directly, but external authentication methods, like LDAP, PAM, and SSPI, can prevent them.

Queries and Data Still Vulnerable to Network Snooping

Diagram: Database Client and PostgreSQL Database Server.

    Client -> Server: SELECT * FROM customers;
    Server -> Client: Barr Bearings | $10230 | James Akel

    Queries and data vulnerable to snooping

Password changes are also vulnerable to snooping.

SSL Prevents Snooping By Encrypting Queries and Data

Diagram: Database Client and PostgreSQL Database Server.

    Client -> Server: AES256(SELECT * FROM customers);
    Server -> Client: AES256(Barr Bearings | $10230 | James Akel)

    Queries and data encrypted by SSL

Preventing Spoofing

http://redwing.hutman.net/~mreed/warriorshtm/impostor.htm

Localhost Spoofing While the Database Server Is Down

Diagram: Database Client, Fake PostgreSQL Database Server, and the real PostgreSQL Database Server (X, down).

    Client -> Fake Server: Connection Request
    Fake Server -> Client: Need Plain Password
    Client -> Fake Server: Password Sent

    Fake server: Records passwords for later use with the real server

Uses a fake socket or binds to port 5432 while the real server is down. (/tmp is world-writable and 5432 is not a root-only port.) The server controls the choice of 'password' instead of 'md5'.

Network Spoofing

Diagram: Database Client, Fake PostgreSQL Database Server, and the real PostgreSQL Database Server (X).

    Client -> Fake Server: Connection Request
    Fake Server -> Client: Need Plain Password
    Client -> Fake Server: Password Sent

    Fake server: Records passwords for later use with the real server

Without SSL 'root' certificates there is no way to know if the server you are connecting to is a legitimate server.

Network Spoofing Pass-Through

Diagram: Database Client, Fake PostgreSQL Database Server, and the real PostgreSQL Database Server.

    Client -> Fake Server: Connection Request
    Fake Server -> Client: Need Plain Password
    Client -> Fake Server: Password Sent
    Real Server: OK
    Query and Result pass through the fake server in both directions

    Fake server: Records passwords for later use with the real server. It can also capture queries, data, and inject its own queries.

Without SSL 'root' certificates there is no way to know if the server you are connecting to is a legitimate server.

SSL 'Prefer' Is Not Secure

Diagram: Database Client, Fake PostgreSQL Database Server, and the real PostgreSQL Database Server.

    Client -> Fake Server: Prefer SSL
    Fake Server -> Client: No SSL
    Client -> Fake Server: Non-SSL
    Fake Server <-> Real Server: SSL or Non-SSL
    Real Server: OK
    Query and Result pass through the fake server in both directions

    Fake server: Records passwords for later use with the real server. It can also capture queries, data, and inject its own queries.

Without SSL 'root' certificates there is no way to know if the server you are connecting to is a legitimate server.

SSL 'Require' Is Not Secure From Spoofing

Diagram: Database Client, Fake PostgreSQL Database Server, and the real PostgreSQL Database Server.

    Client -> Fake Server: Require SSL
    Fake Server -> Client: OK SSL
    Client -> Fake Server: SSL
    Fake Server <-> Real Server: SSL or Non-SSL
    Real Server: OK
    Query and Result pass through the fake server in both directions

    Fake server: Records passwords for later use with the real server. It can also capture queries, data, and inject its own queries.

Without SSL 'root' certificates there is no way to know if the server you are connecting to is a legitimate server.

SSL 'Verify-CA' Is Secure From Spoofing

Diagram: Database Client (root.crt), Fake PostgreSQL Database Server, and the real PostgreSQL Database Server (server.crt).

    Client -> Fake Server: SSL verify-ca
    Fake Server -> Client: Invalid certificate (no CA signature)   X

SSL 'Verify-full' Is Secure Even From Some Certificate Thefts

Diagram: Database Client (root.crt), Fake PostgreSQL Database Server (server.crt), and the real PostgreSQL Database Server (server.crt).

    Client -> Fake Server: SSL verify-full
    Fake Server -> Client: Invalid certificate (hostname mismatch)   X

Certificate stolen from a CA-trusted computer, but not the database server.

Data Encryption To Avoid Data Theft

http://jproc.ca/crypto/enigma.html

Disk Volume Encryption

http://www.pclaunches.com/

Column Encryption

       id   |        name        |      credit_card_number
    --------+--------------------+------------------------------
     428914 | Piller Plaster Co. | \xc30d04070302254dc045353f28 ;
            |                    | 456cd241013e2d421e198f3320e8 ;
            |                    | 41a7e4f751ebd9e2938cb6932390 ;
            |                    | 5c339c02b5a8580663d6249eb24f ;
            |                    | 192e226c1647dc02536eb6a79a65 ;
            |                    | 3f3ed455ffc5726ca2b67430d5

Encryption methods are decryptable (e.g. AES), while hashes are one-way (e.g. MD5). A one-way hash is best for data like passwords that only need to be checked for a match, rather than decrypted.

Where to Store the Key? On the Server

Diagram: Database Client and PostgreSQL Database Server (holds the key).

    Client -> Server: SELECT * FROM customers;
    Server -> Client: Barr Bearings | $10230 | James Akel   (decrypted data)

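Store the Key on an Intermediate Server

Diagram: Database Client, Cryptographic Server (holds the key), and PostgreSQL Database Server.

    Client -> Cryptographic Server: SELECT
    Cryptographic Server -> Database Server: SELECT
    Database Server -> Cryptographic Server: V#ja20a   (encrypted)
    Cryptographic Server -> Client: Barr Bearings   (decrypted)
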
Store the Key on the Client and Encrypt/Decrypt on the Server

Diagram: Database Client (holds the key) and PostgreSQL Database Server.

    Client -> Server: SELECT decrypt(col, key) FROM customers;
    Server -> Client: Barr Bearings | $10230 | James Akel   (decrypted data)

Encrypt/Decrypt on the Client

Diagram: Database Client (holds the key) and PostgreSQL Database Server.

    Client -> Server: SELECT * FROM customers;
    Server -> Client: V#aei32ok3   (encrypted data)

This prevents server administrators from viewing sensitive data.

Store the Key on a Client Hardware Token

Diagram: Database Client (key on a hardware token) and PostgreSQL Database Server.

    Client -> Server: SELECT * FROM customers;
    Server -> Client: V#aei32ok3   (encrypted data)

This prevents problems caused by client hardware theft.

Conclusion

http://momjian.us/presentations

Todd Ehlers, Flickr