securing your database servers from external attacks
play

Securing your database servers from external attacks Alkin Tezuysal - PowerPoint PPT Presentation

Oct 13, 2023 •112 likes •429 views

Securing your database servers from external attacks Alkin Tezuysal (Sr. Technical Manager,Percona) David Busby (Information Security Architect, Percona) Who we are? David Busby (@icleus) Alkin Tezuysal ( @ask_dba ) Technical

  1. Securing your database servers from external attacks Alkin Tezuysal (Sr. Technical Manager,Percona) David Busby (Information Security Architect, Percona)

  2. Who we are? David Busby (@icleus) Alkin Tezuysal ( @ask_dba ) ● ● Technical Security Evangelist Open Source Database Evangelist ● ● Open Source Evangelist Global Database Operations Expert ● ● Certified Information Systems Security Professional Cloud Infrastructure Architect AWS ● ● Assistant Scout Leader Inspiring Technical and Strategic Leader ● ● Assistant Instructor computing for children Creative Team Builder ● ● Ju-Jitsu nidan and ex-Instructor Speaker, Mentor, and Coach ● Outdoor Enthusiast 2

  3. Agenda Security Common Sense ● MySQL Security ● MySQL Passwords ○ MySQL Communication ○ MySQL Encryption ○ Security Best Practices ● MySQL Security in Cloud Operators (AWS) ● Q & A ● 3

  4. Database Security Best Practices Apply Common Sense here

  5. Security Do’s Restrict access to database hosts ● Not just to the Database service ○ Create individual users, use roles MySQL 8.0 ● Set a password for all users ● Remove anonymous and obsolete users ● Use up-to-date software ● Review, update, modify security policies as needed ● Always remember to secure internal before blocking ● external vulnerabilities 5

  6. Password Attacks Weak passwords? ● Reusing old passwords? ● Leverage password validation plugin! ● Old version of MySQL those not password feature ● rich? MySQL unsha1 attack ● MySQL hash cracking OSS (john, hashcat, etc...) ● 6

  7. Network Operations All connections must use SSL (or other encryption) ● Performance impact is minimal versus risks ○ Mysql ~>= 5.7 has SSL connection by default ● Ensure >= 5.7.13 ○ Network encrypted tunnel options ● N2N, openvpn (TLS), ssh tunnel, IPSEC, ○ Links: https://www.percona.com/blog/2017/06/27/ssl-connections-in-mysql-5-7/ https://www.percona.com/blog/2017/09/19/proxysql-improves-mysql-sslconnections/ http://databaseblog.myname.nl/2017/05/mysql-and-ssltls-performance.html https://github.com/ntop/n2n 7

  8. MySQL Data Encryption Disk Volume encryption ● BitLocker, FileVault2, LUKS, eCryptFS, Veracrypt, ○ EBS encrypted volumes (please use KMS for encryption keys!) At-rest encryption for InnoDB tablespace ● At-rest encryption for binary logs ● Links: https://dev.mysql.com/doc/refman/5.7/en/faqs-tablespace-encryption.html https://docs.oracle.com/cd/E17952_01/mysql-5.7-en/innodb-tablespace-encryption.html https://www.percona.com/doc/percona-server/LATEST/management/data_at_rest_encryption.html 8

  9. Connection Overhead https://tinyurl.com/ycldtnpk https://tinyurl.com/y7v7jhmo 9

  10. Security Features by MySQL MySQL variants

  11. MySQL Variants MySQL Community Edition 5.5 -> 8.0 ● MySQL Enterprise Edition ● Percona Server 5.5 -> 5.7 -> 8.0 ● MariaDB 5.5, 10.X ● Galera, Group Replication/InnoDB Cluster ● X Protocol/mysqlsh (33060) -> 8.0 ● Links: https://dev.mysql.com/doc/internals/en/x-protocol.html https://dev.mysql.com/doc/internals/en/x-protocol-authentication-authentication.html 11

  12. MySQL Security by Version ● GRANT (3.23) ● ALTER USER (5.6) ● REVOKE (3.23) ● SHOW CREATE USER (5.7) ● SET PASSWORD (3.23) ● CREATE ROLE (8.0) ● SHOW GRANTS (3.23) ● DROP ROLE (8.0) ● DROP USER (4.1) ● SET ROLE (8.0) ● SHOW PRIVILEGES (4.1) ● SET DEFAULT ROLE (8.0) ● CREATE USER (5.0) ● RENAME USER (5.0) 12

  13. Important mysql.user table < 5.5 host user password > 5.5 authentication_string > 5.6 password_expired > 5.7 account_locked password (removed) > 8.0 create_role_priv drop_role_priv 13

  14. Security Features by MySQL Version ● 5.1 - McAfee Audit plugin ● 5.7 - grep for root password on installation, ● 5.5 - pluggable authentication (MariaDB 5.2 password expiry every ‘n’ days, user accounts backport), proxy users, changes in mysql.user can be locked/unlocked, mysql_ssl_rsa_setup, table, client password warning; Enterprise mysql.user.password removed, provided Audit and PAM authentication (present super_read_only, at rest tablespace encryption again in Percona Server for MySQL and ● 8.0 - roles + mysql.user changes MariaDB Server) ● Percona Server ● 5.6 - encrypted client credentials ○ MySQL 5.5 - extended SHOW GRANTS, (mysql_config_editor), sha256_password, utility user, userstats , Audit Plugin password expiry, ○ MySQL 5.6 - super_read_only VALIDATE_PASSWORD_STRENGTH(), --random-passwords (optional random on ○ MySQL 5.7 - Vault plugin install), mysql.user password_expired column; Enterprise Firewall 14

  15. Harden your MySQL Security ● Set a password for ‘root’ ● Remove all anonymous users ● Remove ‘test’ database (gone on 8.0) ● Use mysql_secure_installation where possible (5.7) ● Install (and use!) validate_password plugin (>= 5.6) ○ There are methods which circumvent this however ... ... IDENTIFIED BY ‘*ABC...’ (passing the hash, allows using a weak password) ■ ● Ensure Path of Least Privilege ○ Stop using GRANT ALL on *.*... ○ ALL includes: FILE, CREATE_ROUTINE, SUPER, ○ Allowing write on mysql.users can allow injection of credentials that will be loaded at a later time! 15

  16. MySQL Security in the Cloud AWS Focused

  17. Pillars of AWS Security Data Protection Privilege Management Security Infrastructure Detective Controls Management 17

  18. AWS Security Best Practices ● Know shared responsibility model ● Manage AWS Accounts, IAM / MFA Users, Groups, and Roles ● EC2 Topology management ○ VPC ● RDS MySQL ○ RDS ○ AURORA ● AWS Tools ○ CloudTrail ○ CloudWatch ○ Config 18

  19. AWS Security Best Practices ● RDS ○ Shared responsibility for container service ● EC2 ○ Amazon Machine Images (AMIs) ○ Operating systems • Applications ○ Data in transit ○ Data at rest ○ Data stores ○ Credentials - Key pairs ○ Policies and configuration 19

  20. AWS Shared Responsibility Model 20

  21. AWS IAM is your friend ● Centrally manage users ● Manage security credentials ○ passwords, access keys, and permissions policies ● Beware of regions, availability zones, endpoints ● AWS API keys require strict protection ○ E.g. code pushed to Github, Bitbucket etc with keys 21

  22. In addition to IAM ● AWS Key Management Service ● AWS CloudTrail ○ Audit logging, invaluable to know what occurred and when ● AWS Maice - Data Classification Service ● AWS Trusted Advisor ○ Automated tool to get reports on security groups etc (if you spend enough) https://aws.amazon.com/premiumsupport/ta-faqs/ 22

  23. Pre-configure and harden EC2 AMI ● Disable root API access keys and secret key ● Require MFA for all IAM accounts ● Restrict access to instances from limited IP ranges using Security Groups ● Password protect the .pem file on user machines ● Delete keys from the authorized_keys file on your instances when someone leaves your organization or no longer requires access ● Rotate credentials (DB, Access Keys) ● Regularly run least privilege checks using IAM user Access Advisor and IAM user Last Used Access Keys ● Use bastion hosts to enforce control and visibility 23

  24. Utilizing AWS VPC 24

  25. MySQL Data in Transit ● Web Layer ○ Encrypt data in transit using IPSec ESP and/or SSL/TLS ○ Authenticate data integrity using IPSec ESP/AH, and/or SSL/TLS ○ Use IPSec with IKE with pre-shared keys ● Database Layer ○ SSL/TLS is currently supported for connections to Amazon RDS MySQL ○ AWS provides a single self-signed certificate associated with the MySQL 25

  26. AWS Trusted Advisory Tool Checks ● Limited access to common administrative ports to only a small subset of addresses. This includes ports 22 (SSH), 23 (Telnet) 3389 (RDP), and 5500 (VNC). ● Limited access to common database ports. This includes ports 1433 (MSSQL Server), 1434 (MSSQL Monitor), 3306 (MySQL) , Oracle (1521) and 5432 (PostgreSQL). ● IAM is configured to help ensure secure access control of AWS resources. ● Multi-factor authentication (MFA) token is enabled to provide two-factor authentication for the root AWS account. 26

  27. References and Credits References: Credits: ● Colin Charles ● AWS Security Best Practices ● Janos Ruzso ● AIM Best Practices ● Tibor Korocz ● Amazon Virtual Private Cloud ● Jervin Real Connectivity Options ● Daniel van Eeden ● VPC Networking Components ● SSL Connections in MySQL 5.7 ● ProxySQL Improves MySQL SSL Connections ● Everything about MySQL Users and Logins You Didn’t Know and Were Afraid to Ask 27

  28. Questions and Answer

  29. Thank You Sponsors!! 29

  30. Rate My Session 30

Recommend

SQL Injection Attacks Many web servers have backing databases Much of their information

SQL Injection Attacks Many web servers have backing databases Much of their information

SQL Injection Attacks Many web servers have backing databases Much of their information stored in a database Web pages are built (in part) based on queries to a database Possibly using some client input . . . Lecture 16 Page 1

646 views • 21 slides
Securing PostgreSQL From External Attack B RUCE M OMJIAN January, 2012 Database systems are rich

Securing PostgreSQL From External Attack B RUCE M OMJIAN January, 2012 Database systems are rich

Securing PostgreSQL From External Attack B RUCE M OMJIAN January, 2012 Database systems are rich with attack vectors to exploit. This presentation explores the many potential PostgreSQL external vulnerabilities and shows how they can be

318 views • 29 slides
NEBC Database Course 2008 Database Servers Database Interfaces Tim Booth : tbooth@ceh.ac.uk

NEBC Database Course 2008 Database Servers Database Interfaces Tim Booth : tbooth@ceh.ac.uk

NEBC Database Course 2008 Database Servers Database Interfaces Tim Booth : tbooth@ceh.ac.uk What is an RDBMS? A PostgreSQL database is not just kept in a big file, like a spreadsheet. A program called the database server, or RDBMS,

323 views • 14 slides
Securing Linux VMs in a Hosted Environment mikbras@microsoft.com Goal attacks from the

Securing Linux VMs in a Hosted Environment mikbras@microsoft.com Goal attacks from the

Securing Linux VMs in a Hosted Environment mikbras@microsoft.com Goal attacks from the outside To protect Linux VMs from outside attacks (from processes running on the host). Injecting code into the boot chain. Stealing data from

559 views • 18 slides
DATABASE SYSTEMS Database programming in a web environment Database System Course AGENDA FOR

DATABASE SYSTEMS Database programming in a web environment Database System Course AGENDA FOR

DATABASE SYSTEMS Database programming in a web environment Database System Course AGENDA FOR TODAY The final project Advanced Mysql Database programming Recap: DB servers in the web Web programming architecture HTTP on a need-to-know basis.

688 views • 54 slides
CSE 132C Database System Implementation Arun Kumar Topic 3: External Sorting Chapter 13 of

CSE 132C Database System Implementation Arun Kumar Topic 3: External Sorting Chapter 13 of

CSE 132C Database System Implementation Arun Kumar Topic 3: External Sorting Chapter 13 of Cow Book Slide ACKs: Jignesh Patel, Paris Koutris 1 External Sorting: Outline Overview and Warm-up Multi-way External Merge Sort (EMS)

332 views • 20 slides
DATABASE SYSTEMS Database programming in a web environment Database System Course, 2016-2017

DATABASE SYSTEMS Database programming in a web environment Database System Course, 2016-2017

DATABASE SYSTEMS Database programming in a web environment Database System Course, 2016-2017 AGENDA FOR TODAY The final project Advanced Mysql Database programming Recap: DB servers in the web Web programming architecture HTTP on a

845 views • 53 slides
Database Systems External Sort Based on slides by Feifei Li, University of Utah Whats external

Database Systems External Sort Based on slides by Feifei Li, University of Utah Whats external

Database Systems External Sort Based on slides by Feifei Li, University of Utah Whats external sorting? n Problem: sort 1TB of data with 1GB of RAM. why not virtual memory? Swap involves expensive IOs 2 Using secondary storage

646 views • 30 slides
Preventing brute force attacks against stack canary protector on networking servers Hector

Preventing brute force attacks against stack canary protector on networking servers Hector

Preventing brute force attacks against stack canary protector on networking servers Hector Marco Preventing brute force attacks against stack canary protector on networking servers Hector Marco-Gisbert , Ismael Ripoll Universit` at Polit`

721 views • 44 slides
Database servers on chip multiprocessors: limitations and opportunities N. Hardavellas N.

Database servers on chip multiprocessors: limitations and opportunities N. Hardavellas N.

Database servers on chip multiprocessors: limitations and opportunities N. Hardavellas N. Mancheril I. Pandis A. Ailamaki R. Johnson B. Falsafi Benjamin Reilly September 27, 2011 Tuesday, 27 September, 11 The fattened cache (and CPU)

970 views • 19 slides
Resilient Networking 6: Attacks on DNS 1 Chapter Outline Overview of DNS Known attacks

Resilient Networking 6: Attacks on DNS 1 Chapter Outline Overview of DNS Known attacks

Resilient Networking 6: Attacks on DNS 1 Chapter Outline Overview of DNS Known attacks on DNS Denial-of-Service Cache Poisoning Securing DNS Split-Split-DNS DNSSEC 2 DNS The Domain Name System Naming Service

1.15k views • 46 slides
This Lecture General Database Security Privileges Database Security Granting

This Lecture General Database Security Privileges Database Security Granting

This Lecture General Database Security Privileges Database Security Granting Revoking Views Database Systems SQL Insertion Attacks Michael Pound Further Reading The Manga Guide to Databases, Chapter 5 Database

285 views • 7 slides
Web Security Thierry Sans Securing the web architecture means securing ... The network

Web Security Thierry Sans Securing the web architecture means securing ... The network

Web Security Thierry Sans Securing the web architecture means securing ... The network The operating system The web server ( Apache for instance) The administration server ( SSH for instance) The database ( Oracle for instance)

1.37k views • 61 slides
Database-Powered Web Servers Alexandros Labrinidis Univ. of Pittsburgh labrinid@cs.pitt.edu

Database-Powered Web Servers Alexandros Labrinidis Univ. of Pittsburgh labrinid@cs.pitt.edu

Database-Powered Web Servers Alexandros Labrinidis Univ. of Pittsburgh labrinid@cs.pitt.edu Examples of db-powered web sites Google.com (search engine) Amazon.com (shopping) eBay.com (auctions) WellsFargo.com (online banking)

1.03k views • 21 slides
Securing History: Privacy and Accountability in Database Systems Gerome Miklau (Joint work with

Securing History: Privacy and Accountability in Database Systems Gerome Miklau (Joint work with

Securing History: Privacy and Accountability in Database Systems Gerome Miklau (Joint work with Brian Levine &amp; Patrick Stahlberg) University of Massachusetts, Amherst History a record of past data and operations performed on a system.

777 views • 29 slides
Learning to Reconstruct: Statistical Learning Theory and Encrypted Database Attacks Paul Grubbs ,

Learning to Reconstruct: Statistical Learning Theory and Encrypted Database Attacks Paul Grubbs ,

Learning to Reconstruct: Statistical Learning Theory and Encrypted Database Attacks Paul Grubbs , Marie-Sarah Lacharit, Brice Minaud, Kenny Paterson pag225@cornell.edu, @pag_crypto Outsourced Databases Database Encrypting Outsourced

705 views • 23 slides
Timing Attacks for Recovering Private Entries From Database Engines August 1, 2007 Damian

Timing Attacks for Recovering Private Entries From Database Engines August 1, 2007 Damian

Timing Attacks for Recovering Private Entries From Database Engines August 1, 2007 Damian Saura, Ariel Futoransky and Ariel Waissbein -Core Security Technologies- Why are DBs interesting to attackers Database management systems are used

826 views • 57 slides
Dynamic Resource Allocation for Database Servers Running on Virtual Storage Gokul Soundararajan,

Dynamic Resource Allocation for Database Servers Running on Virtual Storage Gokul Soundararajan,

Dynamic Resource Allocation for Database Servers Running on Virtual Storage Gokul Soundararajan, Daniel Lupei, Saeed Ghanbari, Adrian Daniel Popescu, Jin Chen, Cristiana Amza University of Toronto 1 Multi-tier Resource Allocation

922 views • 44 slides
Staff has concerns over the setbacks of the second floor patio and will be conditioning that the

Staff has concerns over the setbacks of the second floor patio and will be conditioning that the

From: Liska, Andrew &lt;Andrew.Liska@minneapolismn.gov&gt; Sent: Wednesday, August 19, 2020 2:34 PM To: Michael Subject: RE: [EXTERNAL] RE: [EXTERNAL] RE: [EXTERNAL] RE: [EXTERNAL] RE: [EXTERNAL] RE: [EXTERNAL] 1219 31st W Joyce Church Hi,

366 views • 3 slides
1 Using m ultiple database Three-tier architecture / 2 servers The database server only

1 Using m ultiple database Three-tier architecture / 2 servers The database server only

MORE ON ARCHI TECTURES Monolithic Architecture / 1 The main reasons for using an architecture are Monolithic systems are not divided into maintainability and performance . independent parts. They typically run on a single We want

270 views • 3 slides
External Sorting Module 2, Lecture 6 Database Management Systems, R. Ramakrishnan 1 Why Sort?

External Sorting Module 2, Lecture 6 Database Management Systems, R. Ramakrishnan 1 Why Sort?

External Sorting Module 2, Lecture 6 Database Management Systems, R. Ramakrishnan 1 Why Sort? A classic problem in computer science! Data requested in sorted order e.g., find students in increasing gpa order Sorting is first step

360 views • 19 slides
Learning to Reconstruct Statistical Learning Theory and Encrypted Database Attacks Paul Grubbs,

Learning to Reconstruct Statistical Learning Theory and Encrypted Database Attacks Paul Grubbs,

Learning to Reconstruct Statistical Learning Theory and Encrypted Database Attacks Paul Grubbs, Marie-Sarah Lacharit, Brice Minaud, Kenny Paterson CASYS team seminar, Grenoble, December 2018 Outsourcing Data with Search Capabilities Data

534 views • 38 slides
IoT Security Image: xkcd How is securing IoT different from securing any other system? IoT

IoT Security Image: xkcd How is securing IoT different from securing any other system? IoT

IoT Security Image: xkcd How is securing IoT different from securing any other system? IoT is a system of systems, with A great deal of heterogeneity (sensing, computation, communication, energy) New types of devices appearing all

1.35k views • 65 slides
Future Banking and Financial Attacks Konstantinos Karagiannis Director, Ethical Hacking, BT

Future Banking and Financial Attacks Konstantinos Karagiannis Director, Ethical Hacking, BT

Future Banking and Financial Attacks Konstantinos Karagiannis Director, Ethical Hacking, BT Advise Assure 2 Agenda/topics covered Threat overview Advanced User Enumeration and DDoS Trading Turret and Timing Attacks Internal and External User

365 views • 35 slides

More recommend