Database Systems Security in an Enterprise Environment

Paul J. Wagner

University of Wisconsin – Eau Claire

St. Cloud Security Workshop, May 2003

Database Systems Security – Background
  • Need
    • Security curriculum is relatively light in database systems area
      • Focus currently on protecting information through network configuration, systems administration, application security
      • Need to specifically consider database system security issues
    • What is most valuable – data, systems, or network?
  • Goals
    • Understand security issues in a general database system environment
    • Consider database security issues in context of general security principles and ideas
    • Focus on Oracle as a common DBMS, but realize there are similar issues for other DBMSs
Main Message
  • Database system security is more than securing the database
    • Secure database
    • Secure DBMS
    • Secure applications
    • Secure operating system (in relation to database system)
    • Secure web server (in relation to database system)
    • Secure network environment (in relation to database system)
Secure Database(s)
  • Traditional database security topics and issues
    • Users and Passwords
      • Default users/passwords
        • Oracle: sys, system accounts – privileged, with default passwords
        • Oracle: scott account – well-known account and password, part of public group
          • e.g. public can access all_users table
      • Need for general password policies (length, domain, changing, protection, …)
      • Need for general account policies (who gets, what level of privilege, when expires, …)
Secure Database(s) – cont.
  • Privileges and Roles
    • Privileges
      • System – on actions (e.g. selecting, deleting, creating, …)
      • Object – on data objects (e.g. on particular table)
    • Roles
      • Collections of system privileges
      • Advantage: easier management
      • Disadvantage: tend to give more privilege than needed
        • Commonly heard Oracle user request: “Just give me DBA role to make it work and we’ll figure out the exact privilege I need later.”
    • Grant / Revoke
      • Giving (removing) privileges or roles to (from) users
      • Problem – often done haphazardly
    • Need for continual management of privileges and roles
    • Need for policies on privilege/role management
Secure DBMS
  • Possible Holes in DBMS
    • Oracle: (50+ listed)
      • Types of exploits
        • Buffer overflow problems in DBMS code
        • Miscellaneous attacks (Denial of Service, source code disclosure of JSPs, others)
    • Similar information available for DB2, SQL Server, PostgreSQL, MySQL, …
    • Oracle: UTL_FILE package in PL/SQL
      • allows read/write access to files in directory specified in utl_file_dir parameter in init.ora
      • possible access through symbolic links
Secure DBMS (cont.)
  • Need for continual patching of DBMS
    • Encourage awareness of DBMS vulnerability issues
    • Continuous vigilance is essential
    • Cost of not patching can be huge
      • SQL Slammer Worm
        • fast propagation – max scan rate of 55 million systems/second
        • affected approximately 80,000 systems, significant segments of Internet
        • 376 byte UDP packet that exploited a buffer overflow vulnerability
        • patch had long been available
        • significant effects on business database servers
          • Credit verification, Phone systems, Banks/ATMs
Secure DBMS (cont.)
  • Use security features of DBMS
    • Oracle: Virtual Private Databases (VPDs)
      • Support for fine-grain data security (e.g. multiple clients can have data in same schema without knowing other data is there)
    • Oracle: Oracle Label Security
      • Use of VPDs to achieve row-level security, controlled from Policy Manager tool under Enterprise Manager
  • Implement auditing
    • Good policy: develop a comprehensive audit system for database activity tracking
      • DBMS tools, user-developed tools (e.g. using triggers)
      • Oracle: can write to OS as well as into database for additional security, accountability for all working with databases
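A worked example of the "user-developed tools (e.g. using triggers)" approach to auditing, applied to the privilege-management problem from the earlier "Privileges and Roles" slide. This is added code, not from the presentation; it uses an in-memory sqlite3 database as a stand-in for Oracle, and the table and column names are assumed.

```python
import sqlite3

# Added illustration, not the presentation's own code. sqlite3 stands in for
# Oracle; table/column names (users_table, privilege, audit_log) are assumed.

def make_audited_db():
    """Constructed sample schema: a user table plus a trigger-fed audit log."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users_table (username TEXT PRIMARY KEY, privilege TEXT);
        CREATE TABLE audit_log (
            id            INTEGER PRIMARY KEY,
            at            TEXT DEFAULT CURRENT_TIMESTAMP,
            action        TEXT,
            username      TEXT,
            old_privilege TEXT,
            new_privilege TEXT);
        -- Every privilege change is recorded with before/after values.
        CREATE TRIGGER users_priv_upd AFTER UPDATE OF privilege ON users_table
        BEGIN
            INSERT INTO audit_log(action, username, old_privilege, new_privilege)
            VALUES ('UPDATE', OLD.username, OLD.privilege, NEW.privilege);
        END;
        -- Deletions are recorded too, so accounts cannot silently vanish.
        CREATE TRIGGER users_del AFTER DELETE ON users_table
        BEGIN
            INSERT INTO audit_log(action, username, old_privilege)
            VALUES ('DELETE', OLD.username, OLD.privilege);
        END;
        INSERT INTO users_table VALUES ('alice', 'CONNECT');
    """)
    return con

def audit_trail(con):
    """Full audit history, oldest first."""
    return con.execute("SELECT action, username, old_privilege, new_privilege "
                       "FROM audit_log ORDER BY id").fetchall()

def escalations(con):
    """The review query: who was raised to the DBA role, and from what."""
    return con.execute("SELECT username, old_privilege, new_privilege FROM audit_log "
                       "WHERE action = 'UPDATE' AND new_privilege = 'DBA'").fetchall()

if __name__ == "__main__":
    con = make_audited_db()
    con.execute("UPDATE users_table SET privilege = 'DBA' WHERE username = 'alice'")
    print(escalations(con))
```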
Secure Application Development
  • Access to database system is often through applications
  • Example: SQL Injection Attack through web front end
    • Scenario: Software system tracks own usernames and passwords in database
    • Client application accepts username and password, passes as parameters
    • An SQL query is built dynamically, combining SQL text pieces in the server application and the client-supplied parameters
    • DBMS executes query on system user table, checks for valid user/password combination in this table
    • DBMS returns 0, 1 or more user/password rows to application
    • Application checks result and allows or denies access accordingly
SQL Injection
  • Application Java code contains the SQL statement (SQL string literals must be single quoted):

    String query = "SELECT * FROM users_table" +
                   " WHERE username = '" + username + "'" +
                   " AND password = '" + password + "'";

  • Application is expecting one (valid) row to be returned if success, no rows if failure
  • Attacker enters an arbitrary username (anyname) but a special "password" of: Aa' OR ' ' = '
  • Dynamically-constructed query becomes:

    SELECT * FROM users_table
    WHERE username = 'anyname'
    AND password = 'Aa' OR ' ' = ' ';

  • Where clause: AND binds tighter than OR, so (F AND F) OR T => F OR T => T !
  • All user rows returned to application
  • If application checking for 0 vs. more than 0 rows, attacker is in
  • Need to check application input – generally not good to allow special characters in through client-side parameters
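The scenario above carried through in runnable form, as an added example that is not the presentation's code: the slide's string-concatenation pattern beside a parameterized query, run against a constructed users_table. Python and sqlite3 stand in for the Java/Oracle stack; the account rows and the helper names are assumed.

```python
import sqlite3

# Added illustration, not the presentation's own code. sqlite3 stands in for
# Oracle; the flaw is the same string concatenation the Java snippet uses.

def make_db():
    """Constructed sample users_table with two accounts."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users_table (username TEXT, password TEXT)")
    con.executemany("INSERT INTO users_table VALUES (?, ?)",
                    [("alice", "s3cret"), ("bob", "hunter2")])
    return con

def login_vulnerable(con, username, password):
    """Same shape as the slide's Java: SQL text and client input concatenated,
    so a quote inside the input is parsed as SQL rather than as data."""
    query = ("SELECT * FROM users_table"
             " WHERE username = '" + username + "'"
             " AND password = '" + password + "'")
    return con.execute(query).fetchall()

def login_safe(con, username, password):
    """Bound parameters: the driver never lets the input alter the query text."""
    query = "SELECT * FROM users_table WHERE username = ? AND password = ?"
    return con.execute(query, (username, password)).fetchall()

def authenticated(rows):
    """The slide's second weakness: require exactly one row, not 'more than 0'."""
    return len(rows) == 1

# The slide's crafted password, with a trailing space so the tail of the
# query reads  ' ' = ' '  exactly as shown on the slide.
PAYLOAD = "Aa' OR ' ' = ' "

if __name__ == "__main__":
    con = make_db()
    print(login_vulnerable(con, "anyname", PAYLOAD))  # every user row comes back
    print(login_safe(con, "anyname", PAYLOAD))        # no rows: input stayed data
```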
Secure Application Development
  • Application Security in the Enterprise Environment
    • J2EE
    • .NET
    • Large number of interactions between application environment and database systems
  • Tactic: Use of Proxy Applications
    • Assume network filtering most problem traffic
    • Application can control fine-grain behavior, application protocol security
  • Security Patterns (from J2EE Design Patterns Applied)
    • Single-Access Point Pattern
      • single point of entry into system
    • Check Point Pattern
      • centralized enforcement of authorization when requesting resources
    • Role Pattern
      • disassociation of users and privileges for easier management
Secure Operating System
  • Interaction of DBMS and OS
    • Oracle on Windows
      • Secure administrative accounts
      • Control registry access
      • Need good account policies
      • Others…
    • Oracle on Linux/Unix
      • Choose different account names than standard suggestions
      • Restrict use of the account that owns Oracle software
      • Secure temporary directory
      • Some Oracle files are SUID (root)
      • Command line SQL*Plus with user/pass parameters appears under ps output
      • Others…
Secure Web Server
  • Interaction of Oracle and Web Server
  • Apache now provided within Oracle as its application server, started by default
  • Apache issues
    • Standard configuration has some potential problems
      • See Oracle Security Handbook for more discussion
    • Ensure secure communication from web clients to web server
    • Use MaxClients to limit possible connections, avoid Denial of Service attacks
    • Others…
  • Internet Information Server (IIS) issues
    • Integration with other MS products (e.g. Exchange Server)
    • Known vulnerabilities
    • Others…
Secure Web Server (cont.)
  • Web is often front-end / gateway to DBMS
  • DBMS/database should be black-box to user
  • Attacker can force errors trying to gain information
  • Which error message should be displayed when asking for an incorrectly named Java Server Page? The generic one:

    Sorry, that file is not found

    or the verbose one, which reveals the installation path and the implementing classes:

    /u01/prodcomm/portal/x.jsp
    at method)
    at oracle.jsp.provider.JspFilesystemResource(…)
Secure Network
  • Interaction of DBMS and Network
    • DBMS server should be behind firewall
      • Good to separate DB and web servers (mitigate losses if hacked)
      • DB server should be behind firewall, web server usually in DMZ
      • Oracle: Connections normally initiated on port 1521, but port is then dynamically selected – management of port access is made more difficult
        • Anyone with Oracle client software who knows your host IP/name and database instance name can configure client to connect to your database instance
    • Oracle Advanced Security (OAS) product
      • Features for:
        • Authentication
        • Integrity
        • Encryption – use of SSL
    • Other Network Issues To Consider
      • Possibility of hijacking a privileged user connection
      • Various sniffing and spoofing issues
Messages Revisited
  • Database system security is more than securing the database
    • Secure database
    • Secure DBMS
    • Secure applications
    • Secure operating system
    • Secure web server
    • Secure network environment
  • General security principles apply in database system security
    • Security is a process, not a product
    • Security chain is only as strong as its weakest link
    • Best security defense utilizes multiple layers
  • "Oracle Security Handbook", Theriault and Newman; Osborne/Oracle Press, 2001.
  • "Oracle Database Administration: The Essential Reference", Kreines and Laskey; O'Reilly, 1999.
  • “Investigation of Default Oracle Accounts”,
  • Again, slides and security links available at: