Database Systems Security in an Enterprise Environment

Paul J. Wagner

University of Wisconsin – Eau Claire

St. Cloud Security Workshop, May 2003

http://www.cs.uwec.edu/~wagnerpj/security/

Database Systems Security – Background
  • Need
    • Security curriculum is relatively light in database systems area
      • Focus currently on protecting information through network configuration, systems administration, application security
      • Need to specifically consider database system security issues
    • What is most valuable – data, systems, or network?
  • Goals
    • Understand security issues in a general database system environment
    • Consider database security issues in context of general security principles and ideas
    • Focus on Oracle as a common DBMS, but realize there are similar issues for other DBMSs
Main Message
  • Database system security is more than securing the database
    • Secure database
    • Secure DBMS
    • Secure applications
    • Secure operating system (in relation to database system)
    • Secure web server (in relation to database system)
    • Secure network environment (in relation to database system)
Secure Database(s)
  • Traditional database security topics and issues
    • Users and Passwords
      • Default users/passwords
        • Oracle: sys, system accounts – privileged, with default passwords
        • Oracle: scott account – well-known account and password, part of public group
          • e.g. public can access all_users table
      • Need for general password policies (length, domain, changing, protection, …)
      • Need for general account policies (who gets, what level of privilege, when expires, …)
Secure Database(s) – cont.
  • Privileges and Roles
    • Privileges
      • System – on actions (e.g. selecting, deleting, creating, …)
      • Object – on data objects (e.g. on particular table)
    • Roles
      • Collections of system privileges
      • Advantage: easier management
      • Disadvantage: tend to give more privilege than needed
        • Commonly heard Oracle user request: “Just give me DBA role to make it work and we’ll figure out the exact privilege I need later.”
    • Grant / Revoke
      • Giving (removing) privileges or roles to (from) users
      • Problem – often done haphazardly
    • Need for continual management of privileges and roles
    • Need for policies on privilege/role management
Secure DBMS
  • Possible Holes in DBMS
    • Oracle: http://technet.oracle.com/deploy/security/alerts.htm (50+ listed)
      • Types of exploits
        • Buffer overflow problems in DBMS code
        • Miscellaneous attacks (Denial of Service, source code disclosure of JSPs, others)
    • Similar information available for DB2, SQL Server, PostgreSQL, MySQL, …
    • Oracle: UTL_FILE package in PL/SQL
      • allows read/write access to files in directory specified in utl_file_dir parameter in init.ora
      • possible access through symbolic links
Secure DBMS (cont.)
  • Need for continual patching of DBMS
    • Encourage awareness of DBMS vulnerability issues
    • Continuous vigilance is essential
    • Cost of not patching can be huge
      • SQL Slammer Worm
        • fast propagation – max scan rate of 55 million systems/second
        • affected approximately 80,000 systems, significant segments of Internet
        • 376 byte UDP packet that exploited a buffer overflow vulnerability
        • patch had long been available
        • significant effects on business database servers
          • Credit verification, Phone systems, Banks/ATMs
Secure DBMS (cont.)
  • Use security features of DBMS
    • Oracle: Virtual Private Databases (VPDs)
      • Support for fine-grain data security (e.g. multiple clients can have data in same schema without knowing other data is there)
    • Oracle: Oracle Label Security
      • Use of VPDs to achieve row-level security, controlled from Policy Manager tool under Enterprise Manager
  • Implement auditing
    • Good policy: develop a comprehensive audit system for database activity tracking
      • DBMS tools, user-developed tools (e.g. using triggers)
      • Oracle: can write to OS as well as into database for additional security, accountability for all working with databases
Secure Application Development
  • Access to database system is often through applications
  • Example: SQL Injection Attack through web front end
    • Scenario: Software system tracks own usernames and passwords in database
    • Client application accepts username and password, passes as parameters
    • An SQL query is built dynamically, combining SQL text pieces in the server application and the client-supplied parameters
    • DBMS executes query on system user table, checks for valid user/password combination in this table
    • DBMS returns 0, 1 or more user/password rows to application
    • Application checks result and allows or denies access accordingly
SQL Injection
  • Application Java code contains SQL statement:

        // client-supplied values are concatenated straight into the SQL text
        String query = "SELECT * FROM users_table " +
            " WHERE username = " + "'" + username + "'" +
            " AND password = " + "'" + password + "'";

    • Note: SQL string literals must be single-quoted
  • Application is expecting one (valid) row to be returned if success, no rows if failure
  • Attacker enters arbitrary username: anyname, but special “password” of: Aa' OR ' ' = '
  • Dynamically-constructed query becomes:

        SELECT * FROM users_table
        WHERE username = 'anyname'
        AND password = 'Aa' OR ' ' = ' ';

  • Where clause: AND binds tighter than OR, so (F AND F) OR T => F OR T => T !
  • All user rows returned to application
  • If application checking for 0 vs. more than 0 rows, attacker is in
  • Need to check application input – generally not good to allow special characters in through client-side parameters
Secure Application Development
  • Application Security in the Enterprise Environment
    • J2EE
    • .NET
    • Large number of interactions between application environment and database systems
  • Tactic: Use of Proxy Applications
    • Assume the network is filtering most problem traffic
    • Application can control fine-grain behavior, application protocol security
  • Security Patterns (from J2EE Design Patterns Applied)
    • Single-Access Point Pattern
      • single point of entry into system
    • Check Point Pattern
      • centralized enforcement of authorization when requesting resources
    • Role Pattern
      • disassociation of users and privileges for easier management
Secure Operating System
  • Interaction of DBMS and OS
    • Oracle on Windows
      • Secure administrative accounts
      • Control registry access
      • Need good account policies
      • Others…
    • Oracle on Linux/Unix
      • Choose different account names than standard suggestions
      • Restrict use of the account that owns Oracle software
      • Secure temporary directory
      • Some Oracle files are SUID (root)
      • Command line SQL*Plus with user/pass parameters appears under ps output
      • Others…
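
A check for the SQL*Plus exposure listed above, as an added example that is not part of the original slides: it scans `ps -ef` output for `sqlplus` processes whose arguments carry a `user/password` logon and reports them with the password masked. The sample lines, account names and the `/u01/app/oracle/bin` path are constructed, and the eight-column `ps -ef` layout is an assumption.

```python
import re

# Constructed sample of `ps -ef` output (UID PID PPID C STIME TTY TIME CMD).
SAMPLE_PS = """\
oracle    4121  4100  0 09:14 pts/2    00:00:00 sqlplus appuser/ExamplePw1@ORCL
oracle    4188  4100  0 09:15 pts/3    00:00:00 /u01/app/oracle/bin/sqlplus /nolog
batch     4302     1  0 09:20 ?        00:00:01 sqlplus -S report/ExamplePw2 @nightly.sql
oracle    4410  4100  0 09:21 pts/4    00:00:00 sqlplus system@ORCL
""".splitlines()

# A logon argument of the form user/password[@service] carries the password
# in argv. "/nolog", "user@service" (password prompted) and "@script" do not.
LOGON = re.compile(r"^(?P<user>[^/@\s]+)/(?P<pw>[^@\s]+)(?P<svc>@\S+)?$")

def find_exposed_logons(ps_lines):
    """Return one finding per sqlplus process whose argv holds a password."""
    findings = []
    for line in ps_lines:
        fields = line.split()
        # Assumed layout: the command starts at the eighth column.
        if len(fields) < 8 or fields[7].rsplit("/", 1)[-1] != "sqlplus":
            continue
        for arg in fields[8:]:
            m = LOGON.match(arg)
            if m:
                findings.append({
                    "os_user": fields[0],
                    "pid": int(fields[1]),
                    "db_user": m.group("user"),
                    # Never echo the password back into a report.
                    "logon": f"{m.group('user')}/****{m.group('svc') or ''}",
                })
                break
    return findings

if __name__ == "__main__":
    for finding in find_exposed_logons(SAMPLE_PS):
        print(finding)
```

Sessions started with `sqlplus /nolog` or with a prompted password are not flagged, which is the behaviour to steer users and batch jobs toward.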
Secure Web Server
  • Interaction of Oracle and Web Server
  • Apache now provided within Oracle as its application server, started by default
  • Apache issues
    • Standard configuration has some potential problems
      • See Oracle Security Handbook for more discussion
    • Ensure secure communication from web clients to web server
    • Use MaxClients to limit possible connections, avoid Denial of Service attacks
    • Others…
  • Internet Information Server (IIS) issues
    • Integration with other MS products (e.g. Exchange Server)
    • Known vulnerabilities
    • Others…
Secure Web Server (cont.)
  • Web is often front-end / gateway to DBMS
  • DBMS/database should be black-box to user
  • Attacker can force errors trying to gain information
  • Which error message should be displayed when asking for an incorrectly named Java Server Page?

    • Sorry, that file is not found
    • java.io.FileNotFoundException: /u01/prodcomm/portal/x.jsp
          at java.io.FileInputStream.open(Native method)
          at java.io.FileInputStream.<init>(FileInputStream.java:64)
          at oracle.jsp.provider.JspFilesystemResource(…)
          at oracle.jsp.app.JspAppLoader.reloadPage(JSPAppLoader.java)
          …

Secure Network
  • Interaction of DBMS and Network
    • DBMS server should be behind firewall
      • Good to separate DB and web servers (mitigate losses if hacked)
      • DB server should be behind firewall, web server usually in DMZ
      • Oracle: Connections normally initiated on port 1521, but port is then dynamically selected – management of port access is made more difficult
        • Anyone with Oracle client software who knows your host IP/name and database instance name can configure client to connect to your database instance
    • Oracle Advanced Security (OAS) product
      • Features for:
        • Authentication
        • Integrity
        • Encryption – use of SSL
    • Other Network Issues To Consider
      • Possibility of hijacking a privileged user connection
      • Various sniffing and spoofing issues
Messages Revisited
  • Database system security is more than securing the database
    • Secure database
    • Secure DBMS
    • Secure applications
    • Secure operating system
    • Secure web server
    • Secure network environment
  • General security principles apply in database system security
    • Security is a process, not a product
    • Security chain is only as strong as its weakest link
    • Best security defense utilizes multiple layers
References
  • “Oracle Security Handbook” by Theriault and Newman; Osborne/Oracle Press, 2001.
  • “Oracle Database Administration: The Essential Reference”, Kreines and Laskey; O’Reilly, 1999.
  • “Investigation of Default Oracle Accounts”, http://www.pentest-limited.com/user-tables.pdf
  • Again, slides and security links available at:

http://www.cs.uwec.edu/~wagnerpj/security/