
ASE101 Securing ASE 12.5




  1. ASE101 Securing ASE 12.5
  Cindy Bellefeuille, Senior Database Administrator
  cbellefeuille@cox.net, (210) 287-2859
  August 6, 2003

  2. Overview
  • Why security
  • Security goals
  • Multi-layered approach
  • Encryption
  • 3rd party security
  • Industry best practices
  • More information

  3. Why Security? The Rules
  • Privacy legislation
    US: HIPAA, GLBA, FDA ERES (21 CFR Part 11), California SB 1386
    EU: privacy and data protection acts, Safe Harbor
    Argentina, Australia, Canada, Hong Kong, Japan: privacy acts
  • Industry initiatives
    ISO 17799, Code of Practice for Security Management
    VISA U.S.A. Cardholder Information Security Program (CISP)
  • Audit
    Meet audit requirements for compliance with privacy standards

  4. Why Security? The Attacks
  • Malicious software: time bomb, Trojan horse, virus, worm
  • Network-based attacks: sniffing, man-in-the-middle, replay, spoofing
  • Denial of service

  5. Why Security? Cyber Crime Statistics
  2002 CSI/FBI Computer Crime and Security Survey
  • 90% of respondents detected computer security problems over the past year.
  • 80% acknowledged financial losses due to computer security problems.
  • 44% were willing and/or able to quantify their financial losses, reporting a total of $455,848,000.
  • 74% cited Internet connections as the frequent point of attack, compared to 33% citing their internal systems.

  6. Computer Security Goals
  • Confidentiality
  • Integrity
  • Availability
  • Authentication
  • Non-repudiation

  7. ASE Multi-Layered Data Access
  Each layer is a separate check; a client must pass all three before it can touch data.
  • Login to the database server (a server login)
  • Access the database (a user in that database, mapped to the login)
  • Access the database object (permissions granted on the object, or a role that carries them)
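As an added worked example (not part of the slides), here are the three layers expressed in Transact-SQL for ASE 12.5, with the system procedure that verifies each one. The login name `app_reader`, the database `salesdb`, the table `customers` and the password are assumptions chosen for illustration.

```sql
-- Added example: the three ASE access layers and the check for each.
-- app_reader, salesdb, customers and the password are assumed names.

-- Layer 1: a server login. Without a row in master..syslogins the client
-- cannot even open a connection.
use master
go
exec sp_addlogin app_reader, "Str0ng-Pass-2003", salesdb
go

-- Layer 2: a user in the database. A login with no user row in salesdb
-- (and no guest user there) is refused by "use salesdb".
use salesdb
go
exec sp_adduser app_reader
go

-- Layer 3: object permissions. Grant only what the account needs, and
-- close the public door first, otherwise every database user keeps read
-- access regardless of what is granted to app_reader.
revoke all on customers from public
go
grant select on customers to app_reader
go

-- Verification, one procedure per layer.
exec sp_displaylogin app_reader      -- layer 1: login exists, default db is salesdb
go
exec sp_helpuser app_reader          -- layer 2: mapped into this database
go
exec sp_helprotect customers         -- layer 3: select only, app_reader only
go
```

One caveat worth checking on every database: if a `guest` user exists, layer 2 is bypassed for every server login, since any login can use the database as `guest`. `sp_helpuser guest` shows whether it is present.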

  8. What else can we do?
  • Encryption
  • Multi-layered access

  9. What is Encryption?
  Encryption is: plain text → mathematical function + key → cipher text
  Decryption runs the function in reverse with the key to recover the plain text.
  • The mathematical function (the algorithm) is widely known
  • The key is known only to authorized users; the secrecy of the key, not of the algorithm, is what protects the data
  • Two families: symmetric and asymmetric

  10. Symmetric-Key Encryption (Private-Key Encryption)
  • Uses the same key to encrypt and decrypt
  • Advantage: very fast
  • Disadvantage: key management
    Key distribution (the shared key must reach both parties secretly)
    Key compromise (anyone who obtains the key can both read and forge data)

  11. Asymmetric-Key Encryption (Public-Key Encryption)
  • A public key, which can be shared freely, and a private key, which is kept secret; data encrypted with the public key can only be decrypted with the private key
  • Advantage: key management, since no shared secret has to be distributed
  • Disadvantage: requires more computation and more infrastructure (certificates and a way to trust them)

  12. Encryption in ASE 12.5
  ASE 12.5 supports industry-standard security protocols:
  • Kerberos
  • Secure Sockets Layer (SSL)

  13. What is Kerberos?
  • Authentication service developed at MIT
  • Uses symmetric (private-key) encryption to encrypt and decrypt the data
  • Based on the Needham-Schroeder key distribution protocol: a Key Distribution Center (KDC) holds the key of every principal and issues the tickets used to authenticate

  14. Kerberos
  • Advantages
    Uses private-key encryption, which is fast.
  • Disadvantages
    Depends on the Key Distribution Center. If it is unavailable, nobody can authenticate and connections are denied.
    The Key Distribution Center can be compromised; because it holds every principal's key, its compromise exposes the whole realm.

  15. Using Kerberos with ASE 12.5
  • Advanced Security Module: add-on license feature for ASE 12.0 and later
  • Security Guardian: ASE 11.9.2
  • Configure ASE 12.5: Sybase System Administration Guide, Chapter 14, “Configuring Adaptive Server for security”, http://download.sybase.com/pdfdocs/asg12503/sag1.pdf

  16. What is SSL?
  Secure Sockets Layer
  • Developed by Netscape to transmit documents privately over the Internet.
  • Public-key encryption is used to exchange a session key.
  • The session key, a symmetric private key, encrypts and decrypts the data.

  17. SSL
  • Advantages
    Secure, encrypted connections.
    Each session uses a different session key, so recovering one session key does not compromise past or future sessions.
    SSL sits between the application protocol and the transport layer (TCP), so it is application independent.
  • Disadvantages
    More memory needed: about 40 KB for each SSL connection.
    Performance degradation.

  18. Using SSL with ASE 12.5
  • Advanced Security Module: add-on license feature
  • Configure ASE 12.5
    sp_configure
    sp_ssladmin: certificate administration
    Modify the interfaces file
  • For more information: “Internet Security in Sybase ASE 12.5” by Michael Mamet, ISUG Technical Journal, 3rd Quarter 2001
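The three configuration steps above, carried through as an added example (not from the slides or from Sybase documentation). The certificate path, the certificate-file password, the host name `dbhost` and port 4100 are assumptions.

```sql
-- Added example: enabling SSL on an ASE 12.5 listener.
-- Certificate path, password, host name and port are assumed values.

use master
go
-- 1. Certificate administration. The PEM file holds the server certificate
--    and its private key; the password protects that private key. The
--    certificate's common name must match the server name used in the
--    interfaces file, or clients will reject it.
exec sp_ssladmin addcert, "/opt/sybase/certificates/SYBASE.crt", "cert-file-pass"
go
-- Confirm which certificate the server will present.
exec sp_ssladmin lscert
go

-- 2. Turn SSL on. "enable ssl" is a static parameter, so the server must
--    be restarted before the setting takes effect.
exec sp_configure "enable ssl", 1
go

-- 3. Mark the listener as SSL in the interfaces file (Unix form). A client
--    that connects through an entry without the ssl filter, or through a
--    second clear-text listener, still talks in clear text, so leave the
--    server only SSL entries unless a clear-text port is deliberate:
--
--    SYBASE
--        master tcp ether dbhost 4100 ssl
--        query  tcp ether dbhost 4100 ssl
--
--    The client side needs the same ssl filter on its query line and a
--    trusted-roots file containing the CA certificate that signed SYBASE.crt;
--    without it the client cannot verify the server and the connection fails.
```

After the restart, connect with an SSL-enabled client and confirm in the error log that the listener started with the ssl filter; a clear-text connection attempt to that entry should be refused.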

  19. What else can we do?
  • 3rd party security
  • Encryption
  • Multi-layered access

  20. 3rd Party Security
  When selecting 3rd party security, consider:
  • What cryptographic standard is used?
  • What type of key management is used?
  • Will the new product introduce any vulnerabilities to my system?

  21. 3rd Party Security: Protegrity’s Secure.Data
  • Encrypts data in the database
  • Performance tested by Sybase
  • Encryption: 56-bit DES and 168-bit Triple DES
  • Key management: Diffie-Hellman key exchange
  • Vulnerabilities: 3/13/2003, buffer overflow in Secure.Data versions 2.2.3.7 and 2.2.3.8; patched in Secure.Data 2.2.3.9

  22. What else can we do?
  • Best practices
  • 3rd party security
  • Encryption
  • Multi-layered access

  23. Industry Best Practices
  Plan on a security incident:
  • Backup, backup, backup
  • Username/password challenge
  • No default/null passwords
  • Software updates
  • Audit
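As an added example (not from the slides), the practices above turned into concrete ASE 12.5 commands, one group per bullet. The dump paths, the database name `salesdb` and the new passwords are assumptions; the `probe` login is created at install for the two-phase commit probe process, and `sa` is installed with a null password.

```sql
-- Added example: ASE 12.5 commands for each best-practice item.
-- Dump paths, salesdb and the new passwords are assumed values.

use master
go
-- Backup: dump the system catalog and an application database (needs a
-- running Backup Server). A dump you have never restored is not a backup.
dump database master to "/backups/master.dmp"
go
dump database salesdb to "/backups/salesdb.dmp"
go

-- No default/null passwords: list logins that never received one.
select name, suid from syslogins where password is null
go
-- sa installs with a null password; set one while logged in as sa.
exec sp_password null, "N3w-sa-Passw0rd!"
go
-- Lock installed logins that are not in use instead of leaving them open
-- (probe is only needed when two-phase commit is used).
exec sp_locklogin probe, "lock"
go
-- Username/password challenge: raise the server-wide minimum so that new
-- passwords cannot be trivially short.
exec sp_configure "minimum password length", 8
go

-- Audit: requires the sybsecurity database (installed with installsecurity).
-- Record every login attempt and every security-relevant command.
exec sp_configure "auditing", 1
go
exec sp_audit "login", "all", "all", "on"
go
exec sp_audit "security", "all", "all", "on"
go

-- Software updates: know the exact build before comparing against Sybase
-- EBF and advisory lists.
select @@version
go
```

Review the locked-login list and the audit trail as part of the same routine as the backups; an audit that nobody reads and a dump that nobody restores give the same false comfort.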

  24. Information
  • www.cert.org
  • www.auscert.org.au
  • www.ciac.org/ciac
  • www.cybersafe.com
  • www.nist.gov
  • www.nsa.gov
  • www.sans.org
  • www.securityfocus.com
  • www.sybase.com
  • www.protegrity.com
  • www.web.mit.edu/kerberos/www/

  25. Sybase DBCC CHECKVERIFY Buffer Overflow Vulnerability
  www.securityfocus.com/bid/6269/discussion/
  • Discussion
    A buffer overflow vulnerability has been reported for the Sybase Adaptive Server. The vulnerability exists in the DBCC CHECKVERIFY function, which does not sufficiently check the length of the string supplied as input when the function is called. An overly long input triggers the buffer overflow. An attacker may exploit this vulnerability to cause the database process to execute malicious attacker-supplied code.

  26. Sybase DBCC CHECKVERIFY Buffer Overflow Vulnerability
  • Solution
    The vendor has confirmed this issue and has released fixes which address it.
    Sybase Adaptive Server Enterprise 12.0 (Win): Sybase Patch Adaptive Server 12.0.0.6, http://downloads.sybase.com/swd/swx

  27. Conclusion
  No database can be completely secure, so take advantage of:
  • The ASE multi-layered approach
  • Encryption
  • 3rd party security
  • Industry best practices

  28. Conclusion
  To:
  • Conduct business in a more secure manner, protecting against theft, loss and fraud.
  • Ensure confidentiality, integrity and availability of your data.
  • Prevent your company from being the next security incident headline:
    “Microsoft admits critical flaw in nearly all Windows software”, by Ted Bridis, The Associated Press, Jul 16 2003 12:25PM
    “Symantec 'security scan' distributes rootkit”, by Thomas C. Greene, The Register, Jul 16 2003 5:20AM
