Securing PostgreSQL From External Attack, Bruce Momjian, January 2012 (PowerPoint PPT Presentation)



SLIDE 1

Securing PostgreSQL From External Attack

BRUCE MOMJIAN
January, 2012

Database systems are rich with attack vectors to exploit. This presentation explores the many potential PostgreSQL external vulnerabilities and shows how they can be secured.

Creative Commons Attribution License http://momjian.us/presentations

Securing PostgreSQL, From External Attack 1 / 29

SLIDE 2

Attack Vectors

SLIDE 3

External Attack Vectors

◮ ’Trust’ security
◮ Passwords / authentication theft
◮ Network snooping
◮ Network pass-through spoofing
◮ Server / backup theft
◮ Administrator access

SLIDE 4

Internal Attack Vectors (Not Covered)

◮ Database object permissions
◮ SQL injection attacks
◮ Application vulnerability
◮ Operating system compromise

SLIDE 5

Authentication Security

http://www.my-time-machines.net/mosler_34.htm

SLIDE 6

Avoid ’Trust’ Security

# TYPE  DATABASE  USER  CIDR-ADDRESS  METHOD
# "local" is for Unix domain socket connections only
local   all       all                 trust
# IPv4 local connections:
host    all       all   127.0.0.1/32  trust
# IPv6 local connections:
host    all       all   ::1/128       trust

Solution: Use the initdb -A flag, i.e., you don’t want to see this:

WARNING: enabling "trust" authentication for local connections
You can change this by editing pg_hba.conf or using the -A option the
next time you run initdb.
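One way to check an existing installation for the rules shown on this slide, as an added example that is not part of the original presentation: a Python parser for pg_hba.conf text that reports every rule whose method is trust. The sample file is constructed from the slide's three entries plus one hypothetical md5 rule; the function names are assumptions of this example.

```python
import ipaddress
import shlex

# Constructed sample: the slide's three trust rules plus one hypothetical md5 rule.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER  CIDR-ADDRESS  METHOD
# "local" is for Unix domain socket connections only
local   all       all                 trust
# IPv4 local connections:
host    all       all   127.0.0.1/32  trust
# IPv6 local connections:
host    all       all   ::1/128       trust
host    sales     app   10.0.0.0/8    md5
"""
HOST_TYPES = ("host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc")

def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def parse_hba(text):
    """Return one dict per rule found in pg_hba.conf text."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        f = shlex.split(raw, comments=True)  # drops '#' comments, honours quotes
        if not f:
            continue
        if f[0] == "local":
            n_addr = 0  # Unix-socket rules have no address column
        elif f[0] in HOST_TYPES:
            # The address is one CIDR field, or "IP netmask" as two fields.
            n_addr = 2 if len(f) > 4 and _is_ip(f[4]) else 1
        else:
            raise ValueError(f"line {lineno}: unknown record type {f[0]!r}")
        if len(f) < 4 + n_addr:
            raise ValueError(f"line {lineno}: incomplete rule")
        rules.append({"line": lineno, "type": f[0], "database": f[1], "user": f[2],
                      "address": " ".join(f[3:3 + n_addr]) or None, "method": f[3 + n_addr]})
    return rules

def trust_rules(text):
    """Rules that let a client connect with no authentication at all."""
    return [r for r in parse_hba(text) if r["method"].lower() == "trust"]

if __name__ == "__main__":
    print([(r["line"], r["type"], r["address"]) for r in trust_rules(SAMPLE_HBA)])
```
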

SLIDE 7

Password Snooping

[Diagram: Client and PostgreSQL Database Server; the Database holds md5(password+username) entries. Exchange (vulnerable to snooping): Connection Request, Need Password, Password Sent.]

Using ’username’ in the MD5 string prevents the same password used by different users from appearing the same. It also adds some randomness to the md5 checksums.

SLIDE 8

MD5 Authentication Prevents Password Snooping

[Diagram: Client and PostgreSQL Database Server; the Database holds md5(password+username) entries. Exchange: connection request; need password, sent random salt; md5(md5(password+username) + salt).]

SLIDE 9

MD5 Authentication Prevents Password Replay

[Diagram: a Client and a Malicious Client, each connecting to the PostgreSQL Database Server; the Database holds md5(password+username) entries.
Client (OK): connection request; need password, sent random salt0; md5(md5(password+username) + salt0).
Malicious Client (X): connection request; need password, sent random salt1; md5(md5(password+username) + salt0) replay.]

salt is a random four-byte integer so millions of connection attempts might allow the reuse of an old authentication reply.
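The exchange from the last three slides, as an added example that is not part of the original presentation: a Python simulation of the salted challenge using the slides' formula md5(md5(password+username) + salt), showing that a captured reply fails against a new salt and how likely a four-byte salt is to recur. The Server class, function names and credentials are constructed for this example; it is not PostgreSQL's wire-protocol code.

```python
import hashlib
import hmac
import os

def md5hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def stored_hash(password: str, username: str) -> str:
    """Value kept by the server: md5(password+username)."""
    return md5hex((password + username).encode())

def client_response(password: str, username: str, salt: bytes) -> str:
    """Reply to the challenge: md5(md5(password+username) + salt)."""
    return md5hex(stored_hash(password, username).encode() + salt)

class Server:
    """Toy server (assumption of this example): one outstanding challenge."""
    def __init__(self, users):
        self.stored = {u: stored_hash(p, u) for u, p in users.items()}
        self.salt = None

    def challenge(self, salt: bytes = None) -> bytes:
        # A fresh random four-byte salt per connection; `salt` is a test hook.
        self.salt = salt if salt is not None else os.urandom(4)
        return self.salt

    def verify(self, username: str, response: str) -> bool:
        expected = md5hex(self.stored[username].encode() + self.salt)
        return hmac.compare_digest(expected, response)

def replay_demo(salt0=None, salt1=None):
    """Return (legitimate login accepted, replayed reply accepted)."""
    server = Server({"alice": "s3cret"})            # constructed credentials
    captured = client_response("s3cret", "alice", server.challenge(salt0))
    legit = server.verify("alice", captured)        # reply answers salt0
    server.challenge(salt1)                         # new connection, new salt
    replayed = server.verify("alice", captured)     # old reply against salt1
    return legit, replayed

def salt_reuse_probability(attempts: int, captured: int = 1) -> float:
    """Chance that one of `captured` salts recurs within `attempts` challenges."""
    return 1 - (1 - captured / 2**32) ** attempts

if __name__ == "__main__":
    print(replay_demo())
    print(f"{salt_reuse_probability(1_000_000):.6f}")
```
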

SLIDE 10

Password Attacks

◮ Weak passwords
◮ Reuse of old passwords
◮ Brute-Force password attacks

None of these vulnerabilities is prevented by Postgres directly, but external authentication methods, like LDAP, PAM, and SSPI, can prevent them.

SLIDE 11

Queries and Data Still Vulnerable to Network Snooping

[Diagram: Client sends SELECT * FROM customers; to the PostgreSQL Database Server, which returns Barr Bearings | $10230 | James Akel. Queries and data vulnerable to snooping.]

Password changes are also vulnerable to snooping.

SLIDE 12

SSL Prevents Snooping By Encrypting Queries and Data

[Diagram: Client and PostgreSQL Database Server exchange AES256(SELECT * FROM customers); and AES256(Barr Bearings | $10230 | James Akel). Queries and data encrypted by SSL.]

SLIDE 13

Preventing Spoofing

http://redwing.hutman.net/~mreed/warriorshtm/impostor.htm

SLIDE 14

Localhost Spoofing While the Database Server Is Down

[Diagram (marked X): Client, Fake PostgreSQL Database Server, Database. Exchange: Connection Request, Need Plain Password, Password Sent.]

Fake server: Uses a fake socket or binds to port 5432 while the real server is down. (/tmp is world-writable and 5432 is not a root-only port.) Records passwords for later use with the real server.

The server controls the choice of ’password’ instead of ’md5’.

SLIDE 15

Network Spoofing

[Diagram (marked X): Client, Fake PostgreSQL Database Server, Database. Exchange: Connection Request, Need Plain Password, Password Sent.]

Fake server: Records passwords for later use with the real server.

Without SSL ’root’ certificates there is no way to know if the server you are connecting to is a legitimate server.

SLIDE 16

Network Spoofing Pass-Through

[Diagram (marked OK): Client, Fake PostgreSQL Database Server, PostgreSQL Database Server, Database. Exchange: Connection Request, Need Plain Password, Password Sent; Query and Result on each side of the fake server.]

Fake server: Records passwords for later use with the real server. It can also capture queries, data, and inject its own queries.

Without SSL ’root’ certificates there is no way to know if the server you are connecting to is a legitimate server.

SLIDE 17

SSL ’Prefer’ Is Not Secure

[Diagram (marked OK): Client, Fake PostgreSQL Database Server, PostgreSQL Database Server, Database; Query and Result on each side of the fake server. Connection labels: Prefer SSL, No SSL, Non-SSL, SSL or Non-SSL.]

Fake server: Records passwords for later use with the real server. It can also capture queries, data, and inject its own queries.

Without SSL ’root’ certificates there is no way to know if the server you are connecting to is a legitimate server.

SLIDE 18

SSL ’Require’ Is Not Secure From Spoofing

[Diagram (marked OK): Client, Fake PostgreSQL Database Server, PostgreSQL Database Server, Database; Query and Result on each side of the fake server. Connection labels: Require SSL, SSL, SSL or Non-SSL.]

Fake server: Records passwords for later use with the real server. It can also capture queries, data, and inject its own queries.

Without SSL ’root’ certificates there is no way to know if the server you are connecting to is a legitimate server.

SLIDE 19

SSL ’Verify-CA’ Is Secure From Spoofing

[Diagram (marked X): Client (root.crt, SSL verify-ca), Fake PostgreSQL Database Server, PostgreSQL Database Server (server.crt), Database. Fake server: Invalid certificate (no CA signature).]

SLIDE 20

SSL ’Verify-full’ Is Secure Even From Some Certificate Thefts

[Diagram (marked X): Client (root.crt, SSL verify-full), Fake PostgreSQL Database Server (server.crt), PostgreSQL Database Server (server.crt), Database. Fake server: Certificate stolen from a CA-trusted computer, but not the database server. Invalid certificate (hostname mismatch).]
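A check that applies the last four slides to client configuration, as an added example that is not part of the original presentation: a Python audit that extracts sslmode from libpq connection strings (keyword=value or URI form) and flags every mode that does not verify the server certificate. A missing sslmode is treated as libpq's default, prefer; the host names and connection strings are constructed.

```python
import shlex
from urllib.parse import parse_qs, urlsplit

# Findings follow the slides: only the verify-* modes check the server certificate.
FINDINGS = {
    "disable":     "no SSL: snooping and spoofing possible",
    "allow":       "SSL not guaranteed: snooping and spoofing possible",
    "prefer":      "can fall back to non-SSL: snooping and spoofing possible",
    "require":     "encrypted, but server identity not verified: spoofing possible",
    "verify-ca":   "server certificate must be signed by the trusted root.crt",
    "verify-full": "CA signature and hostname must both match",
}
VERIFIED = ("verify-ca", "verify-full")

# Constructed connection strings (hypothetical host and database names).
SAMPLE_CONNINFOS = [
    "host=db.example.com dbname=sales user=app",
    "host=db.example.com dbname=sales sslmode=require",
    "postgresql://app@db.example.com/sales?sslmode=verify-ca",
    "host=db.example.com dbname=sales sslmode=verify-full sslrootcert=/etc/ssl/root.crt",
]

def sslmode_of(conninfo: str) -> str:
    """Effective sslmode of one connection string; unset means 'prefer'."""
    if conninfo.startswith(("postgresql://", "postgres://")):
        params = parse_qs(urlsplit(conninfo).query)
        return params.get("sslmode", ["prefer"])[-1]
    # keyword=value form; shlex handles single-quoted values containing spaces
    pairs = dict(tok.split("=", 1) for tok in shlex.split(conninfo) if "=" in tok)
    return pairs.get("sslmode", "prefer")

def audit(conninfos):
    """Return (conninfo, sslmode, server_verified, finding) per string."""
    report = []
    for c in conninfos:
        mode = sslmode_of(c)
        report.append((c, mode, mode in VERIFIED,
                       FINDINGS.get(mode, "unknown sslmode")))
    return report

if __name__ == "__main__":
    for c, mode, ok, finding in audit(SAMPLE_CONNINFOS):
        print(f"{'PASS' if ok else 'FAIL'}  {mode:<11}  {finding}")
```

A connection string without sslmode can also inherit a value from the PGSSLMODE environment variable, which this check does not read.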

SLIDE 21

Data Encryption To Avoid Data Theft

http://jproc.ca/crypto/enigma.html

SLIDE 22

Disk Volume Encryption

http://www.pclaunches.com/

SLIDE 23

Column Encryption

   id   |        name        |      credit_card_number
--------+--------------------+------------------------------
 428914 | Piller Plaster Co. | \xc30d04070302254dc045353f28
        |                    ; 456cd241013e2d421e198f3320e8
        |                    ; 41a7e4f751ebd9e2938cb6932390
        |                    ; 5c339c02b5a8580663d6249eb24f
        |                    ; 192e226c1647dc02536eb6a79a65
        |                    ; 3f3ed455ffc5726ca2b67430d5

Encryption methods are decryptable (e.g. AES), while hashes are one-way (e.g. MD5). A one-way hash is best for data like passwords that only need to be checked for a match, rather than decrypted.

SLIDE 24

Where to Store the Key? On the Server

[Diagram: Client sends SELECT * FROM customers; to the PostgreSQL Database Server, which holds the key and returns decrypted data: Barr Bearings | $10230 | James Akel.]

SLIDE 25

Store the Key on an Intermediate Server

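[Diagram: Client, Cryptographic Server (holds the key), PostgreSQL Database Server, Database. The SELECT passes through the cryptographic server; the result is Encrypted (V#ja20a) on the database side and Decrypted (Barr Bearings) on the client side.]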

SLIDE 26

Store the Key on the Client and Encrypt/Decrypt on the Server

[Diagram: Client (holds the key) sends SELECT decrypt(col, key) FROM customers; to the PostgreSQL Database Server, which returns decrypted data: Barr Bearings | $10230 | James Akel.]

SLIDE 27

Encrypt/Decrypt on the Client

[Diagram: Client (holds the key) sends SELECT * FROM customers; to the PostgreSQL Database Server, which returns encrypted data: V#aei32ok3.]

This prevents server administrators from viewing sensitive data.

SLIDE 28

Store the Key on a Client Hardware Token

[Diagram: Client (key on a hardware token) sends SELECT * FROM customers; to the PostgreSQL Database Server, which returns encrypted data: V#aei32ok3.]

This prevents problems caused by client hardware theft.

SLIDE 29

Conclusion

http://momjian.us/presentations

Todd Ehlers, Flickr