Securing your database servers from external attacks Alkin Tezuysal - - PowerPoint PPT Presentation



SLIDE 1

Securing your database servers from external attacks

Alkin Tezuysal (Sr. Technical Manager, Percona), David Busby (Information Security Architect, Percona)

SLIDE 2

Who are we?

David Busby (@icleus)

  • Technical Security Evangelist
  • Open Source Evangelist
  • Certified Information Systems Security Professional
  • Assistant Scout Leader
  • Assistant Instructor computing for children
  • Ju-Jitsu nidan and ex-Instructor

Alkin Tezuysal (@ask_dba)

  • Open Source Database Evangelist
  • Global Database Operations Expert
  • Cloud Infrastructure Architect AWS
  • Inspiring Technical and Strategic Leader
  • Creative Team Builder
  • Speaker, Mentor, and Coach
  • Outdoor Enthusiast

SLIDE 3

Agenda

  • Security Common Sense
  • MySQL Security
    ○ MySQL Passwords
    ○ MySQL Communication
    ○ MySQL Encryption
  • Security Best Practices
  • MySQL Security in Cloud Operators (AWS)
  • Q & A
SLIDE 4

Database Security Best Practices

Apply Common Sense here

SLIDE 5

Security Do’s

  • Restrict access to database hosts
    ○ Not just to the Database service
  • Create individual users, use roles (MySQL 8.0)
  • Set a password for all users
  • Remove anonymous and obsolete users
  • Use up-to-date software
  • Review, update, modify security policies as needed
  • Always remember to secure internal before blocking external vulnerabilities

SLIDE 6

Password Attacks

  • Weak passwords?
  • Reusing old passwords?
  • Leverage the password validation plugin!
  • Old versions of MySQL that are not password-feature rich?
  • MySQL unsha1 attack
  • MySQL hash cracking OSS (john, hashcat, etc.)
SLIDE 7

Network Operations

  • All connections must use SSL (or other encryption)
    ○ Performance impact is minimal versus risks
  • MySQL >= 5.7 has SSL connections by default
    ○ Ensure >= 5.7.13
  • Network encrypted tunnel options
    ○ N2N, openvpn (TLS), ssh tunnel, IPSEC

Links:

https://www.percona.com/blog/2017/06/27/ssl-connections-in-mysql-5-7/
https://www.percona.com/blog/2017/09/19/proxysql-improves-mysql-sslconnections/
http://databaseblog.myname.nl/2017/05/mysql-and-ssltls-performance.html
https://github.com/ntop/n2n
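Added example (not part of the slides): how to make the "all connections must use SSL" rule enforceable on MySQL 5.7.8 or later, and how to detect sessions that still run in cleartext. The account 'app'@'10.0.%' is an assumed name.

```sql
-- Added example; the account and host are assumptions, not from the deck.
-- 1. Confirm the server was built with TLS and has a certificate loaded
--    (5.7 auto-generates self-signed files, or use mysql_ssl_rsa_setup).
SHOW GLOBAL VARIABLES LIKE 'have_ssl';          -- expect YES, not DISABLED
SHOW GLOBAL VARIABLES LIKE 'ssl_%';             -- ssl_ca, ssl_cert, ssl_key

-- 2. Refuse every unencrypted TCP connection at the server (>= 5.7.8).
--    Unix-socket connections count as secure. Persist the setting in my.cnf
--    under [mysqld] as require_secure_transport=ON.
SET GLOBAL require_secure_transport = ON;

-- 3. Pin the requirement on the account as well, so it survives a server
--    whose global flag is later switched off.
CREATE USER 'app'@'10.0.%' IDENTIFIED BY 'Replace-With-A-Strong-Pass-1!'
  REQUIRE SSL;
-- REQUIRE X509 additionally forces the client to present a valid client cert.

-- 4. Audit: which accounts may still connect in cleartext?
--    ssl_type is '' when no REQUIRE clause was ever set on the account.
SELECT user, host, ssl_type
  FROM mysql.user
 WHERE ssl_type = ''
 ORDER BY user, host;

-- 5. Detection: live client sessions whose cipher is empty are unencrypted.
SELECT t.processlist_user, t.processlist_host, s.variable_value AS cipher
  FROM performance_schema.threads t
  JOIN performance_schema.status_by_thread s ON s.thread_id = t.thread_id
 WHERE s.variable_name = 'Ssl_cipher'
   AND t.processlist_user IS NOT NULL
   AND s.variable_value = '';

-- 6. Verify your own session: an empty Ssl_cipher means cleartext.
SHOW SESSION STATUS LIKE 'Ssl_cipher';
SHOW SESSION STATUS LIKE 'Ssl_version';
```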

SLIDE 8

MySQL Data Encryption

  • Disk Volume encryption
    ○ BitLocker, FileVault2, LUKS, eCryptFS, Veracrypt, EBS encrypted volumes (please use KMS for encryption keys!)
  • At-rest encryption for InnoDB tablespace
  • At-rest encryption for binary logs

Links:

https://dev.mysql.com/doc/refman/5.7/en/faqs-tablespace-encryption.html
https://docs.oracle.com/cd/E17952_01/mysql-5.7-en/innodb-tablespace-encryption.html
https://www.percona.com/doc/percona-server/LATEST/management/data_at_rest_encryption.html

SLIDE 9

Connection Overhead

https://tinyurl.com/ycldtnpk
https://tinyurl.com/y7v7jhmo

SLIDE 10

Security Features by MySQL

MySQL variants

SLIDE 11

MySQL Variants

  • MySQL Community Edition 5.5 -> 8.0
  • MySQL Enterprise Edition
  • Percona Server 5.5 -> 5.7 -> 8.0
  • MariaDB 5.5, 10.X
  • Galera, Group Replication/InnoDB Cluster
  • X Protocol/mysqlsh (33060) -> 8.0

Links:

https://dev.mysql.com/doc/internals/en/x-protocol.html
https://dev.mysql.com/doc/internals/en/x-protocol-authentication-authentication.html

SLIDE 12

MySQL Security by Version

  • GRANT (3.23)
  • REVOKE (3.23)
  • SET PASSWORD (3.23)
  • SHOW GRANTS (3.23)
  • DROP USER (4.1)
  • SHOW PRIVILEGES (4.1)
  • CREATE USER (5.0)
  • RENAME USER (5.0)
  • ALTER USER (5.6)
  • SHOW CREATE USER (5.7)
  • CREATE ROLE (8.0)
  • DROP ROLE (8.0)
  • SET ROLE (8.0)
  • SET DEFAULT ROLE (8.0)
SLIDE 13

Important mysql.user table

  • < 5.5: host, user, password
  • > 5.5: authentication_string
  • > 5.6: password_expired
  • > 5.7: account_locked, password (removed)
  • > 8.0: create_role_priv, drop_role_priv

SLIDE 14

Security Features by MySQL Version

  • 5.1 - McAfee Audit plugin
  • 5.5 - pluggable authentication (MariaDB 5.2 backport), proxy users, changes in mysql.user table, client password warning; Enterprise provided Audit and PAM authentication (present again in Percona Server for MySQL and MariaDB Server)
  • 5.6 - encrypted client credentials (mysql_config_editor), sha256_password, password expiry, VALIDATE_PASSWORD_STRENGTH(), --random-passwords (optional random on install), mysql.user password_expired column; Enterprise Firewall
  • 5.7 - grep for root password on installation, password expiry every ‘n’ days, user accounts can be locked/unlocked, mysql_ssl_rsa_setup, mysql.user.password removed, super_read_only, at-rest tablespace encryption
  • 8.0 - roles + mysql.user changes
  • Percona Server
    ○ MySQL 5.5 - extended SHOW GRANTS, utility user, userstats, Audit Plugin
    ○ MySQL 5.6 - super_read_only
    ○ MySQL 5.7 - Vault plugin

SLIDE 15

Harden your MySQL Security

  • Set a password for ‘root’
  • Remove all anonymous users
  • Remove ‘test’ database (gone in 8.0)
  • Use mysql_secure_installation where possible (5.7)
  • Install (and use!) validate_password plugin (>= 5.6)
    ○ There are methods which circumvent this however ...
      ■ ... IDENTIFIED BY ‘*ABC...’ (passing the hash, allows using a weak password)
  • Ensure Path of Least Privilege
    ○ Stop using GRANT ALL on *.* ...
    ○ ALL includes: FILE, CREATE ROUTINE, SUPER, ...
    ○ Allowing write on mysql.user can allow injection of credentials that will be loaded at a later time!
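Added example covering this slide and the version list on slide 12 (not code from the deck): a hardening and audit script for MySQL 5.7, with the 8.0 role step marked. The accounts, hosts, schema name and placeholder passwords are assumptions.

```sql
-- Added example, not from the deck; 'app', 'reporting', 'legacy', the hosts
-- and the schema 'shop' are assumptions. Syntax is MySQL 5.7 unless marked 8.0.

-- 1. Anonymous accounts: list them, then drop each one by exact user@host.
SELECT user, host FROM mysql.user WHERE user = '';
DROP USER IF EXISTS ''@'localhost';            -- once per row returned above

-- 2. Accounts with no credential (authentication_string holds the hash once
--    mysql.user.password is gone in 5.7).
SELECT user, host, plugin FROM mysql.user
 WHERE authentication_string = '' OR authentication_string IS NULL;

-- 3. Remove the sample schema (absent in 8.0).
DROP DATABASE IF EXISTS test;

-- 4. Password policy. The plugin checks cleartext passwords only; a hash
--    literal bypasses it, so keep CREATE USER and GRANT OPTION rare.
INSTALL PLUGIN validate_password SONAME 'validate_password.so';
SET GLOBAL validate_password_policy = 'STRONG';
SET GLOBAL validate_password_length = 14;
-- INSTALL COMPONENT 'file://component_validate_password';    -- MySQL 8.0

-- 5. Least-privilege audit: who holds the dangerous parts of ALL on *.*?
SELECT user, host, Super_priv, File_priv, Create_routine_priv, Grant_priv
  FROM mysql.user
 WHERE Super_priv = 'Y' OR File_priv = 'Y' OR Grant_priv = 'Y';

--    Who can write the mysql schema (credential injection via mysql.user)?
SELECT user, host, 'global' AS scope FROM mysql.user
 WHERE Insert_priv = 'Y' OR Update_priv = 'Y'
UNION ALL
SELECT user, host, 'mysql schema' FROM mysql.db
 WHERE db = 'mysql' AND (Insert_priv = 'Y' OR Update_priv = 'Y');

-- 6. Scoped grants with expiry and lock instead of GRANT ALL ON *.*.
CREATE USER 'app'@'10.0.%' IDENTIFIED BY 'Replace-With-A-Strong-Pass-1!'
  PASSWORD EXPIRE INTERVAL 90 DAY;
GRANT SELECT, INSERT, UPDATE, DELETE ON shop.* TO 'app'@'10.0.%';
ALTER USER 'legacy'@'%' ACCOUNT LOCK;          -- disable rather than forget

-- 7. MySQL 8.0: the same scoped privileges bundled into a role.
CREATE ROLE 'app_rw';
GRANT SELECT, INSERT, UPDATE, DELETE ON shop.* TO 'app_rw';
CREATE USER 'reporting'@'10.0.%' IDENTIFIED BY 'Replace-With-A-Strong-Pass-2!';
GRANT 'app_rw' TO 'reporting'@'10.0.%';
SET DEFAULT ROLE 'app_rw' TO 'reporting'@'10.0.%';

-- 8. Confirm the result for each account.
SHOW GRANTS FOR 'app'@'10.0.%';
SHOW GRANTS FOR 'reporting'@'10.0.%' USING 'app_rw';
```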

SLIDE 16

MySQL Security in the Cloud

AWS Focused

SLIDE 17

Pillars of AWS Security

  • Data Protection
  • Privilege Management
  • Infrastructure Management
  • Detective Controls

SLIDE 18

AWS Security Best Practices

  • Know shared responsibility model
  • Manage AWS Accounts, IAM / MFA Users, Groups, and Roles
  • EC2 Topology management
    ○ VPC
  • RDS MySQL
    ○ RDS
    ○ AURORA
  • AWS Tools
    ○ CloudTrail
    ○ CloudWatch
    ○ Config

SLIDE 19

AWS Security Best Practices

  • RDS
    ○ Shared responsibility for container service
  • EC2
    ○ Amazon Machine Images (AMIs)
    ○ Operating systems
    ○ Applications
    ○ Data in transit
    ○ Data at rest
    ○ Data stores
    ○ Credentials - Key pairs
    ○ Policies and configuration

SLIDE 20

AWS Shared Responsibility Model

SLIDE 21

AWS IAM is your friend

  • Centrally manage users
  • Manage security credentials
    ○ passwords, access keys, and permissions policies
  • Beware of regions, availability zones, endpoints
  • AWS API keys require strict protection
    ○ E.g. code pushed to GitHub, Bitbucket etc. with keys

SLIDE 22

In addition to IAM

  • AWS Key Management Service
  • AWS CloudTrail
    ○ Audit logging, invaluable to know what occurred and when
  • AWS Macie - Data Classification Service
  • AWS Trusted Advisor
    ○ Automated tool to get reports on security groups etc. (if you spend enough)

https://aws.amazon.com/premiumsupport/ta-faqs/

SLIDE 23

Pre-configure and harden EC2 AMI

  • Disable root API access keys and secret key
  • Require MFA for all IAM accounts
  • Restrict access to instances from limited IP ranges using Security Groups
  • Password protect the .pem file on user machines
  • Delete keys from the authorized_keys file on your instances when someone leaves your organization or no longer requires access
  • Rotate credentials (DB, Access Keys)
  • Regularly run least privilege checks using IAM user Access Advisor and IAM user Last Used Access Keys
  • Use bastion hosts to enforce control and visibility

SLIDE 24

Utilizing AWS VPC

SLIDE 25

MySQL Data in Transit

  • Web Layer
    ○ Encrypt data in transit using IPSec ESP and/or SSL/TLS
    ○ Authenticate data integrity using IPSec ESP/AH, and/or SSL/TLS
    ○ Use IPSec with IKE with pre-shared keys
  • Database Layer
    ○ SSL/TLS is currently supported for connections to Amazon RDS MySQL
    ○ AWS provides a single self-signed certificate associated with the MySQL

SLIDE 26

AWS Trusted Advisor Tool Checks

  • Limited access to common administrative ports to only a small subset of addresses. This includes ports 22 (SSH), 23 (Telnet), 3389 (RDP), and 5500 (VNC).
  • Limited access to common database ports. This includes ports 1433 (MSSQL Server), 1434 (MSSQL Monitor), 3306 (MySQL), 1521 (Oracle) and 5432 (PostgreSQL).
  • IAM is configured to help ensure secure access control of AWS resources.
  • Multi-factor authentication (MFA) token is enabled to provide two-factor authentication for the root AWS account.

SLIDE 27

References and Credits

References:

  • AWS Security Best Practices
  • IAM Best Practices
  • Amazon Virtual Private Cloud Connectivity Options
  • VPC Networking Components
  • SSL Connections in MySQL 5.7
  • ProxySQL Improves MySQL SSL Connections
  • Everything about MySQL Users and Logins You Didn’t Know and Were Afraid to Ask

Credits:

  • Colin Charles
  • Janos Ruszo
  • Tibor Korocz
  • Jervin Real
  • Daniel van Eeden

SLIDE 28

Questions and Answers

SLIDE 29

Thank You Sponsors!!

SLIDE 30

Rate My Session