securing your database servers from external attacks
play

Securing your database servers from external attacks Alkin Tezuysal - PowerPoint PPT Presentation

Oct 13, 2023 •112 likes •429 views

Securing your database servers from external attacks Alkin Tezuysal (Sr. Technical Manager,Percona) David Busby (Information Security Architect, Percona) Who we are? David Busby (@icleus) Alkin Tezuysal ( @ask_dba ) Technical

  1. Securing your database servers from external attacks Alkin Tezuysal (Sr. Technical Manager,Percona) David Busby (Information Security Architect, Percona)

  2. Who we are? David Busby (@icleus) Alkin Tezuysal ( @ask_dba ) ● ● Technical Security Evangelist Open Source Database Evangelist ● ● Open Source Evangelist Global Database Operations Expert ● ● Certified Information Systems Security Professional Cloud Infrastructure Architect AWS ● ● Assistant Scout Leader Inspiring Technical and Strategic Leader ● ● Assistant Instructor computing for children Creative Team Builder ● ● Ju-Jitsu nidan and ex-Instructor Speaker, Mentor, and Coach ● Outdoor Enthusiast 2

  3. Agenda Security Common Sense ● MySQL Security ● MySQL Passwords ○ MySQL Communication ○ MySQL Encryption ○ Security Best Practices ● MySQL Security in Cloud Operators (AWS) ● Q & A ● 3

  4. Database Security Best Practices Apply Common Sense here

  5. Security Do’s Restrict access to database hosts ● Not just to the Database service ○ Create individual users, use roles MySQL 8.0 ● Set a password for all users ● Remove anonymous and obsolete users ● Use up-to-date software ● Review, update, modify security policies as needed ● Always remember to secure internal before blocking ● external vulnerabilities 5

  6. Password Attacks Weak passwords? ● Reusing old passwords? ● Leverage password validation plugin! ● Old version of MySQL those not password feature ● rich? MySQL unsha1 attack ● MySQL hash cracking OSS (john, hashcat, etc...) ● 6

  7. Network Operations All connections must use SSL (or other encryption) ● Performance impact is minimal versus risks ○ Mysql ~>= 5.7 has SSL connection by default ● Ensure >= 5.7.13 ○ Network encrypted tunnel options ● N2N, openvpn (TLS), ssh tunnel, IPSEC, ○ Links: https://www.percona.com/blog/2017/06/27/ssl-connections-in-mysql-5-7/ https://www.percona.com/blog/2017/09/19/proxysql-improves-mysql-sslconnections/ http://databaseblog.myname.nl/2017/05/mysql-and-ssltls-performance.html https://github.com/ntop/n2n 7

  8. MySQL Data Encryption Disk Volume encryption ● BitLocker, FileVault2, LUKS, eCryptFS, Veracrypt, ○ EBS encrypted volumes (please use KMS for encryption keys!) At-rest encryption for InnoDB tablespace ● At-rest encryption for binary logs ● Links: https://dev.mysql.com/doc/refman/5.7/en/faqs-tablespace-encryption.html https://docs.oracle.com/cd/E17952_01/mysql-5.7-en/innodb-tablespace-encryption.html https://www.percona.com/doc/percona-server/LATEST/management/data_at_rest_encryption.html 8

  9. Connection Overhead https://tinyurl.com/ycldtnpk https://tinyurl.com/y7v7jhmo 9

  10. Security Features by MySQL MySQL variants

  11. MySQL Variants MySQL Community Edition 5.5 -> 8.0 ● MySQL Enterprise Edition ● Percona Server 5.5 -> 5.7 -> 8.0 ● MariaDB 5.5, 10.X ● Galera, Group Replication/InnoDB Cluster ● X Protocol/mysqlsh (33060) -> 8.0 ● Links: https://dev.mysql.com/doc/internals/en/x-protocol.html https://dev.mysql.com/doc/internals/en/x-protocol-authentication-authentication.html 11

  12. MySQL Security by Version ● GRANT (3.23) ● ALTER USER (5.6) ● REVOKE (3.23) ● SHOW CREATE USER (5.7) ● SET PASSWORD (3.23) ● CREATE ROLE (8.0) ● SHOW GRANTS (3.23) ● DROP ROLE (8.0) ● DROP USER (4.1) ● SET ROLE (8.0) ● SHOW PRIVILEGES (4.1) ● SET DEFAULT ROLE (8.0) ● CREATE USER (5.0) ● RENAME USER (5.0) 12

  13. Important mysql.user table < 5.5 host user password > 5.5 authentication_string > 5.6 password_expired > 5.7 account_locked password (removed) > 8.0 create_role_priv drop_role_priv 13

  14. Security Features by MySQL Version ● 5.1 - McAfee Audit plugin ● 5.7 - grep for root password on installation, ● 5.5 - pluggable authentication (MariaDB 5.2 password expiry every ‘n’ days, user accounts backport), proxy users, changes in mysql.user can be locked/unlocked, mysql_ssl_rsa_setup, table, client password warning; Enterprise mysql.user.password removed, provided Audit and PAM authentication (present super_read_only, at rest tablespace encryption again in Percona Server for MySQL and ● 8.0 - roles + mysql.user changes MariaDB Server) ● Percona Server ● 5.6 - encrypted client credentials ○ MySQL 5.5 - extended SHOW GRANTS, (mysql_config_editor), sha256_password, utility user, userstats , Audit Plugin password expiry, ○ MySQL 5.6 - super_read_only VALIDATE_PASSWORD_STRENGTH(), --random-passwords (optional random on ○ MySQL 5.7 - Vault plugin install), mysql.user password_expired column; Enterprise Firewall 14

  15. Harden your MySQL Security ● Set a password for ‘root’ ● Remove all anonymous users ● Remove ‘test’ database (gone on 8.0) ● Use mysql_secure_installation where possible (5.7) ● Install (and use!) validate_password plugin (>= 5.6) ○ There are methods which circumvent this however ... ... IDENTIFIED BY ‘*ABC...’ (passing the hash, allows using a weak password) ■ ● Ensure Path of Least Privilege ○ Stop using GRANT ALL on *.*... ○ ALL includes: FILE, CREATE_ROUTINE, SUPER, ○ Allowing write on mysql.users can allow injection of credentials that will be loaded at a later time! 15

  16. MySQL Security in the Cloud AWS Focused

  17. Pillars of AWS Security Data Protection Privilege Management Security Infrastructure Detective Controls Management 17

  18. AWS Security Best Practices ● Know shared responsibility model ● Manage AWS Accounts, IAM / MFA Users, Groups, and Roles ● EC2 Topology management ○ VPC ● RDS MySQL ○ RDS ○ AURORA ● AWS Tools ○ CloudTrail ○ CloudWatch ○ Config 18

  19. AWS Security Best Practices ● RDS ○ Shared responsibility for container service ● EC2 ○ Amazon Machine Images (AMIs) ○ Operating systems • Applications ○ Data in transit ○ Data at rest ○ Data stores ○ Credentials - Key pairs ○ Policies and configuration 19

  20. AWS Shared Responsibility Model 20

  21. AWS IAM is your friend ● Centrally manage users ● Manage security credentials ○ passwords, access keys, and permissions policies ● Beware of regions, availability zones, endpoints ● AWS API keys require strict protection ○ E.g. code pushed to Github, Bitbucket etc with keys 21

  22. In addition to IAM ● AWS Key Management Service ● AWS CloudTrail ○ Audit logging, invaluable to know what occurred and when ● AWS Maice - Data Classification Service ● AWS Trusted Advisor ○ Automated tool to get reports on security groups etc (if you spend enough) https://aws.amazon.com/premiumsupport/ta-faqs/ 22

  23. Pre-configure and harden EC2 AMI ● Disable root API access keys and secret key ● Require MFA for all IAM accounts ● Restrict access to instances from limited IP ranges using Security Groups ● Password protect the .pem file on user machines ● Delete keys from the authorized_keys file on your instances when someone leaves your organization or no longer requires access ● Rotate credentials (DB, Access Keys) ● Regularly run least privilege checks using IAM user Access Advisor and IAM user Last Used Access Keys ● Use bastion hosts to enforce control and visibility 23

  24. Utilizing AWS VPC 24

  25. MySQL Data in Transit ● Web Layer ○ Encrypt data in transit using IPSec ESP and/or SSL/TLS ○ Authenticate data integrity using IPSec ESP/AH, and/or SSL/TLS ○ Use IPSec with IKE with pre-shared keys ● Database Layer ○ SSL/TLS is currently supported for connections to Amazon RDS MySQL ○ AWS provides a single self-signed certificate associated with the MySQL 25

  26. AWS Trusted Advisory Tool Checks ● Limited access to common administrative ports to only a small subset of addresses. This includes ports 22 (SSH), 23 (Telnet) 3389 (RDP), and 5500 (VNC). ● Limited access to common database ports. This includes ports 1433 (MSSQL Server), 1434 (MSSQL Monitor), 3306 (MySQL) , Oracle (1521) and 5432 (PostgreSQL). ● IAM is configured to help ensure secure access control of AWS resources. ● Multi-factor authentication (MFA) token is enabled to provide two-factor authentication for the root AWS account. 26

  27. References and Credits References: Credits: ● Colin Charles ● AWS Security Best Practices ● Janos Ruzso ● AIM Best Practices ● Tibor Korocz ● Amazon Virtual Private Cloud ● Jervin Real Connectivity Options ● Daniel van Eeden ● VPC Networking Components ● SSL Connections in MySQL 5.7 ● ProxySQL Improves MySQL SSL Connections ● Everything about MySQL Users and Logins You Didn’t Know and Were Afraid to Ask 27

  28. Questions and Answer

  29. Thank You Sponsors!! 29

  30. Rate My Session 30

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

SQL Injection Attacks Many web servers have backing databases Much of their information

SQL Injection Attacks Many web servers have backing databases Much of their information

SQL Injection Attacks Many web servers have backing databases Much of their information stored in a database Web pages are built (in part) based on queries to a database Possibly using some client input . . . Lecture 16 Page 1

646 views • 21 slides
Securing PostgreSQL From External Attack B RUCE M OMJIAN January, 2012 Database systems are rich

Securing PostgreSQL From External Attack B RUCE M OMJIAN January, 2012 Database systems are rich

Securing PostgreSQL From External Attack B RUCE M OMJIAN January, 2012 Database systems are rich with attack vectors to exploit. This presentation explores the many potential PostgreSQL external vulnerabilities and shows how they can be

318 views • 29 slides
NEBC Database Course 2008 Database Servers Database Interfaces Tim Booth : tbooth@ceh.ac.uk

NEBC Database Course 2008 Database Servers Database Interfaces Tim Booth : tbooth@ceh.ac.uk

NEBC Database Course 2008 Database Servers Database Interfaces Tim Booth : tbooth@ceh.ac.uk What is an RDBMS? A PostgreSQL database is not just kept in a big file, like a spreadsheet. A program called the database server, or RDBMS,

323 views • 14 slides
Securing Linux VMs in a Hosted Environment mikbras@microsoft.com Goal attacks from the

Securing Linux VMs in a Hosted Environment mikbras@microsoft.com Goal attacks from the

Securing Linux VMs in a Hosted Environment mikbras@microsoft.com Goal attacks from the outside To protect Linux VMs from outside attacks (from processes running on the host). Injecting code into the boot chain. Stealing data from

559 views • 18 slides
DATABASE SYSTEMS Database programming in a web environment Database System Course AGENDA FOR

DATABASE SYSTEMS Database programming in a web environment Database System Course AGENDA FOR

DATABASE SYSTEMS Database programming in a web environment Database System Course AGENDA FOR TODAY The final project Advanced Mysql Database programming Recap: DB servers in the web Web programming architecture HTTP on a need-to-know basis.

688 views • 54 slides
CSE 132C Database System Implementation Arun Kumar Topic 3: External Sorting Chapter 13 of

CSE 132C Database System Implementation Arun Kumar Topic 3: External Sorting Chapter 13 of

CSE 132C Database System Implementation Arun Kumar Topic 3: External Sorting Chapter 13 of Cow Book Slide ACKs: Jignesh Patel, Paris Koutris 1 External Sorting: Outline Overview and Warm-up Multi-way External Merge Sort (EMS)

332 views • 20 slides
DATABASE SYSTEMS Database programming in a web environment Database System Course, 2016-2017

DATABASE SYSTEMS Database programming in a web environment Database System Course, 2016-2017

DATABASE SYSTEMS Database programming in a web environment Database System Course, 2016-2017 AGENDA FOR TODAY The final project Advanced Mysql Database programming Recap: DB servers in the web Web programming architecture HTTP on a

845 views • 53 slides
Database Systems External Sort Based on slides by Feifei Li, University of Utah Whats external

Database Systems External Sort Based on slides by Feifei Li, University of Utah Whats external

Database Systems External Sort Based on slides by Feifei Li, University of Utah Whats external sorting? n Problem: sort 1TB of data with 1GB of RAM. why not virtual memory? Swap involves expensive IOs 2 Using secondary storage

646 views • 30 slides
Preventing brute force attacks against stack canary protector on networking servers Hector

Preventing brute force attacks against stack canary protector on networking servers Hector

Preventing brute force attacks against stack canary protector on networking servers Hector Marco Preventing brute force attacks against stack canary protector on networking servers Hector Marco-Gisbert , Ismael Ripoll Universit` at Polit`

721 views • 44 slides
Database servers on chip multiprocessors: limitations and opportunities N. Hardavellas N.

Database servers on chip multiprocessors: limitations and opportunities N. Hardavellas N.

Database servers on chip multiprocessors: limitations and opportunities N. Hardavellas N. Mancheril I. Pandis A. Ailamaki R. Johnson B. Falsafi Benjamin Reilly September 27, 2011 Tuesday, 27 September, 11 The fattened cache (and CPU)

970 views • 19 slides
Resilient Networking 6: Attacks on DNS 1 Chapter Outline Overview of DNS Known attacks

Resilient Networking 6: Attacks on DNS 1 Chapter Outline Overview of DNS Known attacks

Resilient Networking 6: Attacks on DNS 1 Chapter Outline Overview of DNS Known attacks on DNS Denial-of-Service Cache Poisoning Securing DNS Split-Split-DNS DNSSEC 2 DNS The Domain Name System Naming Service

1.15k views • 46 slides
This Lecture General Database Security Privileges Database Security Granting

This Lecture General Database Security Privileges Database Security Granting

This Lecture General Database Security Privileges Database Security Granting Revoking Views Database Systems SQL Insertion Attacks Michael Pound Further Reading The Manga Guide to Databases, Chapter 5 Database

285 views • 7 slides
Web Security Thierry Sans Securing the web architecture means securing ... The network

Web Security Thierry Sans Securing the web architecture means securing ... The network

Web Security Thierry Sans Securing the web architecture means securing ... The network The operating system The web server ( Apache for instance) The administration server ( SSH for instance) The database ( Oracle for instance)

1.37k views • 61 slides
Database-Powered Web Servers Alexandros Labrinidis Univ. of Pittsburgh labrinid@cs.pitt.edu

Database-Powered Web Servers Alexandros Labrinidis Univ. of Pittsburgh labrinid@cs.pitt.edu

Database-Powered Web Servers Alexandros Labrinidis Univ. of Pittsburgh labrinid@cs.pitt.edu Examples of db-powered web sites Google.com (search engine) Amazon.com (shopping) eBay.com (auctions) WellsFargo.com (online banking)

1.03k views • 21 slides
Securing History: Privacy and Accountability in Database Systems Gerome Miklau (Joint work with

Securing History: Privacy and Accountability in Database Systems Gerome Miklau (Joint work with

Securing History: Privacy and Accountability in Database Systems Gerome Miklau (Joint work with Brian Levine &amp; Patrick Stahlberg) University of Massachusetts, Amherst History a record of past data and operations performed on a system.

777 views • 29 slides
Learning to Reconstruct: Statistical Learning Theory and Encrypted Database Attacks Paul Grubbs ,

Learning to Reconstruct: Statistical Learning Theory and Encrypted Database Attacks Paul Grubbs ,

Learning to Reconstruct: Statistical Learning Theory and Encrypted Database Attacks Paul Grubbs , Marie-Sarah Lacharit, Brice Minaud, Kenny Paterson pag225@cornell.edu, @pag_crypto Outsourced Databases Database Encrypting Outsourced

705 views • 23 slides
Ohms Law in Data Centers: A Voltage Side Channel for Timing Power Attacks Mohammad A. Islam and

Ohms Law in Data Centers: A Voltage Side Channel for Timing Power Attacks Mohammad A. Islam and

Ohms Law in Data Centers: A Voltage Side Channel for Timing Power Attacks Mohammad A. Islam and Shaolei Ren UC Riverside Acknowledgement: This work was supported in part by the U.S. NSF under grants CNS-1551661 and ECCS-1610471. Cloud data

1.15k views • 75 slides
SENSS Against Volumetric DDoS Attacks Sivaram Ramanathan 1 , Jelena Mirkovic 1 , Minlan Yu 2 and

SENSS Against Volumetric DDoS Attacks Sivaram Ramanathan 1 , Jelena Mirkovic 1 , Minlan Yu 2 and

SENSS Against Volumetric DDoS Attacks Sivaram Ramanathan 1 , Jelena Mirkovic 1 , Minlan Yu 2 and Ying Zhang 3 1 University of Southern California/Information Sciences Institute 2 Harvard University 3 Facebook 1 DDoS attacks Volumetric DDoS

604 views • 56 slides
A First Joint Look at DoS Attacks and BGP Blackholing in the Wild Mattijs Jonker Aiko Pras

A First Joint Look at DoS Attacks and BGP Blackholing in the Wild Mattijs Jonker Aiko Pras

A First Joint Look at DoS Attacks and BGP Blackholing in the Wild Mattijs Jonker Aiko Pras (UTwente) Alberto Dainotti (CAIDA / UC San Diego) Anna Sperotto (UTwente) Denial-of-Service attacks A conceptually simple, yet effective class of

750 views • 33 slides
CSCI 4250/6250 Fall 2013 Computer and Networks Security Web Security Goodrich, Chapter 7

CSCI 4250/6250 Fall 2013 Computer and Networks Security Web Security Goodrich, Chapter 7

CSCI 4250/6250 Fall 2013 Computer and Networks Security Web Security Goodrich, Chapter 7 The Web Application Hackers Handbook, 2/e WWW Evolution Past vs. Future In the past web was made of static pages Today, highly

1.09k views • 63 slides
The Road Ahead Security Vulnerabilities DoS and D-DoS Firewalls Security

The Road Ahead Security Vulnerabilities DoS and D-DoS Firewalls Security

CS 640: Introduction to Computer Networks Aditya Akella Lecture 25 Network Security The Road Ahead Security Vulnerabilities DoS and D-DoS Firewalls Security Vulnerabilities Security Problems in the TCP/IP Protocol

1.29k views • 13 slides
LINUX / C++ PROTECTION FEATURES CS4414 Lecture 26 CORNELL CS4414 - FALL 2020. 1 IDEA MAP FOR

LINUX / C++ PROTECTION FEATURES CS4414 Lecture 26 CORNELL CS4414 - FALL 2020. 1 IDEA MAP FOR

Professor Ken Birman LINUX / C++ PROTECTION FEATURES CS4414 Lecture 26 CORNELL CS4414 - FALL 2020. 1 IDEA MAP FOR TODAY Firewalls Memory Protection Type Checking as a Protection Tool VMs and Containers Intel SGX Security CORNELL CS4414 -

595 views • 43 slides
It was requested by people from all over the world and shared its knowledge. Bu But t th the

It was requested by people from all over the world and shared its knowledge. Bu But t th the

HE DATA KRAKEN is an ancient oracle of wisdom and knowledge. It was requested by people from all over the world and shared its knowledge. Bu But t th the e or orac acle le became hungry for information

997 views • 42 slides
ROUND COMPLEXITY LOWER BOUND OF ISC PROTOCOL IN THE PARALLELIZABLE MODEL Huijing Gong CMSC 858F

ROUND COMPLEXITY LOWER BOUND OF ISC PROTOCOL IN THE PARALLELIZABLE MODEL Huijing Gong CMSC 858F

ROUND COMPLEXITY LOWER BOUND OF ISC PROTOCOL IN THE PARALLELIZABLE MODEL Huijing Gong CMSC 858F Overview Background Byzantine Generals Problem Network Model w/o Pre-existing Setup ISC Protocol in Parallelizable Model ISC,

841 views • 17 slides

More recommend