
Database Systems Security in an Enterprise Environment



  1. Database Systems Security in an Enterprise Environment Paul J. Wagner University of Wisconsin – Eau Claire St. Cloud Security Workshop, May 2003 http://www.cs.uwec.edu/~wagnerpj/security/

  2. Database Systems Security – Background
  • Need
    • Security curriculum is relatively light in the database systems area
    • Focus is currently on protecting information through network configuration, systems administration and application security
    • Need to specifically consider database system security issues
    • What is most valuable: the data, the systems, or the network?
  • Goals
    • Understand security issues in a general database system environment
    • Consider database security issues in the context of general security principles and ideas
    • Focus on Oracle as a common DBMS, but realize there are similar issues for other DBMSs

  3. Main Message
  • Database system security is more than securing the database
    • Secure database
    • Secure DBMS
    • Secure applications
    • Secure operating system (in relation to the database system)
    • Secure web server (in relation to the database system)
    • Secure network environment (in relation to the database system)

  4. Secure Database(s)
  • Traditional database security topics and issues
  • Users and passwords
    • Default users/passwords
      • Oracle: sys and system accounts are privileged and ship with default passwords
      • Oracle: scott account is a well-known account and password, and is a member of the public group
        • e.g. public can access the all_users table
    • Need for general password policies (length, domain, changing, protection, …)
    • Need for general account policies (who gets one, what level of privilege, when it expires, …)

  5. Secure Database(s) – cont.
  • Privileges and roles
    • Privileges
      • System privileges: on actions (e.g. selecting, deleting, creating, …)
      • Object privileges: on data objects (e.g. on a particular table)
    • Roles
      • Collections of system privileges
      • Advantage: easier management
      • Disadvantage: tend to give more privilege than needed
      • Commonly heard Oracle user request: “Just give me DBA role to make it work and we’ll figure out the exact privilege I need later.”
  • Grant / Revoke
    • Giving (removing) privileges or roles to (from) users
    • Problem: often done haphazardly
    • Need for continual management of privileges and roles
    • Need for policies on privilege/role management

  6. Secure DBMS
  • Possible holes in the DBMS
    • Oracle: http://technet.oracle.com/deploy/security/alerts.htm (50+ listed)
    • Types of exploits
      • Buffer overflow problems in DBMS code
      • Miscellaneous attacks (denial of service, source code disclosure of JSPs, others)
    • Similar information available for DB2, SQL Server, PostgreSQL, MySQL, …
  • Oracle: UTL_FILE package in PL/SQL
    • allows read/write access to files in the directory specified by the utl_file_dir parameter in init.ora
    • possible access to other files through symbolic links placed in that directory

  7. Secure DBMS (cont.)
  • Need for continual patching of the DBMS
    • Encourage awareness of DBMS vulnerability issues
    • Continuous vigilance is essential
  • Cost of not patching can be huge
  • SQL Slammer Worm (January 2003)
    • fast propagation: a maximum scan rate of about 55 million scans/second
    • affected approximately 80,000 systems and significant segments of the Internet
    • a single 376-byte UDP packet (to port 1434, the SQL Server Resolution Service) that exploited a buffer overflow vulnerability in SQL Server 2000 / MSDE 2000
    • the patch (MS02-039) had been available for about six months
    • significant effects on business database servers: credit verification, phone systems, banks/ATMs

  8. Secure DBMS (cont.)
  • Use the security features of the DBMS
    • Oracle: Virtual Private Databases (VPDs)
      • Support for fine-grained data security (e.g. multiple clients can have data in the same schema without knowing the other data is there)
    • Oracle: Oracle Label Security
      • Uses VPDs to achieve row-level security, controlled from the Policy Manager tool under Enterprise Manager
  • Implement auditing
    • Good policy: develop a comprehensive audit system for database activity tracking
    • DBMS tools, user-developed tools (e.g. using triggers)
    • Oracle: audit records can be written to the OS as well as into the database, for additional security and accountability for all working with databases
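The "user-developed tools (e.g. using triggers)" bullet above, as an added example that is not part of the original slides: a trigger-based audit trail built with Python's sqlite3 in place of Oracle. The accounts table, the audit table and the sample rows are constructed for this example. An Oracle trigger would additionally record the acting user via SYS_CONTEXT('USERENV', 'SESSION_USER'), which sqlite has no equivalent for, so the audit row here carries only the action, the key and the old/new values.

```python
"""Added example (not from the original slides): audit trail via triggers.

Every INSERT/UPDATE/DELETE on the audited table writes a row to a separate
audit table. The schema and sample rows are constructed for this example.
"""
import sqlite3

# Constructed schema: one audited table plus the audit table it feeds.
AUDIT_SCHEMA = """
CREATE TABLE accounts (
    id      INTEGER PRIMARY KEY,
    owner   TEXT NOT NULL,
    balance INTEGER NOT NULL
);
CREATE TABLE accounts_audit (
    audit_id    INTEGER PRIMARY KEY,
    action      TEXT NOT NULL,            -- INSERT / UPDATE / DELETE
    account_id  INTEGER,
    old_balance INTEGER,                  -- NULL for INSERT
    new_balance INTEGER,                  -- NULL for DELETE
    changed_at  TEXT DEFAULT (datetime('now'))
);
-- AFTER triggers fire once the change is committed to the row, so the
-- audit row reflects what actually happened (NEW/OLD are the row images).
CREATE TRIGGER accounts_ai AFTER INSERT ON accounts BEGIN
    INSERT INTO accounts_audit (action, account_id, old_balance, new_balance)
    VALUES ('INSERT', NEW.id, NULL, NEW.balance);
END;
CREATE TRIGGER accounts_au AFTER UPDATE ON accounts BEGIN
    INSERT INTO accounts_audit (action, account_id, old_balance, new_balance)
    VALUES ('UPDATE', NEW.id, OLD.balance, NEW.balance);
END;
CREATE TRIGGER accounts_ad AFTER DELETE ON accounts BEGIN
    INSERT INTO accounts_audit (action, account_id, old_balance, new_balance)
    VALUES ('DELETE', OLD.id, OLD.balance, NULL);
END;
"""


def make_audited_db():
    """In-memory database with the audited table and its triggers installed."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(AUDIT_SCHEMA)
    return conn


def audit_trail(conn):
    """Return the audit rows in the order they were written."""
    return conn.execute(
        "SELECT action, account_id, old_balance, new_balance "
        "FROM accounts_audit ORDER BY audit_id"
    ).fetchall()


def demo():
    """Perform a constructed insert/update/delete and return the audit trail."""
    conn = make_audited_db()
    conn.execute("INSERT INTO accounts (id, owner, balance) VALUES (1, 'alice', 100)")
    conn.execute("UPDATE accounts SET balance = 250 WHERE id = 1")
    conn.execute("DELETE FROM accounts WHERE id = 1")
    return audit_trail(conn)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The audit table is only worth as much as its protection: the accounts the triggers fire for must have no privilege to modify or drop accounts_audit or the triggers themselves, which is why the slide also points at writing audit records outside the database.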

  9. Secure Application Development
  • Access to the database system is often through applications
  • Example: SQL injection attack through a web front end
    • Scenario: the software system tracks its own usernames and passwords in the database
    • Client application accepts a username and password and passes them as parameters
    • An SQL query is built dynamically, combining SQL text pieces in the server application with the client-supplied parameters
    • DBMS executes the query on the system user table, checking for a valid user/password combination in this table
    • DBMS returns 0, 1 or more user/password rows to the application
    • Application checks the result and allows or denies access accordingly

  10. SQL Injection
  • The application's Java code builds the SQL statement by string concatenation:
      String query = "SELECT * FROM users_table WHERE username = '" + username + "' AND password = '" + password + "'";
    • SQL string literals must be single-quoted, so the application wraps each parameter in quotes itself
  • The application expects one (valid) row to be returned on success, no rows on failure
  • The attacker enters an arbitrary username, anyname, but a special “password” of: Aa' OR '' = '
  • The dynamically constructed query becomes:
      SELECT * FROM users_table WHERE username = 'anyname' AND password = 'Aa' OR '' = ''
  • WHERE clause: AND binds tighter than OR, so (F AND F) OR T => F OR T => T
  • All user rows are returned to the application
  • If the application only checks for 0 vs. more than 0 rows, the attacker is in
  • Client-supplied input must never become SQL text: the robust fix is to pass parameters as bind variables (e.g. a JDBC PreparedStatement with ? placeholders) rather than concatenating them; filtering special characters out of client-side parameters is a weaker, secondary measure
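The login check from slide 10, as an added example that is not part of the original slides: the string-concatenated query is reproduced with Python's sqlite3 in place of Oracle and JDBC, beside the bind-variable version that defeats the same input. The users_table rows and the attacker's input are constructed for this example; Oracle's quoting rules for string literals are the same as sqlite's here, so the payload behaves as the slide describes.

```python
"""Added example (not from the original slides): the slide 10 login query,
vulnerable and fixed, run against an in-memory sqlite3 database.

Table contents and the attacker's input are constructed for this example.
"""
import sqlite3


def make_db():
    """In-memory database with a constructed users_table of two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_table (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users_table VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],  # constructed sample rows
    )
    return conn


def login_vulnerable(conn, username, password):
    """The slide's approach: user input is spliced into the SQL text.

    Returns the number of rows the DBMS hands back; the application on the
    slide treats "more than 0" as a successful login.
    """
    query = (
        "SELECT * FROM users_table WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return len(conn.execute(query).fetchall())


def login_safe(conn, username, password):
    """Same check with bind parameters: the input is data, never SQL text.

    A quote in the password is compared literally against the column, so
    the OR '' = '' trick cannot alter the WHERE clause.
    """
    query = "SELECT * FROM users_table WHERE username = ? AND password = ?"
    return len(conn.execute(query, (username, password)).fetchall())


# The slide's payload: closes the password literal, appends a tautology, and
# leaves the application's own closing quote to complete the empty string.
INJECTION_PASSWORD = "Aa' OR '' = '"


def demo():
    """Return (vulnerable_rows, safe_rows) for the slide's attacker input."""
    conn = make_db()
    return (
        login_vulnerable(conn, "anyname", INJECTION_PASSWORD),
        login_safe(conn, "anyname", INJECTION_PASSWORD),
    )


if __name__ == "__main__":
    vulnerable_rows, safe_rows = demo()
    print("concatenated query returned", vulnerable_rows, "rows")
    print("parameterised query returned", safe_rows, "rows")
```

With the constructed table the concatenated query returns every user row (2), so the slide's "0 vs. more than 0" check lets the attacker in, while the parameterised query returns none. Checking for exactly one row instead of "more than 0" narrows the window but is not a fix; only keeping input out of the SQL text is.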

  11. Secure Application Development
  • Application security in the enterprise environment
    • J2EE
    • .NET
    • Large number of interactions between the application environment and database systems
  • Tactic: use of proxy applications
    • Assumes network filtering stops most problem traffic
    • Application can control fine-grained behavior and application-protocol security
  • Security patterns (from J2EE Design Patterns Applied)
    • Single-Access Point pattern: a single point of entry into the system
    • Check Point pattern: centralized enforcement of authorization when requesting resources
    • Role pattern: disassociation of users and privileges for easier management

  12. Secure Operating System
  • Interaction of DBMS and OS
  • Oracle on Windows
    • Secure administrative accounts
    • Control registry access
    • Need good account policies
    • Others…
  • Oracle on Linux/Unix
    • Choose different account names than the standard suggestions
    • Restrict use of the account that owns the Oracle software
    • Secure the temporary directory
    • Some Oracle files are SUID (root)
    • Command-line SQL*Plus invoked with user/password parameters exposes the password to any local user in ps output
    • Others…

  13. Secure Web Server
  • Interaction of Oracle and web server
    • Apache is now provided within Oracle as its application server (Oracle HTTP Server), started by default
  • Apache issues
    • Standard configuration has some potential problems
    • See the Oracle Security Handbook for more discussion
    • Ensure secure communication from web clients to the web server
    • Use MaxClients to limit possible connections and avoid denial-of-service attacks
    • Others…
  • Internet Information Server (IIS) issues
    • Integration with other MS products (e.g. Exchange Server)
    • Known vulnerabilities
    • Others…

  14. Secure Web Server (cont.)
  • Web is often the front end / gateway to the DBMS
  • DBMS/database should be a black box to the user
  • Attacker can force errors, trying to gain information
  • Which error message should be displayed when asking for an incorrectly named Java Server Page?
    • Option 1: Sorry, that file is not found
    • Option 2:
      java.io.FileNotFoundException: /u01/prodcomm/portal/x.jsp
        at java.io.FileInputStream.open(Native method)
        at java.io.FileInputStream.(FileInputStream.java:64)
        at oracle.jsp.provider.JspFilesystemResource(…)
        at oracle.jsp.app.JspAppLoader.reloadPage(JSPAppLoader.java)
        ….
    • The second reveals the filesystem layout and the JSP engine in use; show the user the first and keep the stack trace in the server log

  15. Secure Network
  • Interaction of DBMS and network
    • DBMS server should be behind a firewall
    • Good to separate DB and web servers (mitigates losses if one is hacked)
    • DB server should be behind the firewall, web server usually in the DMZ
    • Oracle: connections are normally initiated on port 1521 (the listener), but the listener may then redirect the client to a dynamically selected port, so management of port access at the firewall is made more difficult
    • Anyone with Oracle client software who knows your host IP/name and database instance name can configure a client to connect to your database instance
  • Oracle Advanced Security (OAS) product
    • Features for authentication, integrity and encryption (use of SSL)
  • Other network issues to consider
    • Possibility of hijacking a privileged user connection
    • Various sniffing and spoofing issues

  16. Messages Revisited
  • Database system security is more than securing the database
    • Secure database
    • Secure DBMS
    • Secure applications
    • Secure operating system
    • Secure web server
    • Secure network environment
  • General security principles apply in database system security
    • Security is a process, not a product
    • The security chain is only as strong as its weakest link
    • The best security defense utilizes multiple layers

  17. References
  • Theriault and Newman, “Oracle Security Handbook”, Osborne/Oracle Press, 2001.
  • Kreines and Laskey, “Oracle Database Administration: The Essential Reference”, O’Reilly, 1999.
  • “Investigation of Default Oracle Accounts”, http://www.pentest-limited.com/user-tables.pdf
  • Again, slides and security links are available at: http://www.cs.uwec.edu/~wagnerpj/security/
