Database Security in an Enterprise Environment (PPT) - Computer ...
Presentation Transcript

  • Database Systems Security in an Enterprise Environment – Paul J. Wagner, University of Wisconsin – Eau Claire; St. Cloud Security Workshop, May 2003
  • Database Systems Security – Background
    • Need
      • Security curriculum is relatively light in database systems area
        • Focus currently on protecting information through network configuration, systems administration, application security
        • Need to specifically consider database system security issues
      • What is most valuable – data, systems, or network?
    • Goals
      • Understand security issues in a general database system environment
      • Consider database security issues in context of general security principles and ideas
      • Focus on Oracle as a common DBMS, but realize there are similar issues for other DBMSs
  • Main Message
    • Database system security is more than securing the database
      • Secure database
      • Secure DBMS
      • Secure applications
      • Secure operating system (in relation to database system)
      • Secure web server (in relation to database system)
      • Secure network environment (in relation to database system)
  • Secure Database(s)
    • Traditional database security topics and issues
      • Users and Passwords
        • Default users/passwords
          • Oracle: sys, system accounts – privileged, with default passwords
          • Oracle: scott account – well-known account and password, part of public group
            • e.g. public can access all_users table
        • Need for general password policies (length, domain, changing, protection, …)
        • Need for general account policies (who gets, what level of privilege, when expires, …)
  • Secure Database(s) – cont.
      • Privileges and Roles
        • Privileges
          • System – on actions (e.g. selecting, deleting, creating, …)
          • Object – on data objects (e.g. on particular table)
        • Roles
          • Collections of system privileges
          • Advantage: easier management
          • Disadvantage: tend to give more privilege than needed
            • Commonly heard Oracle user request: “Just give me DBA role to make it work and we’ll figure out the exact privilege I need later.”
        • Grant / Revoke
          • Giving (removing) privileges or roles to (from) users
          • Problem – often done haphazardly
        • Need for continual management of privileges and roles
        • Need for policies on privilege/role management
  • Secure DBMS
    • Possible Holes in DBMS
      • Oracle: http:// (50+ listed)
        • Types of exploits
          • Buffer overflow problems in DBMS code
          • Miscellaneous attacks (Denial of Service, source code disclosure of JSPs, others)
      • Similar information available for DB2, SQL Server, PostgreSQL, MySQL, …
      • Oracle: UTL_FILE package in PL/SQL
        • allows read/write access to files in directory specified in utl_file_dir parameter in init.ora
        • possible access through symbolic links
  • Secure DBMS (cont.)
    • Need for continual patching of DBMS
      • Encourage awareness of DBMS vulnerability issues
      • Continuous vigilance is essential
      • Cost of not patching can be huge
        • SQL Slammer Worm
          • fast propagation – max scan rate of 55 million systems/second
          • affected approximately 80,000 systems, significant segments of Internet
          • 376 byte UDP packet that exploited a buffer overflow vulnerability
          • patch had long been available
          • significant effects on business database servers
            • Credit verification, Phone systems, Banks/ATMs
  • Secure DBMS (cont.)
    • Use security features of DBMS
      • Oracle: Virtual Private Databases (VPDs)
        • Support for fine-grain data security (e.g. multiple clients can have data in same schema without knowing other data is there)
      • Oracle: Oracle Label Security
        • Use of VPDs to achieve row-level security, controlled from Policy Manager tool under Enterprise Manager
    • Implement auditing
      • Good policy: develop a comprehensive audit system for database activity tracking
        • DBMS tools, user-developed tools (e.g. using triggers)
        • Oracle: can write to OS as well as into database for additional security, accountability for all working with databases
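The trigger-based auditing mentioned above, as an added example that is not part of the original presentation: Python with SQLite stands in for Oracle, the users_table/users_audit names and the scott row are constructed, and the triggers record who changed what without copying the secret itself into the log.

```python
import sqlite3

def make_audited_db():
    """Constructed schema: the slide's users_table plus an audit table that
    triggers fill on every insert, update and delete (SQLite trigger syntax;
    Oracle's PL/SQL triggers follow the same idea with different syntax)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users_table (username TEXT PRIMARY KEY, password TEXT);
        CREATE TABLE users_audit (
            id         INTEGER PRIMARY KEY,
            action     TEXT NOT NULL,             -- INSERT / UPDATE / DELETE
            username   TEXT NOT NULL,
            changed_at TEXT NOT NULL DEFAULT (datetime('now'))
        );
        -- One trigger per DML action; the application cannot skip these,
        -- so the trail exists even for changes made outside the application.
        CREATE TRIGGER audit_ins AFTER INSERT ON users_table BEGIN
            INSERT INTO users_audit(action, username) VALUES ('INSERT', NEW.username);
        END;
        CREATE TRIGGER audit_upd AFTER UPDATE ON users_table BEGIN
            INSERT INTO users_audit(action, username) VALUES ('UPDATE', NEW.username);
        END;
        CREATE TRIGGER audit_del AFTER DELETE ON users_table BEGIN
            INSERT INTO users_audit(action, username) VALUES ('DELETE', OLD.username);
        END;
    """)
    return con

def audit_trail(con):
    """Return (action, username) pairs in the order they were recorded."""
    return con.execute(
        "SELECT action, username FROM users_audit ORDER BY id").fetchall()

def demo():
    """Create, change and remove one account; return the resulting audit trail."""
    con = make_audited_db()
    con.execute("INSERT INTO users_table VALUES ('scott', 'tiger')")   # constructed row
    con.execute("UPDATE users_table SET password = 'changed' WHERE username = 'scott'")
    con.execute("DELETE FROM users_table WHERE username = 'scott'")
    trail = audit_trail(con)
    con.close()
    return trail

if __name__ == "__main__":
    for action, user in demo():
        print(action, user)
```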
  • Secure Application Development
    • Access to database system is often through applications
    • Example: SQL Injection Attack through web front end
      • Scenario: Software system tracks own usernames and passwords in database
      • Client application accepts username and password, passes as parameters
      • An SQL query is built dynamically, combining SQL text pieces in the server application and the client-supplied parameters
      • DBMS executes query on system user table, checks for valid user/password combination in this table
      • DBMS returns 0, 1 or more user/password rows to application
      • Application checks result and allows or denies access accordingly
  • SQL Injection
      • Application Java code contains SQL statement:
        • String query = "SELECT * FROM users_table" +
        •   " WHERE username = '" + username + "'" +
        •   " AND password = '" + password + "'";
        • - SQL strings must be single quoted
      • Application is expecting one (valid) row to be returned if success, no rows if failure
      • Attacker enters an arbitrary username, anyname, but a special “password” of: Aa' OR '' = '
      • Dynamically-constructed query becomes:
      • SELECT * FROM users_table
      • WHERE username = 'anyname'
      • AND password = 'Aa' OR '' = '';
      • WHERE clause: (F AND F) OR T => F OR T => T, because AND binds more tightly than OR
      • All user rows returned to application
      • If application checking for 0 vs. more than 0 rows, attacker is in
      • Need to check application input – generally not good to allow special characters in through client-side parameters
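The login bypass walked through above, as a runnable example added here (not code from the presentation): Python with an in-memory SQLite database stands in for the slide's Java/Oracle setup, the user rows are constructed, and safe_login uses a parameterised query, a different mitigation from the input filtering the slide recommends.

```python
import sqlite3

# Constructed sample rows standing in for the slide's users_table.
USERS = [("alice", "s3cret"), ("bob", "hunter2")]

def make_db():
    """Build an in-memory database holding the constructed users_table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users_table (username TEXT, password TEXT)")
    con.executemany("INSERT INTO users_table VALUES (?, ?)", USERS)
    return con

def build_query(username, password):
    """Same string concatenation as the slide's Java snippet: client input
    becomes part of the SQL text, so a quote in the input ends the literal."""
    return ("SELECT * FROM users_table WHERE username = '" + username
            + "' AND password = '" + password + "'")

def vulnerable_login(con, username, password):
    """Execute the concatenated query; returns every row the WHERE clause admits."""
    return con.execute(build_query(username, password)).fetchall()

def safe_login(con, username, password):
    """Parameterised query: values travel separately from the SQL text, so the
    attacker's quotes and OR are compared as data, never parsed as syntax."""
    sql = "SELECT * FROM users_table WHERE username = ? AND password = ?"
    return con.execute(sql, (username, password)).fetchall()

def count_rows(login_fn, username, password):
    """Number of rows a login function returns; the slide's app treats >0 as success."""
    con = make_db()
    try:
        return len(login_fn(con, username, password))
    finally:
        con.close()

if __name__ == "__main__":
    payload = "Aa' OR '' = '"          # the slide's special "password"
    print(build_query("anyname", payload))
    print(count_rows(vulnerable_login, "anyname", payload))  # every user row
    print(count_rows(safe_login, "anyname", payload))        # no such user
```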
  • Secure Application Development
    • Application Security in the Enterprise Environment
      • J2EE
      • .NET
      • Large number of interactions between application environment and database systems
    • Tactic: Use of Proxy Applications
      • Assume network filtering most problem traffic
      • Application can control fine-grain behavior, application protocol security
    • Security Patterns (from J2EE Design Patterns Applied)
      • Single-Access Point Pattern
        • single point of entry into system
      • Check Point Pattern
        • centralized enforcement of authorization when requesting resources
      • Role Pattern
        • disassociation of users and privileges for easier management
  • Secure Operating System
    • Interaction of DBMS and OS
      • Oracle on Windows
        • Secure administrative accounts
        • Control registry access
        • Need good account policies
        • Others…
      • Oracle on Linux/Unix
        • Choose different account names than standard suggestions
        • Restrict use of the account that owns Oracle software
        • Secure temporary directory
        • Some Oracle files are SUID (root)
        • Command line SQL*Plus with user/pass parameters appears under ps output
        • Others…
  • Secure Web Server
    • Interaction of Oracle and Web Server
    • Apache now provided within Oracle as its application server, started by default
    • Apache issues
      • Standard configuration has some potential problems
        • See Oracle Security Handbook for more discussion
      • Ensure secure communication from web clients to web server
      • Use MaxClients to limit possible connections, avoid Denial of Service attacks
      • Others…
    • Internet Information Server (IIS) issues
      • Integration with other MS products (e.g. Exchange Server)
      • Known vulnerabilities
      • Others…
  • Secure Web Server (cont.)
    • Web is often front-end / gateway to DBMS
    • DBMS/database should be black-box to user
    • Attacker can force errors trying to gain information
    • Which error message should be displayed when asking for an incorrectly named Java Server Page?
      • Not a verbose one like the following, which reveals an internal file path and server-side class and method names:
        Sorry, that file is not found /u01/prodcomm/portal/x.jsp at method) at at oracle.jsp.provider.JspFilesystemResource(…) at … .
  • Secure Network
    • Interaction of DBMS and Network
      • DBMS server should be behind firewall
        • Good to separate DB and web servers (mitigate losses if hacked)
        • DB server should be behind firewall, web server usually in DMZ
        • Oracle: Connections normally initiated on port 1521, but port is then dynamically selected – management of port access is made more difficult
          • Anyone with Oracle client software who knows your host IP/name and database instance name can configure client to connect to your database instance
      • Oracle Advanced Security (OAS) product
        • Features for:
          • Authentication
          • Integrity
          • Encryption – use of SSL
      • Other Network Issues To Consider
        • Possibility of hijacking a privileged user connection
        • Various sniffing and spoofing issues
  • Messages Revisited
    • Database system security is more than securing the database
      • Secure database
      • Secure DBMS
      • Secure applications
      • Secure operating system
      • Secure web server
      • Secure network environment
    • General security principles apply in database system security
      • Security is a process, not a product
      • Security chain is only as strong as its weakest link
      • Best security defense utilizes multiple layers
  • References
    • “Oracle Security Handbook” by Theriault and Newman; Osborne/Oracle Press, 2001.
    • “Oracle Database Administration: The Essential Reference”, Kreines and Laskey; O’Reilly, 1999.
    • “Investigation of Default Oracle Accounts”,
    • Again, slides and security links available at: