Database Security in an Enterprise Environment (PPT) - Computer ...

1. Database Systems Security in an Enterprise Environment
   Paul J. Wagner, University of Wisconsin – Eau Claire
   St. Cloud Security Workshop, May 2003
   http://www.cs.uwec.edu/~wagnerpj/security/
2. Database Systems Security – Background
   - Need
     - Security curriculum is relatively light in the database systems area
       - Focus currently on protecting information through network configuration, systems administration, application security
       - Need to specifically consider database system security issues
     - What is most valuable – data, systems, or network?
   - Goals
     - Understand security issues in a general database system environment
     - Consider database security issues in the context of general security principles and ideas
     - Focus on Oracle as a common DBMS, but realize there are similar issues for other DBMSs
3. Main Message
   - Database system security is more than securing the database
     - Secure database
     - Secure DBMS
     - Secure applications
     - Secure operating system (in relation to database system)
     - Secure web server (in relation to database system)
     - Secure network environment (in relation to database system)
4. Secure Database(s)
   - Traditional database security topics and issues
     - Users and Passwords
       - Default users/passwords
         - Oracle: sys, system accounts – privileged, with default passwords
         - Oracle: scott account – well-known account and password, part of public group
           - e.g. public can access the all_users table
       - Need for general password policies (length, domain, changing, protection, …)
       - Need for general account policies (who gets one, what level of privilege, when it expires, …)
5. Secure Database(s) – cont.
     - Privileges and Roles
       - Privileges
         - System – on actions (e.g. selecting, deleting, creating, …)
         - Object – on data objects (e.g. on a particular table)
       - Roles
         - Collections of system privileges
         - Advantage: easier management
         - Disadvantage: tend to give more privilege than needed
           - Commonly heard Oracle user request: “Just give me the DBA role to make it work and we’ll figure out the exact privilege I need later.”
       - Grant / Revoke
         - Giving (removing) privileges or roles to (from) users
         - Problem – often done haphazardly
       - Need for continual management of privileges and roles
       - Need for policies on privilege/role management
6. Secure DBMS
   - Possible Holes in DBMS
     - Oracle: http://technet.oracle.com/deploy/security/alerts.htm (50+ listed)
       - Types of exploits
         - Buffer overflow problems in DBMS code
         - Miscellaneous attacks (Denial of Service, source code disclosure of JSPs, others)
     - Similar information available for DB2, SQL Server, PostgreSQL, MySQL, …
     - Oracle: UTL_FILE package in PL/SQL
       - allows read/write access to files in the directory specified by the utl_file_dir parameter in init.ora
       - possible access through symbolic links
7. Secure DBMS (cont.)
   - Need for continual patching of DBMS
     - Encourage awareness of DBMS vulnerability issues
     - Continuous vigilance is essential
     - Cost of not patching can be huge
       - SQL Slammer Worm
         - fast propagation – max scan rate of 55 million systems/second
         - affected approximately 80,000 systems, significant segments of the Internet
         - 376 byte UDP packet that exploited a buffer overflow vulnerability
         - patch had long been available
         - significant effects on business database servers
           - Credit verification, Phone systems, Banks/ATMs
8. Secure DBMS (cont.)
   - Use security features of DBMS
     - Oracle: Virtual Private Databases (VPDs)
       - Support for fine-grain data security (e.g. multiple clients can have data in the same schema without knowing other data is there)
     - Oracle: Oracle Label Security
       - Use of VPDs to achieve row-level security, controlled from the Policy Manager tool under Enterprise Manager
   - Implement auditing
     - Good policy: develop a comprehensive audit system for database activity tracking
       - DBMS tools, user-developed tools (e.g. using triggers)
       - Oracle: can write to the OS as well as into the database for additional security, accountability for all working with databases
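Added example, not from the deck: a user-developed audit trail of the kind the slide mentions, built with triggers so the DBMS records changes even when the application (or a direct SQL*Plus session) does not log them. It uses an in-memory SQLite table as a stand-in for an Oracle schema; the table and trigger names and the sample activity are constructed, and the escalation query flags the "just give me DBA" grants that slide 5 warns about.

```python
import sqlite3

def make_audited_db():
    """In-memory stand-in for an application schema with a trigger-based audit trail."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users_table (username TEXT PRIMARY KEY, privilege TEXT);
        -- Audit rows are written by the DBMS itself, so an application that
        -- forgets to log (or a direct SQL*Plus session) still leaves a record.
        CREATE TABLE users_audit (
            id INTEGER PRIMARY KEY,
            action TEXT, username TEXT, old_privilege TEXT, new_privilege TEXT,
            changed_at TEXT DEFAULT CURRENT_TIMESTAMP);
        CREATE TRIGGER audit_update AFTER UPDATE ON users_table
        BEGIN
            INSERT INTO users_audit (action, username, old_privilege, new_privilege)
            VALUES ('UPDATE', OLD.username, OLD.privilege, NEW.privilege);
        END;
        CREATE TRIGGER audit_delete AFTER DELETE ON users_table
        BEGIN
            INSERT INTO users_audit (action, username, old_privilege, new_privilege)
            VALUES ('DELETE', OLD.username, OLD.privilege, NULL);
        END;
    """)
    return conn

def audit_trail(conn):
    """Every recorded change, oldest first."""
    return conn.execute("SELECT action, username, old_privilege, new_privilege "
                        "FROM users_audit ORDER BY id").fetchall()

def privilege_escalations(conn):
    """Audit rows where an account was raised to DBA (slide 5's over-privileging problem)."""
    return conn.execute("SELECT username, old_privilege, new_privilege FROM users_audit "
                        "WHERE action = 'UPDATE' AND new_privilege = 'DBA' "
                        "AND old_privilege <> 'DBA' ORDER BY id").fetchall()

def run_demo():
    conn = make_audited_db()
    # Constructed sample activity (not from the deck): a well-known account is
    # raised to DBA and another account is dropped.
    conn.execute("INSERT INTO users_table VALUES ('scott', 'CONNECT')")
    conn.execute("INSERT INTO users_table VALUES ('alice', 'CONNECT')")
    conn.execute("UPDATE users_table SET privilege = 'DBA' WHERE username = 'scott'")
    conn.execute("DELETE FROM users_table WHERE username = 'alice'")
    return audit_trail(conn), privilege_escalations(conn)
```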
9. Secure Application Development
   - Access to the database system is often through applications
   - Example: SQL Injection Attack through web front end
     - Scenario: Software system tracks its own usernames and passwords in the database
     - Client application accepts username and password, passes them as parameters
     - An SQL query is built dynamically, combining SQL text pieces in the server application and the client-supplied parameters
     - DBMS executes the query on the system user table, checks for a valid user/password combination in this table
     - DBMS returns 0, 1 or more user/password rows to the application
     - Application checks the result and allows or denies access accordingly
10. SQL Injection
     - Application Java code contains the SQL statement:

         String query = "SELECT * FROM users_table " +
                        " WHERE username = " + "'" + username + "'" +
                        " AND password = " + "'" + password + "'";

       - SQL strings must be single quoted
     - Application is expecting one (valid) row to be returned on success, no rows on failure
     - Attacker enters an arbitrary username: anyname, but a special “password” of: Aa' OR '' = '
     - Dynamically-constructed query becomes:

         SELECT * FROM users_table
         WHERE username = 'anyname'
         AND password = 'Aa' OR '' = '';

     - Where clause: F AND F OR T => F OR T => T ! (AND binds more tightly than OR)
     - All user rows returned to application
     - If the application checks for 0 vs. more than 0 rows, the attacker is in
     - Need to check application input – generally not good to allow special characters in through client-side parameters
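Added example, not from the deck: the login check of slides 9 and 10 rendered in Python against an in-memory SQLite table standing in for users_table (constructed rows), with the slide's concatenated query beside a bind-variable version in which the quote inside the attacker's "password" is data rather than SQL. The table contents and the login_* function names are assumptions.

```python
import sqlite3

def make_db():
    """Constructed stand-in for the deck's users_table (not from the original)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_table (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users_table VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2"), ("carol", "pa55")])
    return conn

def login_vulnerable(conn, username, password):
    """Same construction as the slide's Java code: SQL text concatenated with raw input.
    Returns (access_granted, rows_returned)."""
    query = ("SELECT * FROM users_table WHERE username = '" + username +
             "' AND password = '" + password + "'")
    rows = conn.execute(query).fetchall()
    return len(rows) > 0, len(rows)   # 0 vs. more-than-0 check from slide 10

def login_parameterized(conn, username, password):
    """Bind variables: the DBMS receives the SQL text and the values separately,
    so the quote in the password can never change the WHERE clause."""
    query = "SELECT * FROM users_table WHERE username = ? AND password = ?"
    rows = conn.execute(query, (username, password)).fetchall()
    return len(rows) > 0, len(rows)

if __name__ == "__main__":
    db = make_db()
    payload = "Aa' OR '' = '"          # the slide's special "password"
    print("concatenated:", login_vulnerable(db, "anyname", payload))
    print("bind variables:", login_parameterized(db, "anyname", payload))
```

With the concatenated query the three constructed rows all come back and access is granted; with bind variables the same input returns no rows, while a correct username and password still returns exactly one row in both versions.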
11. Secure Application Development
   - Application Security in the Enterprise Environment
     - J2EE
     - .NET
     - Large number of interactions between the application environment and database systems
   - Tactic: Use of Proxy Applications
     - Assume the network filters most problem traffic
     - Application can control fine-grain behavior, application protocol security
   - Security Patterns (from J2EE Design Patterns Applied)
     - Single-Access Point Pattern
       - single point of entry into the system
     - Check Point Pattern
       - centralized enforcement of authorization when requesting resources
     - Role Pattern
       - disassociation of users and privileges for easier management
12. Secure Operating System
   - Interaction of DBMS and OS
     - Oracle on Windows
       - Secure administrative accounts
       - Control registry access
       - Need good account policies
       - Others…
     - Oracle on Linux/Unix
       - Choose different account names than the standard suggestions
       - Restrict use of the account that owns the Oracle software
       - Secure the temporary directory
       - Some Oracle files are SUID (root)
       - Command line SQL*Plus with user/pass parameters appears in ps output
       - Others…
13. Secure Web Server
   - Interaction of Oracle and Web Server
   - Apache now provided within Oracle as its application server, started by default
   - Apache issues
     - Standard configuration has some potential problems
       - See Oracle Security Handbook for more discussion
     - Ensure secure communication from web clients to web server
     - Use MaxClients to limit possible connections, avoid Denial of Service attacks
     - Others…
   - Internet Information Server (IIS) issues
     - Integration with other MS products (e.g. Exchange Server)
     - Known vulnerabilities
     - Others…
14. Secure Web Server (cont.)
   - Web is often the front-end / gateway to the DBMS
   - DBMS/database should be a black box to the user
   - Attacker can force errors trying to gain information
   - Which error message should be displayed when asking for an incorrectly named Java Server Page?

       Sorry, that file is not found

     or:

       java.io.FileNotFoundException: /u01/prodcomm/portal/x.jsp
           at java.io.FileInputStream.open(Native method)
           at java.io.FileInputStream.(FileInputStream.java:64)
           at oracle.jsp.provider.JspFilesystemResource(…)
           at oracle.jsp.app.JspAppLoader.reloadPage(JSPAppLoader.java)
           …
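Added example, not part of the deck: a Python stand-in for the JSP loader that returns the generic message to the client and keeps the stack trace in the server log under a reference id, plus a check for the kind of internal detail (exception names, the /u01 install path, Oracle class names) that the slide's second message exposes. PAGES, serve and leaks_internals are assumed names; the index.jsp entry is constructed.

```python
import logging
import traceback
import uuid

# Constructed stand-in for the JSP file system: only this page "exists".
PAGES = {"/u01/prodcomm/portal/index.jsp": "<html>portal</html>"}

def load_page(path):
    """Mimics the loader on the slide: a missing page raises FileNotFoundError."""
    if path not in PAGES:
        raise FileNotFoundError(path)
    return PAGES[path]

def serve(path, log=logging.getLogger("portal")):
    """Return (status, body) for the client; the detailed failure stays server-side."""
    try:
        return 200, load_page(path)
    except FileNotFoundError:
        ref = uuid.uuid4().hex[:8]   # correlation id so support can find the log entry
        log.error("ref=%s path=%s\n%s", ref, path, traceback.format_exc())
        return 404, "Sorry, that file is not found (ref %s)" % ref

def leaks_internals(body):
    """True if a response body carries the detail the slide's stack trace gave away."""
    markers = ("Exception", "/u01/", ".java:", "oracle.jsp")
    return any(m in body for m in markers)

if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    print(serve("/u01/prodcomm/portal/x.jsp"))
```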
15. Secure Network
   - Interaction of DBMS and Network
     - DBMS server should be behind a firewall
       - Good to separate DB and web servers (mitigate losses if hacked)
       - DB server should be behind the firewall, web server usually in the DMZ
       - Oracle: Connections normally initiated on port 1521, but the port is then dynamically selected – management of port access is made more difficult
         - Anyone with Oracle client software who knows your host IP/name and database instance name can configure the client to connect to your database instance
     - Oracle Advanced Security (OAS) product
       - Features for:
         - Authentication
         - Integrity
         - Encryption – use of SSL
     - Other Network Issues To Consider
       - Possibility of hijacking a privileged user connection
       - Various sniffing and spoofing issues
16. Messages Revisited
   - Database system security is more than securing the database
     - Secure database
     - Secure DBMS
     - Secure applications
     - Secure operating system
     - Secure web server
     - Secure network environment
   - General security principles apply in database system security
     - Security is a process, not a product
     - The security chain is only as strong as its weakest link
     - The best security defense utilizes multiple layers
17. References
   - “Oracle Security Handbook”, Theriault and Newman; Osborne/Oracle Press, 2001.
   - “Oracle Database Administration: The Essential Reference”, Kreines and Laskey; O’Reilly, 1999.
   - “Investigation of Default Oracle Accounts”, http://www.pentest-limited.com/user-tables.pdf
   - Again, slides and security links available at: http://www.cs.uwec.edu/~wagnerpj/security/
