• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
Database Systems Security
 

Database Systems Security

on

  • 15,322 views

Database Systems Security - Paul J. Wagner

Database Systems Security - Paul J. Wagner

Statistics

Views

Total Views
15,322
Views on SlideShare
14,881
Embed Views
441

Actions

Likes
14
Downloads
0
Comments
3

11 Embeds 441

http://www.academicafrica.org 257
http://www.secguru.com 86
http://www.auengineers.com 38
http://www.slideshare.net 29
http://auengineers.co.cc 21
http://www.auengineers.co.cc 4
http://auengineers.com 2
http://72.14.203.104 1
http://66.7.216.224 1
http://64.233.179.104 1
http://moodle.academicafrica.org 1
More...

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel

13 of 3 previous next Post a comment

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
  • you are great. i would like to learn more from you.I am a fresh DBA.
    Are you sure you want to
    Your message goes here
    Processing…
  • Impressive presentation of 'Database Systems Security'. You've shown your credibility on presentation with this slideshow. This one deserves thumbs up. I'm John, owner of www.freeringtones.ws/ . Hope to see more quality slides from you.

    Best wishes.
    Are you sure you want to
    Your message goes here
    Processing…
  • hey there,could you please mail this across to me,it will really help me for my function.thank you really much.
    Anisa
    http://financejedi.com http://healthjedi.com
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    Database Systems Security Database Systems Security Presentation Transcript

    • Database Systems Security Paul J. Wagner University of Wisconsin – Eau Claire
    • Database Systems Security – Background
      • Need
        • Security curriculum is relatively light in database systems area
          • Focus currently on protecting information through network configuration, systems administration, application security
          • Need to specifically consider database system security issues
      • Goals
        • Understand security issues in a specific Oracle environment and in a general database system environment
        • Consider database security issues in context of general security principles and ideas
    • Main Message
      • Database system security is more than securing the database
        • Secure database
        • Secure DBMS
        • Secure applications
        • Secure operating system in relation to database system
        • Secure web server in relation to database system
        • Secure network environment in relation to database system
    • Secure databases
      • Traditional database security topics and issues
        • Users, Passwords
          • Default users/passwords
            • sys, system accounts – privileged, with default passwords
            • scott account – well-known account and password, part of public group
              • e.g. public can access all_users table
            • general password policies (length, domain, changing, protection)
        • Privileges, Roles, Grant/Revoke
          • Privileges
            • System - actions
            • Objects – data
          • Roles
            • Collections of system privileges
          • Grant / Revoke
            • Giving (removing )privileges or roles to (from) users
    • Secure DBMS
      • Possible Holes in DBMS
        • http:// technet.oracle.com/deploy/security/alerts.htm (50+ listed)
        • Buffer overflow problems in DBMS code
        • Miscellaneous attacks (Denial of Service, source code disclosure of JSPs, others)
        • UTL_FILE package in PL/SQL
          • allows read/write access to files in directory specified in utl_file_dir parameter in init.ora
          • possible access through symbolic links
      • Need for continual patching of DBMS
        • Encourage awareness of issues, continuous vigilance
        • Cost of not patching
          • SQL Slammer Worm
    • Secure Application Development
      • Access to Oracle Database or Environment Through Applications
      • Example: SQL Injection Attack through Web Application
        • Application tracks own usernames and passwords in database
        • Client accepts username and password, passes as parameters
        • Application Java code contains SQL statement:
          • String query = "SELECT * FROM users_table " +
          • " WHERE username = " + " ‘ " + username + " ‘ " +
          • " AND password = " + " ‘ " + password + " ‘ " ;
        • Expecting one row to be returned if success, no rows if failure
        • Attacker enters any username, password of: Aa ‘ OR ‘ ‘ = ‘
        • Query becomes: SELECT * FROM users_table WHERE username = ‘anyname‘ AND password = ‘Aa‘ OR ‘ ‘ = ‘ ‘; // F or T => T
        • All user rows returned to application
        • If application checking for 0 vs. more than 0 rows, attacker is in
    • Secure Application Development
      • Application Security in the Enterprise Environment
        • J2EE
        • .NET
      • Use of Proxy Applications
        • Assume network filtering most evil traffic
        • Application can control fine-grain behavior, application protocol security
      • Security Patterns (from J2EE Design Patterns Applied)
        • Single-Access Point Pattern
          • single point of entry into system
        • Check Point Pattern
          • centralized enforcement of authentication and authorization
        • Role Pattern
          • disassociation of users and privileges
    • Secure Operating System
      • Interaction of Oracle and OS
        • Windows
          • Secure administrative accounts
          • Control registry access
          • Need good account policies
          • Others…
        • Linux/Unix
          • Choose different account names than standard suggestions
          • Restrict use of the account that owns Oracle software
          • Secure temporary directory
          • Some Oracle files are SUID (root)
          • Command line SQL*Plus with user/pass parameters appears under ps output
          • Others…
    • Secure Web Server
      • Interaction of Oracle and Web Server
      • Apache now provided within Oracle as its application server, started by default
      • Apache issues
        • Standard configuration has some potential problems
          • See Oracle Security Handbook for more discussion
        • Ensure secure communication from web clients to web server
        • Use MaxClients to limit possible connections
        • Others…
      • Internet Information Server (IIS) issues
        • Integration with other MS products (e.g. Exchange Server)
        • Known vulnerabilities
        • Others…
    • Secure Network
      • Interaction of Oracle and Network
        • Oracle Advanced Security (OAS) product
          • Features for:
            • Authentication
            • Integrity
            • Encryption – use of SSL
        • Oracle server generally behind firewall
          • Good to separate DB and web servers
          • Connections normally initiated on port 1521, but then dynamically selected
        • Other Network Issues To Consider
          • Possibility of hijacking a sys/sysmgr connection
          • Various sniffing and spoofing issues
    • Miscellaneous Issues
      • Newer Oracle Security Features
        • Virtual Private Databases (VPDs)
        • Oracle Label Security
      • Auditing
        • Good policy: develop a comprehensive audit system for database activity tracking
          • Can write to OS as well as into database for additional security, accountability for all working with databases
    • Lab Exercise
      • Overall Security Examination of Oracle in Networked Environment
        • 1) Database: Set up Oracle client, test known database for:
          • Privileged access through sys or system accounts
          • Public access through scott, other known/discovered usernames
        • 2) DBMS: Check for known vulnerabilities
          • Check overall system level, patch level
          • Test for specific problems from Oracle list
        • 3) Application:
          • Test for SQL Injection, other application weaknesses
        • Similar types of tasks for OS, Web Server, Network components
        • Task: develop summary report, including specifics for all areas
    • References
      • “ Oracle Security Handbook” by Theriault and Newman; Osborne/Oracle Press, 2001.
      • “ Oracle Database Administration: The Essential Reference”, Kreines and Laskey; O’Reilly, 1999.
      • “ Investigation of Default Oracle Accounts”, http://www.pentest-limited.com/user-tables.pdf