2016 oSC MySQL Firewall

MySQL Firewall is an application level firewall filter that intercepts incoming queries and validates them against a database of normalized "safe" queries.
As an integral part of the server, it takes advantage of the parsing and normalization that is done anyway, so it has minimal impact on normal operations.
The firewall has multiple modes. In learning mode it collects the normalized form of each incoming query in a scratchpad that can be persisted to disk. In alert mode it only alerts the DBA about an unknown query but still lets it pass.
And in protecting mode it will reject all unknown queries.
The firewall can be used to limit SQL injection or as a complement to the privilege system to support only particular front end applications.
We will go through all of the stages of installing, training and arming the MySQL firewall with understandable examples.

1. MySQL Firewall: Add an extra layer of security to your database server
   Georgi “Joro” Kodinov, MySQL Server General Team Lead
   Copyright © 2016, Oracle and/or its affiliates. All rights reserved.

2. Georgi “Joro” Kodinov, MySQL @ Oracle
   • Server General Team Lead
   • Works on MySQL since 2006
   • Specializes in: security, client/server protocol, monitoring
   • Loves history, diverse world cultures
   • A devoted Formula 1 fan (Go, Massa!)

3. Agenda
   • Why a MySQL Firewall?
   • Firewall Architecture
   • Installation and setup
   • Operation
   • Q&A

4. Why a MySQL Firewall?

5. Simple! Make SQL injection attacks harder!

6. “And it wouldn’t be a proper DBIR if we didn’t raise a glass to one of the elder statesmen of web application hacking, SQL injection (SQLi)” – http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/

7. Why a MySQL Firewall? Other reasons
   • Better SQL application security: user accounts can execute only application SQL
   • Defense in depth: an extra layer that works with the other methods
   • Minimum performance cost: takes advantage of the server’s SQL processor
   • No need for application changes: works inside the server

8. Exploits of a Mom (https://xkcd.com/327/)

9. MySQL Firewall Architecture
10. MySQL Firewall Anatomy
    Firewall Plugin, holding cached rules such as SELECT ?+? and USE ?
    Engine:
    • Compares incoming queries with the allowed list
    • Works on normalized statements
    • Multiple modes
    • Audit API plugin
    Statements Cache:
    • Entirely in memory
    • Initialized from disk
    • Content visible through INFORMATION_SCHEMA

11. MySQL Firewall Operation (diagram)
    The client sends SELECT 1+2 to the MySQL Server. The Firewall Plugin normalizes it to SELECT ?+?, finds that shape among the cached rules (SELECT ?+?, USE ?) and lets it through. A statement such as SELECT 1+2 OR .. normalizes to a different shape, is not in the list, and is denied.

12. MySQL Firewall Operation Diagram
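An added illustration of the normalize-and-match engine from slides 10 and 11 (my own model, not Oracle's code): literals are replaced by ? before the statement shape is compared with the account's allow list, and the counters mirror the Firewall_* status variables shown later in the deck. The regex normalizer is an assumption standing in for the server's SQL parser; the DETECTING (log-only) mode name comes from the MySQL 5.7 documentation rather than from this deck.

```python
import re
from collections import Counter

# Added illustration of the engine on slides 10-11, not the server's code: the
# real firewall normalizes with the SQL parser; this regex approximation only
# replaces string and numeric literals with '?' and collapses whitespace.
_LITERAL = re.compile(r"'(?:[^'\\]|\\.)*'|\"(?:[^\"\\]|\\.)*\"|\b\d+(?:\.\d+)?\b")

def normalize(sql: str) -> str:
    return " ".join(_LITERAL.sub("?", sql.strip().rstrip(";")).split())

class Firewall:
    def __init__(self):
        self.rules = {}          # userhost -> set of normalized statements
        self.mode = {}           # userhost -> OFF | RECORDING | PROTECTING | DETECTING
        self.status = Counter()  # mirrors the Firewall_* status variables of slide 22

    def set_mode(self, userhost, mode):
        self.mode[userhost] = mode
        self.rules.setdefault(userhost, set())

    def check(self, userhost, sql):
        """True if the statement may run, False if the firewall blocks it."""
        rule, mode = normalize(sql), self.mode.get(userhost, "OFF")
        if mode == "OFF":
            return True
        if mode == "RECORDING":        # learn the shape, always let it through
            self.rules[userhost].add(rule)
            self.status["Firewall_cached_entries"] = sum(map(len, self.rules.values()))
            return True
        if rule in self.rules[userhost]:
            self.status["Firewall_access_granted"] += 1
            return True
        if mode == "DETECTING":        # log-only: count as suspicious, let it pass
            self.status["Firewall_access_suspicious"] += 1
            return True
        self.status["Firewall_access_denied"] += 1   # PROTECTING
        return False

def demo():
    """Replay the WordPress case study: record one query shape, then protect."""
    fw, user = Firewall(), "wordpress@localhost"
    fw.set_mode(user, "RECORDING")
    fw.check(user, "SELECT * FROM wp_users WHERE user_email = 'test@test.com'")
    fw.set_mode(user, "PROTECTING")
    same_shape = fw.check(user, "SELECT * FROM wp_users WHERE user_email = 'o@example.org'")
    tautology = fw.check(user, "SELECT * FROM wp_users WHERE user_email = 'x' OR 1=1")
    return same_shape, tautology, dict(fw.status)
```

The second lookup passes because only the literal changed, while the tautology form has extra tokens after normalization and so never matches a recorded rule.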
13. Installing The MySQL Firewall

14. (Slide content is an image not captured in this transcript)

15. Installing the MySQL Firewall: the command line version
    $ mysql -u root -p mysql < linux_install_firewall.sql
    mysql> SHOW GLOBAL VARIABLES LIKE 'mysql_firewall_mode';
    +---------------------+-------+
    | Variable_name       | Value |
    +---------------------+-------+
    | mysql_firewall_mode | ON    |
    +---------------------+-------+
16. Operating the MySQL Firewall
    Case study: adding firewall protection to a WordPress installation

17. Step 1: Install WordPress
    • Stock WordPress on apache2
    • Uses the default wordpress@localhost MySQL account
    • Runs against a local MySQL server
    • MySQL server seeded with a user and a schema for WordPress
    • WordPress installation done with defaults

18. Step 2: Put the Firewall Into Recording Mode
    • Command line:
      $ mysql -u root -p -e "CALL mysql.sp_set_firewall_mode('wordpress@localhost', 'RECORDING');"
    • Workbench

19. Step 3: Accumulate White List Actions
    • The non-trivial part!
    • Click through all of the WordPress sequences that you want to be enabled; this will generate the queries
    • I have only clicked through saving a draft of a post

20. Step 4: Inspect The Accumulated Rules

21. Step 5: Shields Up! Switch To Protecting Mode
    mysql> CALL mysql.sp_set_firewall_mode('wordpress@localhost', 'PROTECTING');
    Query OK, 63 rows affected (0,00 sec)

22. Step 6: Watch The Show!
    mysql> show status like '%firewall%';
    +----------------------------+-------+
    | Variable_name              | Value |
    +----------------------------+-------+
    | Firewall_access_denied     | 50    |
    | Firewall_access_granted    | 664   |
    | Firewall_access_suspicious | 0     |
    | Firewall_cached_entries    | 63    |
    +----------------------------+-------+
    4 rows in set (0,01 sec)

    mysql> show status like '%firewall%';
    +----------------------------+-------+
    | Variable_name              | Value |
    +----------------------------+-------+
    | Firewall_access_denied     | 57    |
    | Firewall_access_granted    | 706   |
    | Firewall_access_suspicious | 0     |
    | Firewall_cached_entries    | 63    |
    +----------------------------+-------+
    4 rows in set (0,00 sec)

    mysql> show status like '%firewall%';
    +----------------------------+-------+
    | Variable_name              | Value |
    +----------------------------+-------+
    | Firewall_access_denied     | 67    |
    | Firewall_access_granted    | 782   |
    | Firewall_access_suspicious | 0     |
    | Firewall_cached_entries    | 63    |
    +----------------------------+-------+
    4 rows in set (0,00 sec)
23. What Does the Application Get?
    • $ client/mysql -u wordpress --protocol=tcp -p -e "select version()"
      ERROR 1045 (28000) at line 1: Statement was blocked by Firewall
    • [Mon Jun 20 13:23:00.091246 2016] [:error] [pid 31596] [client 127.0.0.1:40226] WordPress database error Statement was blocked by Firewall for query SELECT * FROM wp_users WHERE user_email = 'test@test.com' made by edit_user, email_exists, get_user_by, WP_User::get_data_by, referer: http://localhost/blog/wp-admin/user-new.php
    • [Mon Jun 20 13:23:00.094753 2016] [:error] [pid 31596] [client 127.0.0.1:40226] WordPress database error Statement was blocked by Firewall for query SELECT * FROM wp_users WHERE user_email = 'test@test.com' made by edit_user, wp_insert_user, email_exists, get_user_by, WP_User::get_data_by, referer: http://localhost/blog/wp-admin/user-new.php
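The apache error_log lines on slide 23 are the signal a DBA needs in order to find which WordPress sequence was never clicked through in Step 3. This added triage script (my own, not part of the deck) parses those lines and groups blocked statements by referer page and entry-point function; the regex is an assumption fitted to the two lines shown, and the sample log is constructed.

```python
import re
from collections import defaultdict

# Matches the apache error_log lines WordPress writes when the MySQL firewall
# rejects a statement (format as shown on slide 23; the regex is an assumption).
_BLOCKED = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[:error\] \[pid (?P<pid>\d+)\] \[client (?P<client>[^\]]+)\] "
    r"WordPress database error Statement was blocked by Firewall for query "
    r"(?P<query>.+?) made by (?P<callers>.+?), referer: (?P<referer>\S+)$"
)

def parse_blocked(lines):
    """Yield one dict per firewall-blocked statement; other log lines are skipped."""
    for line in lines:
        m = _BLOCKED.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["callers"] = [c.strip() for c in ev["callers"].split(",")]
            yield ev

def missed_sequences(lines):
    """Group blocks by (referer page, outermost caller) so the DBA can see which
    WordPress action still has to be recorded before PROTECTING mode is safe."""
    report = defaultdict(lambda: {"count": 0, "queries": set()})
    for ev in parse_blocked(lines):
        key = (ev["referer"], ev["callers"][0])
        report[key]["count"] += 1
        report[key]["queries"].add(ev["query"])
    return dict(report)

# Constructed sample: the two lines from the deck plus an unrelated PHP notice.
SAMPLE_LOG = """\
[Mon Jun 20 13:23:00.091246 2016] [:error] [pid 31596] [client 127.0.0.1:40226] WordPress database error Statement was blocked by Firewall for query SELECT * FROM wp_users WHERE user_email = 'test@test.com' made by edit_user, email_exists, get_user_by, WP_User::get_data_by, referer: http://localhost/blog/wp-admin/user-new.php
[Mon Jun 20 13:23:00.094753 2016] [:error] [pid 31596] [client 127.0.0.1:40226] WordPress database error Statement was blocked by Firewall for query SELECT * FROM wp_users WHERE user_email = 'test@test.com' made by edit_user, wp_insert_user, email_exists, get_user_by, WP_User::get_data_by, referer: http://localhost/blog/wp-admin/user-new.php
[Mon Jun 20 13:25:10.000000 2016] [:error] [pid 31596] [client 127.0.0.1:40230] PHP Notice: unrelated message
""".splitlines()

if __name__ == "__main__":
    for (referer, entry), info in missed_sequences(SAMPLE_LOG).items():
        print(f"{info['count']:3d} blocked  {entry:<16} {referer}")
```

Each reported (referer, entry function) pair points at one admin action to replay in RECORDING mode; the set of distinct queries shows how many rules that replay should add.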
24. MySQL Firewall Operation: What Else?
    • Can log suspicious queries (not in the whitelist) instead of, or in addition to, blocking
    • The mysql.mysql_firewall_* tables are not special tables: the firewall just reads them at installation time, and the stored programs write the INFORMATION_SCHEMA tables into them
    • Can reset the stats: mysql_firewall_flush_status() resets the status variables
    • Can manipulate rule-sets: aggregate, prune, edit etc.

25. Questions And Answers

26. Safe Harbor Statement
    The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
freshdaz, Jun. 27, 2016
