20131003 pizzasessie db-security


    1. Database Security
       Jelmer de Reus, Utrecht, 3 October 2013
    2. Overview
       • Introduction and relevance
       • Network ecosystem
       • Logs and traps
       • Incident & event management
       • Operating systems
       • Implementation
         • PostgreSQL
         • MySQL
    3. Introduction and relevance
       • Examples from security audits
       • Developments in attacks
         • Automated reconnaissance
         • Blind SQLi
         • Brute force
         • Pivoting
       • Developments in tools
         • Metasploit Framework
         • Fasttrack, SQLping
       • Database engines evolve along with them
    4. Network ecosystem: overview
       • Deployment in the network
       • Management access
       • Network services
       • Logging
       • Traffic analysis/IPS
    5. Network ecosystem: deployment differences
       Services
       • DB server
       • DB server + web server + ?
       Status
       • Proof-of-concept
       • OTA (development/test/acceptance)
       • Production
    6. Network ecosystem: deployment issues
       • Management VLAN (iDRAC/iLO)
       • Production VLAN
         • Private VLAN
         • Demilitarized zone
       • Firewalling
         • Minimal access
         • Logging on specific rules
         • IPS enabled where possible
         • Maintain/audit rules
    7. Network ecosystem: management VLAN
    8. Logs and traps: local vs remote logging issues
       Local logging
       • Log file protection
       • Log file capacity/rotation
       Remote issues
       • Where to?
       • Syslog
       • SNMP trap
    9. Logs and traps: log file protection, append-only file flags on FreeBSD (chflags)
       • chflags sappnd <path>/file.log
       • ls -lo <path>/file.log
       Enforcement against root users
       • Securelevel +1 (in single-user mode)
    10. Logs and traps: log file protection, append-only file flags on GNU/Linux (file attributes)
        • chattr +a <path>/file.log
        • lsattr <path>/file.log
        Enforcement against root users
        • ?
    11. Logs and traps: append-only file flags on GNU/Linux (DEMO)
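The flag checks from slides 9 and 10 turned into a small audit script, added here as an example and not part of the original deck: it reads the output of lsattr (GNU/Linux) or ls -lo (FreeBSD) and reports log files that are not append-only. It assumes the default output layout of those two commands; the sample lines are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the slides): find log files that lack the append-only
# flag, using the output of the commands shown on the slides (lsattr on
# GNU/Linux, ls -lo on FreeBSD). Input is read from stdin; the sample lines
# below are constructed, not captured from a real host.

# GNU/Linux: lsattr prints "<attributes> <path>"; a lowercase 'a' in the
# attribute field means append-only (set with `chattr +a`).
# Paths containing spaces are not handled by this simple awk split.
linux_missing_append_only() {
    awk '$1 !~ /a/ { print $2 }'
}

# FreeBSD: `ls -lo` shows the file flags in the 5th column ("-" when none are
# set). Only "sappnd" (system append-only, set with `chflags sappnd`) counts;
# "uappnd" is the user flag and can be cleared by the file owner.
freebsd_missing_sappnd() {
    awk '("," $5 ",") !~ /,sappnd,/ { print $NF }'
}

# Constructed sample output of `lsattr /var/log/...`.
LINUX_SAMPLE='-----a--------e---- /var/log/auth.log
--------------e---- /var/log/syslog
--------------e---- /var/log/mysql/error.log'

# Constructed sample output of `ls -lo /var/log/...`.
FREEBSD_SAMPLE='-rw-------  1 root  wheel  sappnd  4096 Oct  3 12:00 /var/log/auth.log
-rw-r--r--  1 root  wheel  -       8192 Oct  3 12:00 /var/log/messages
-rw-r--r--  1 root  wheel  uappnd  1024 Oct  3 12:00 /var/log/pgsql.log'

echo "GNU/Linux log files without the append-only attribute:"
printf '%s\n' "$LINUX_SAMPLE" | linux_missing_append_only
echo "FreeBSD log files without the sappnd flag:"
printf '%s\n' "$FREEBSD_SAMPLE" | freebsd_missing_sappnd
```

On GNU/Linux a root process holding CAP_LINUX_IMMUTABLE can clear the attribute again, so this check detects drift rather than enforcing the flag; on FreeBSD the securelevel from slide 9 is what makes sappnd stick against root.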
    12. Incident & event management: security incident & event management
        • Inputs
          • Host-based IDS
          • Network IDS
          • Syslog, SNMP trap
          • NetFlow
        • Correlation (SQLi -> id, priority, metadata -> event)
        • Management software
    13. Incident & event management: network IDS/IPS
        • Check Point IPS blade
        • Fortinet UTM IPS module
        • Juniper Mykonos Web Gateway
        • Snort IDS (FOSS)
        • Sourcefire (now: Cisco)
    14. Incident & event management: SIEM software
        • Tripwire
        • Check Point SmartEvent
        • McAfee ESM
        • AlienVault OSSIM (FOSS)
    15. Incident & event management: DEMO
    16. Incident & event management: SIEM links on the web
        Check Point SmartEvent
        • Event Correlation Software Blade: http://www.wickhill.com/products/vendors/product/412/Event-Correlation
        • SmartEvent Software Blade: http://rus.checkpoint.com/products/softwareblades/smartevent.html
        • Supported event sources: http://www.checkpoint.com/products/home_promo/popups/eventia_2005.html
        McAfee
        • DS SIEM / ESM device support: http://www.mcafee.com/cn/resources/data-sheets/ds-siem-device-support-matrix.pdf
        AlienVault OSSIM
        • How to configure network monitoring in VMware ESXi: https://alienvault.bloomfire.com/series/3643
        • Event Log Integration Guides: https://alienvault.bloomfire.com/series/3631
        • AlienVault Data Plugins - By Vendor: https://alienvault.bloomfire.com/series/3631/posts/596580
    17. Operating systems: operating system issues
        • Hardening
        • Administration
          • Patch management
          • Maintenance
        • Vendor support
        • Userland tools
    18. Operating systems: hardening (see also network ecosystem)
        • Only necessary services
        • No unnecessary open ports
        • Protect log files
        • Application/execution control
          • GNU/Linux: AppArmor, SELinux
          • FreeBSD: MAC / Capsicum
        • Tighten and monitor access
    19. Database implementation
        • Management access
        • Config files
        • Tablespaces
        • Authentication
        • Permissions
        • Role-based access control
    20. Database implementation: PostgreSQL, creating users and databases
    21. Database implementation: PostgreSQL users and privileges
    22. Database implementation: PostgreSQL config files
    23. Database implementation: PostgreSQL logs
    24. Database implementation: MySQL users and permissions (1)
        adminos@publicwww01:~$ mysql -u root -p
        …
        mysql> show databases;
        | information_schema |
        | concrete5db01 |
        | mysql |
        | performance_schema |
        mysql> use mysql;
        mysql> select * from user;
        ...
        | Host | User | Password | Select_priv | Insert_priv | Update_priv | Delete_priv | Create_priv | Drop_priv | Reload_priv | Shutdown_priv | Process_priv | File_priv | Grant_priv | References_priv | Index_priv | Alter_priv | Show_db_priv | Super_priv | Create_tmp_table_priv | Lock_tables_priv | Execute_priv | Repl_slave_priv | Repl_client_priv | Create_view_priv | Show_view_priv | Create_routine_priv | Alter_routine_priv | Create_user_priv | Event_priv | Trigger_priv | Create_tablespace_priv | ssl_type | ssl_cipher | x509_issuer | x509_subject | max_questions | max_updates | max_connections | max_user_connections | plugin | authentication_string
    25. Database implementation: MySQL users and permissions (2)
        mysql> select Host,User,Select_priv,Alter_priv,Insert_priv from user;
        +-------------------------+------------------+-------------+------------+-------------+
        | Host                    | User             | Select_priv | Alter_priv | Insert_priv |
        +-------------------------+------------------+-------------+------------+-------------+
        | localhost               | root             | Y           | Y          | Y           |
        | publicwww01.localdomain | root             | Y           | Y          | Y           |
        | 127.0.0.1               | root             | Y           | Y          | Y           |
        | ::1                     | root             | Y           | Y          | Y           |
        | localhost               | concrete5usr     | N           | N          | N           |
        | localhost               | debian-sys-maint | Y           | Y          | Y           |
        | localhost               | modxusr          | N           | N          | N           |
        | localhost               | modxusr03        | N           | N          | N           |
        +-------------------------+------------------+-------------+------------+-------------+
    26. Database implementation: MySQL users and permissions (3)
        mysql> show grants;
        +---------------------------------------------------------------------------------------------------+
        | Grants for root@localhost                                                                         |
        +---------------------------------------------------------------------------------------------------+
        | GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' IDENTIFIED BY PASSWORD 'ABCD' WITH GRANT OPTION |
        | GRANT PROXY ON ''@'' TO 'root'@'localhost' WITH GRANT OPTION                                      |
        +---------------------------------------------------------------------------------------------------+
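Two shell helpers, added here as an example and not part of the original deck, that turn the privilege table from the MySQL slides into audit findings: accounts holding any global (*.*) privilege in the listed columns, and accounts whose Host allows login from beyond loopback. They assume mysql's default ASCII table layout on stdin; the sample table is copied from the slide and is not live output.

```shell
#!/bin/sh
# Added example (not from the slides): audit helpers for the output of the
# "select Host,User,Select_priv,Alter_priv,Insert_priv from user" query shown
# on the slides. Input is mysql's default ASCII table on stdin: "+---+" border
# lines, a header row starting with "| Host |", then one row per account.

# Normalise the table to "user host privflags" lines, e.g. "root localhost YYY".
user_rows() {
    awk -F'|' '
        /^\+/ || $2 ~ /^ *Host *$/ { next }        # skip borders and header
        {
            host = $2; user = $3; flags = ""
            gsub(/^ +| +$/, "", host); gsub(/^ +| +$/, "", user)
            for (i = 4; i <= NF; i++) { f = $i; gsub(/ /, "", f); flags = flags f }
            print user, host, flags
        }'
}

# Accounts with a 'Y' in any listed privilege column: rights granted on *.*.
accounts_with_global_privs() { user_rows | awk '$3 ~ /Y/ { print $1 "@" $2 }'; }

# Accounts whose Host is not a loopback name, i.e. reachable over the network.
accounts_with_remote_host() {
    user_rows | awk '$2 != "localhost" && $2 != "127.0.0.1" && $2 != "::1" { print $1 "@" $2 }'
}

# Constructed sample, copied from the slide's table.
SAMPLE='+-------------------------+------------------+-------------+------------+-------------+
| Host                    | User             | Select_priv | Alter_priv | Insert_priv |
+-------------------------+------------------+-------------+------------+-------------+
| localhost               | root             | Y           | Y          | Y           |
| publicwww01.localdomain | root             | Y           | Y          | Y           |
| 127.0.0.1               | root             | Y           | Y          | Y           |
| ::1                     | root             | Y           | Y          | Y           |
| localhost               | concrete5usr     | N           | N          | N           |
| localhost               | debian-sys-maint | Y           | Y          | Y           |
| localhost               | modxusr          | N           | N          | N           |
| localhost               | modxusr03        | N           | N          | N           |
+-------------------------+------------------+-------------+------------+-------------+'

echo "Accounts with global privileges:"
printf '%s\n' "$SAMPLE" | accounts_with_global_privs
echo "Accounts reachable from a non-loopback host:"
printf '%s\n' "$SAMPLE" | accounts_with_remote_host
```

Application accounts such as concrete5usr in the slide show N in every global column; the helpers list the remaining accounts so each can be checked for whether it still needs *.* rights or a non-loopback Host.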
    27. Thank you for your time!
        • Questions?
