Percona Live - Dublin 02 security + tuning
•
0 likes•177 views
This document discusses best practices for securing MySQL databases. It covers topics like authentication, authorization, encryption, firewalls, auditing, password policies, and regulatory compliance. Specific techniques are presented for securing MySQL against common attacks like SQL injection and protecting sensitive data through encryption. The document also provides an overview of security features in MySQL like the firewall, audit log, and transparent data encryption.
More Related Content
What's hot
What's hot (20)
Similar to Percona Live - Dublin 02 security + tuning
Similar to Percona Live - Dublin 02 security + tuning (20)
More from Mark Swarbrick
More from Mark Swarbrick (19)
Recently uploaded
Recently uploaded (20)
Percona Live - Dublin 02 security + tuning
- 5. Copyright © 2014, Oracle and/or its affiliates. All rights reserved. | • Poor ConfiguraGons – Set controls and change default se_ng • Over Privileged Accounts – Privilege Policies • Weak Access Control – Dedicated AdministraGve Accounts • Weak AuthenGcaGon – Strong Password Enforcement • Weak AudiGng – Compliance & Audit Policies • Lack of EncrypGon – Data, Backup, & Network EncrypGon • Proper CredenGal & Key Management – Use mysql_config_editor , Key Vaults • Unsecured Backups – Encrypted Backups • No Monitoring – Security Monitoring, Users, Objects • Poorly Coded ApplicaGons – Database Firewall 5 Database VulnerabiliGes
- 6. Copyright © 2014, Oracle and/or its affiliates. All rights reserved. | Database Aiacks • SQL InjecGon – PrevenGon: DB Firewall, White List, Input ValidaGon • Buffer Overflow – PrevenGon: Frequently apply Database Solware updates, DB Firewall, White List, Input ValidaGon • Brute Force Aiack – PrevenGon: lock out accounts aler a defined number of incorrect aiempts. • Network Eavesdropping – PrevenGon: Require SSL/TLS for all ConnecGons and Transport • Malware – PrevenGon: Tight Access Controls, Limited Network IP access, Change default se_ngs, EncrypGon 6
- 7. Copyright © 2014, Oracle and/or its affiliates. All rights reserved. | Database Malicious AcGons • InformaGon Disclosure: Obtain credit card and other personal informaGon – Defense: EncrypGon – Data and Network, Tighter Access Controls • Denial of Service: Run resource intensive queries – Defense: Resource Usage Limits – Set various limits – Max ConnecGons, Sessions, Timeouts, … • ElevaGon of Privilege: Retrieve and use administrator credenGals – Defense: Stronger authenGcaGon, Access Controls, AudiGng • Spoofing: Retrieve and use other credenGals – Defense: Stronger account and password policies • Tampering: Change data in the database, Delete transacGon records • Defense: Tighter Access Controls, AudiGng, Monitoring, Backups 7
- 8. Copyright © 2014, Oracle and/or its affiliates. All rights reserved. | Regulatory Compliance • RegulaGons – PCI – DSS: Payment Card Data – HIPAA: Privacy of Health Data – Sarbanes Oxley: Accuracy of Financial Data – EU Data ProtecGon DirecGve: ProtecGon of Personal Data – Data ProtecGon Act (UK): ProtecGon of Personal Data • Requirements – ConGnuous Monitoring (Users, Schema, Backups, etc) – Data ProtecGon (EncrypGon, Privilege Management, etc.) – Data RetenGon (Backups, User AcGvity, etc.) – Data AudiGng (User acGvity, etc.) 8
- 9. Copyright © 2014, Oracle and/or its affiliates. All rights reserved. | PCI-DSS • Requirement 2: Secure ConfiguraGons, Security Se_ngs & Patching – Not Using Vendor Default Passwords and Security Se_ngs • Requirement 3: ProtecGng Cardholder Data – Strong Cryptography – Protect Stored Cardholder Data – Protect EncrypGon Keys • Requirement 6: Up to Date Patching and Secure Systems – Develop and Maintain Secure Systems and ApplicaGons • Requirement 7: User Access and AuthorizaGon – Restrict Access to Cardholder Data by Need to Know • Requirement 8: IdenGty and Access Management – IdenGfy and AuthenGcate Access to System Components • Requirement 10: Monitoring, Tracking and AudiGng – Track and Monitor Access to Cardholder Data 9 White Paper A Guide to MySQL and PCI Compliance
- 10. Copyright © 2014, Oracle and/or its affiliates. All rights reserved. | DBA ResponsibiliGes • Ensure only users who should get access, can get access • Limit what users and applicaGons can do • Limit from where users and applicaGons can access data • Watch what is happening, and when it happened • Make sure to back things up securely • Minimize aiack surface • Ensure encrypGon keys are protected and managed
- 13. Copyright © 2014, Oracle and/or its affiliates. All rights reserved. | MySQL AuthorizaGon • AdministraGve Privileges • Database Privileges • Session Limits and Object Privileges • Fine grained controls over user privileges – CreaGng, altering and deleGng databases – CreaGng, altering and deleGng tables – Execute INSERT, SELECT, UPDATE, DELETE queries – Create, execute, or delete stored procedures and with what rights – Create or delete indexes 13 Security Privilege Management in MySQL Workbench
- 14. Copyright © 2014, Oracle and/or its affiliates. All rights reserved. | MySQL AuthenGcaGon • Built in AuthenGcaGon – user table stores users and encrypted passwords • X.509 – Server authenGcates client cerGficates • MySQL NaGve, SHA 256 Password plugin – NaGve uses SHA1 or plugin with SHA-256 hashing and per user salGng for user account passwords. • MySQL Enterprise AuthenGcaGon – Microsol AcGve Directory – Linux PAMs (Pluggable AuthenGcaGon Modules) • Support LDAP and more • Custom AuthenGcaGon 14
- 15. Copyright © 2014, Oracle and/or its affiliates. All rights reserved. | MySQL Password Policies • Accounts without Passwords – Assign passwords to all accounts to prevent unauthorized use • Password ValidaGon Plugin – Enforce Strong Passwords • Password ExpiraGon/RotaGon – Require users to reset their password • Account lockout (in v. 5.7) 15
- 16. Copyright © 2014, Oracle and/or its affiliates. All rights reserved. | MySQL EncrypGon • SSL/TLS EncrypGon – Between MySQL clients and Server – ReplicaGon: Between Master & Slave • Data EncrypGon – AES Encrypt/Decrypt • MySQL Enterprise TDE – Transparent Data Enc rypGon – Key Management (KMIP) 16 • MySQL Enterprise EncrypGon – Asymmetric Encrypt/Decrypt – Generate Public Key and Private Keys – Derive Session Keys – Digital Signatures • MySQL Enterprise Backup – AES Encrypt/Decrypt
- 19. Copyright © 2014, Oracle and/or its affiliates. All rights reserved. | Oracle ConfidenGal – Internal 19 MySQL Database Hardening User Management • Remove Extra Accounts • Grant Minimal Privileges • Audit users and privileges ConfiguraGon • Firewall • AudiGng and Logging • Limit Network Access • Monitor changes InstallaGon • Mysql_secure_installaGon • Keep MySQL up to date • MySQL Installer for Windows • Yum/Apt Repository Backups • Monitor Backups • Encrypt Backups EncrypGon • SSL/TLS for Secure ConnecGons • Data EncrypGon (AES, RSA) • TDE Passwords • Strong Password Policy • Hashing, ExpiraGon • Password ValidaGon Plugin
- 20. Copyright © 2014, Oracle and/or its affiliates. All rights reserved. | MySQL 5.7 Linux Packages - Security Improvements • Test/Demo database has been removed – Now in separate packages • Anonymous account creaGon is removed. • CreaGon of single root account – local host only • Default installaGon ensures encrypted communicaGon by default – AutomaGc generaGon of SSL/RSA Certs/Keys • For EE : At server startup if opGons Certs/Keys were not set • For CE : Through new mysql_ssl_rsa_setup uGlity • AutomaGc detecGon of SSL Certs/Keys 20 • Client aiempts secure TLS connecGon by default • Compile Gme restricGon over locaGon used for data import/export operaGons • Ensures locaGon has restricted access • Only mysql user and group • Supports disabling data import/export • Set secure-file-priv to empty string MySQL Installer for Windows includes various Security Setup and Hardening Steps
- 21. Copyright © 2014, Oracle and/or its affiliates. All rights reserved. | MySQL Enterprise EdiGon • MySQL Enterprise AuthenGcaGon – External AuthenGcaGon Modules • Microsol AD, Linux PAMs • MySQL Enterprise EncrypGon – Public/Private Key Cryptography – Asymmetric EncrypGon – Digital Signatures, Data ValidaGon • MySQL Enterprise Firewall – Block SQL InjecGon Aiacks – Intrusion DetecGon • MySQL Enterprise Audit – User AcGvity AudiGng, Regulatory Compliance 21 • MySQL Enterprise Monitor – Changes in Database ConfiguraGons, Users Permissions, Database Schema, Passwords • MySQL Enterprise Backup – Securing Backups, AES 256 encrypGon • MySQL Enterprise TDE – AES 256 encrypGon – Key Management
- 22. Copyright © 2014, Oracle and/or its affiliates. All rights reserved. | MySQL Enterprise Monitor • Enforce MySQL Security Best PracGces – IdenGfies VulnerabilGes – Assesses current setup against security hardening policies • Monitoring & AlerGng – User Monitoring – Password Monitoring – Schema Change Monitoring – Backup Monitoring – ConfiguraGon Management – ConfiguraGon Tuning Advice • Centralized User Management 22 "I definitely recommend the MySQL Enterprise Monitor to DBAs who don't have a ton of MySQL experience. It makes monitoring MySQL security, performance and availability very easy to understand and to act on.” Sandi Barr Sr. Solware Engineer Schneider Electric
- 23. Copyright © 2014, Oracle and/or its affiliates. All rights reserved. | MySQL Enterprise Firewall • Block SQL InjecGon Aiacks – Allow: SQL Statements that match Whitelist – Block: SQL statements that are not on Whitelist • Intrusion DetecGon System – Detect: SQL statements that are not on Whitelist • SQL Statements execute and alert administrators 23 Select *.* from employee where id=22 Select *.* from employee where id=22 or 1=1 Block ✖ Allow ✔ White List Applica6ons Detect & Alert Intrusion DetecGon
- 24. Copyright © 2014, Oracle and/or its affiliates. All rights reserved. | MySQL Enterprise AuthenGcaGon 24 • Integrate with Centralized AuthenGcaGon Infrastructure – Centralized Account Management – Password Policy Management – Groups & Roles • PAM (Pluggable AuthenGcaGon Modules) – Standard interface (Unix, LDAP, Kerberos, others) – Windows • Access naGve Windows service - Use to AuthenGcate users using Windows AcGve Directory or to a naGve host Integrates MySQL with exisGng security infrastructures
- 25. Copyright © 2014, Oracle and/or its affiliates. All rights reserved. | MySQL Enterprise EncrypGon • MySQL encrypGon funcGons – Symmetric encrypGon AES256 (All EdiGons) – Public-key / asymmetric cryptography – RSA • Key management funcGons – Generate public and private keys – Key exchange methods: DH • Sign and verify data funcGons – Cryptographic hashing for digital signing, verificaGon, & validaGon – RSA,DSA 25
- 26. Copyright © 2014, Oracle and/or its affiliates. All rights reserved. | Database AudiGng • “Trust but verify" approach to security – Ensure users with strong privileges don’t misuse those privileges • Business Audit – Data Validity – Here’s proof my database data is accurate/correct – Prove no tampering to data has occurred • Forensic analysis – as a component of any defense-in-depth strategy – ProacGve - Am being / Was hacked – ReacGve – How were we hacked, what was changed, taken, etc. 26 Maintaining an audit trail is an essenGal security best pracGce
- 27. Copyright © 2014, Oracle and/or its affiliates. All rights reserved. | MySQL Enterprise Audit • Out-of-the-box logging of connecGons, logins, and query • Simple to fine grained policies for filtering, and log rotaGon • Dynamically enabled, disabled: no server restart • XML-based audit stream – Send data to a remote server / audit data vault • Oracle Audit Vault • Splunk, etc. 27 Adds “regulatory compliance” to MySQL applicaGons (HIPAA, Sarbanes-Oxley, PCI, etc.)
- 28. Copyright © 2014, Oracle and/or its affiliates. All rights reserved. | MySQL Enterprise Backup • Online Backup for InnoDB (scriptable interface) • Full, Incremental, ParGal Backups (with compression) • Strong EncrypGon (AES 256) • Point in Time, Full, ParGal Recovery opGons • Metadata on status, progress, history • Scales – High Performance/Unlimited Database Size • Windows, Linux, Unix • CerGfied with Oracle Secure Backup, NetBackup, Tivoli, others 28
- 32. Copyright © 2014, Oracle and/or its affiliates. All rights reserved. | Hardware: The Perfect MySQL Server • The more cores the beier (especially for 5.5 and later) • x86_64 - 64 bit for more memory is important – The more the beier • Fast HD (10-15k RPM SATA) or NAS/SAN…… – RAID 10 for most, RAID 5 OK if very read intensive – Hardware RAID baiery backed up cache criGcal! – More disks are always beier! - 4+ recommended, 8-16 can increase IO • …Or SSD (for higher throughput) – Intel, Fusion-IO good choices; good opGon for Slaves • At least 2 x NICs for redundancy • Slaves should be as powerful as the Master
- 33. Copyright © 2014, Oracle and/or its affiliates. All rights reserved. | The World s Most Popular Open Source DatabaseCopyright 2010 Oracle Schemas • Size = performance, smaller is beier – Size right! Do not automaGcally use 255 for VARCHAR • Temp tables, most caches, expand to full size • Use procedure analyse to determine the opGmal types given the values in your table – hip://dev.mysql.com/doc/refman/5.1/en/procedure-analyse.html – mysql> select * from tab procedure analyse (64,2000) G • Consider the types: – enum : hip://dev.mysql.com/doc/refman/5.1/en/enum.html – set : hip://dev.mysql.com/doc/refman/5.1/en/set.html • Compress large strings – Use the MySQL COMPRESS and UNCOMPRESS funcGons
- 34. Copyright © 2014, Oracle and/or its affiliates. All rights reserved. | The World s Most Popular Open Source DatabaseCopyright 2010 Oracle Innodb tuning InnoDB Buffer Size InnoDB Log size Query Cache Tmpdir / datadir MyISAM
- 35. Copyright © 2014, Oracle and/or its affiliates. All rights reserved. | MySQL Performance Schema • IdenGfy performance boilenecks • IdenGfy problemaGc queries • Get real Gme insight into locks • See exactly what is happening within MySQL • Get real Gme insight into MySQL internals • Get real Gme insight into query execuGons 35 mysql> select * from host_summary_by_stages; +------+--------------------------------+-------+-----------+-----------+ | host | event_name | total | wait_sum | wait_avg | +------+--------------------------------+-------+-----------+-----------+ | hal | stage/sql/Opening tables | 889 | 1.97 ms | 2.22 us | | hal | stage/sql/Creating sort index | 4 | 1.79 ms | 446.30 us | | hal | stage/sql/init | 10 | 312.27 us | 31.23 us | | hal | stage/sql/checking permissions | 10 | 300.62 us | 30.06 us | | hal | stage/sql/freeing items | 5 | 85.89 us | 17.18 us | | hal | stage/sql/statistics | 5 | 79.15 us | 15.83 us | | hal | stage/sql/preparing | 5 | 69.12 us | 13.82 us | | hal | stage/sql/optimizing | 5 | 53.11 us | 10.62 us | | hal | stage/sql/Sending data | 5 | 44.66 us | 8.93 us | | hal | stage/sql/closing tables | 5 | 37.54 us | 7.51 us | | hal | stage/sql/System lock | 5 | 34.28 us | 6.86 us | | hal | stage/sql/query end | 5 | 24.37 us | 4.87 us | | hal | stage/sql/end | 5 | 8.60 us | 1.72 us | | hal | stage/sql/Sorting result | 5 | 8.33 us | 1.67 us | | hal | stage/sql/executing | 5 | 5.37 us | 1.07 us | | hal | stage/sql/cleaning up | 5 | 4.60 us | 919.00 ns | +------+--------------------------------+-------+-----------+-----------+