Magnus Hagander
PostgreSQL supports several options for securing communications when deployed outside the typical webserver/database combination. This talk will go into some details about the features that make this possible, with some extra focus on the changes in 8.4. The main areas discussed are:
* Securing the channel between client and server using SSL, including an overview of the threats and how to secure against them
* Securing the login process, using LDAP, Kerberos or SSL certificates, including the use of smartcards to log into the database
The talk will not focus on security and access control inside the database once the user is connected and authenticated.
The slides are from a one-hour talk introducing the various security mechanisms used in Postgres. It includes an overview of authentication, session encryption and high-performance querying techniques for asymmetric (public key) encrypted data using functional indexes. The talk was given at LinuxFest 2015 in Bellingham, Washington.
PostgresOpen 2013: A Comparison of PostgreSQL Encryption Options - Faisal Akber
Are you looking to encrypt your data within PostgreSQL? We will review the various options available for encrypting data with PostgreSQL. We will also look at various options available to employ encryption and review various configuration and performance for using encryption.
There are a number of options available when encrypting data with PostgreSQL. When determining the mechanisms to use, it is important to understand the data, the application and how it is being used. We will compare different methods of encrypting data in their feature-sets and performance.
We will try to answer the following questions: Where do I enable the encryption? Where is my data safe and where is it exposed? Why should I use the various encryption modules available?
Security Best Practices for your Postgres Deployment - PGConf APAC
These slides were used by Sameer Kumar of Ashnik for presenting his topic at pgDay Asia 2016. He took the audience through some of the security best practices for deploying and hardening PostgreSQL.
Basic concept of nginx, Apache vs Nginx, Nginx as load balancer, Nginx as reverse proxy, configuration of nginx as load balancer and reverse proxy.
Joined by Rick Nelson, Technical Solutions Architect from NGINX, Server Density take you through the do's and don'ts of monitoring NGINX: critical and non-critical metrics to monitor, important alerts to configure and the best monitoring tools available.
Learn how to load balance your applications following best practices with NGINX and NGINX Plus.
Join this webinar to learn:
- How to configure basic HTTP load balancing features
- The essential elements of load balancing: session persistence, health checks, and SSL termination
- How to load balance MySQL, DNS, and other common TCP/UDP applications
- How to have NGINX Plus automatically discover new service instances in an auto-scaling or microservices environment
Content caching is one of the most effective ways to dramatically improve the performance of a web site. In this webinar, we’ll deep-dive into NGINX’s caching abilities and investigate the architecture used, debugging techniques and advanced configuration. By the end of the webinar, you’ll be well equipped to configure NGINX to cache content exactly as you need.
View full webinar on demand at http://nginx.com/resources/webinars/content-caching-nginx/
A Performance Characterization of Postgres on Different Storage Systems - Dong Ye
Performance is an important factor when considering different storage systems for Postgres. In this talk we present detailed performance characteristics of a number of different storage systems, including Fibre Channel SAN, enterprise NAS, and local storage (SSD and SAS disks) behind a hardware RAID controller with battery-backed write cache. We look at both OLTP and OLAP workloads.
Presented at Postgres Open 2014
How To Set Up SQL Load Balancing with HAProxy - Slides - Severalnines
We continuously see great interest in MySQL load balancing and HAProxy, so we thought it was about time we organised a live webinar on the topic! Here is the replay of that webinar!
As most of you will know, database clusters and load balancing go hand in hand.
Once your data is distributed and replicated across multiple database nodes, a load balancing mechanism helps distribute database requests, and gives applications a single database endpoint to connect to.
Instance failures or maintenance operations like node additions/removals, reconfigurations or version upgrades can be masked behind a load balancer. This provides an efficient way of isolating changes in the database layer from the rest of the infrastructure.
In this webinar, we cover the concepts around the popular open-source HAProxy load balancer, and show you how to use it with your SQL-based database clusters. We also discuss HA strategies for HAProxy with Keepalived and Virtual IP.
Agenda:
* What is HAProxy?
* SQL Load balancing for MySQL
* Failure detection using MySQL health checks
* High Availability with Keepalived and Virtual IP
* Use cases: MySQL Cluster, Galera Cluster and MySQL Replication
* Alternative methods: Database drivers with inbuilt cluster support, MySQL proxy, MaxScale, ProxySQL
Load Balancing MySQL with HAProxy - Slides - Severalnines
Agenda:
* What is HAProxy?
* SQL Load balancing for MySQL
* Failure detection using MySQL health checks
* High Availability with Keepalived and Virtual IP
* Use cases: MySQL Cluster, Galera Cluster and MySQL Replication
* Alternative methods: Database drivers with inbuilt cluster support, MySQL proxy, MaxScale, ProxySQL
Presentation shows how ProxySQL can improve the HA in solution like MySQL async and sync replication without the need to increase the platform complexity.
October 14 2009 New York Web Performance Group Session.
Rusty Conover is talking about his experience at InfoGears building Content Delivery Network (CDN) on top of Amazon EC2
Rate Limiting with NGINX and NGINX Plus - NGINX, Inc.
On-demand recording: https://www.nginx.com/resources/webinars/rate-limiting-nginx/
Learn how to mitigate DDoS and password-guessing attacks by limiting the number of HTTP requests a user can make in a given period of time.
This webinar will teach you:
* How to protect application servers from being overwhelmed, by setting request limits
* About the burst and no-delay features for minimizing delay while handling large bursts of user requests
* How to use the map and geo blocks to impose different rate limits on different HTTP user requests
* About using the limit_req_log_level directive to set logging levels for rate-limiting events
About the webinar
A delay of even a few seconds for a screen to render is interpreted by many users as a breakdown in the experience. There are many reasons for these breakdowns in the user experience, one of which is DDoS attacks which tie up your system’s resources.
Rate limiting is a powerful feature of NGINX that can mitigate DDoS attacks, which would otherwise overload your servers and hinder application performance. In this webinar, we’ll cover basic concepts as well as advanced configuration. We will finish with a live demo that shows NGINX rate limiting in action.
This presentation explores a broad cross-section of enterprise Postgres deployments to identify key usage patterns and reveals important aspects of performance, scalability, and availability including:
* Challenges organizations encounter most frequently during the stages of database development, deployment and maintenance
* Tuning parameters used most frequently to improve performance of production databases
* Frequently problematic database maintenance processes and configuration parameters
* Most commonly-used database back-up and recovery strategies
Introduction to Vacuum Freezing and XID - PGConf APAC
These are the slides used by Masahiko Sawada of NTT, Japan for his presentation at pgDay Asia. He spoke about the internals of VACUUM and the XID wraparound issue in PostgreSQL.
PostgreSQL Portland Performance Practice Project - Database Test 2 Filesystem... - Mark Wong
Fifth presentation in a speaker series sponsored by the Portland State University Computer Science Department. The series covers PostgreSQL performance with an OLTP (on-line transaction processing) workload called Database Test 2 (DBT-2). This presentation goes through results of different hardware RAID configurations to show why it is important to test your own hardware: it might be performing in a way you don't expect.
The digital universe is huge and growing at a stellar rate, and with it grows the data generated every second. By 2020, there will be nearly as many digital bits as there are stars in the universe; that effectively means infinite, as per the reports published by IDC in 2014. InMobi has grown by leaps and bounds globally in the past few years, and that has caused the data here to grow exponentially. There are thousands of advertisers and publishers on the InMobi network; handling the OLTP (200-300 GB) and OLAP (14 TB) demands high availability and the best performance. To ensure the smoothness and 24/7 availability of our production database servers, we are using a lot of open source technologies to keep an eye on all the PostgreSQL servers running across different data centres. We have one of the biggest PostgreSQL master-slave streaming replication production setups, and it is very important for us to monitor the database performance, production traffic and some analytics on top of each and every database server @InMobi.
These slides were used by Bruce Momjian for the opening keynote at pgDay Asia. He spoke about how the PostgreSQL project and the database software itself have taken shape over the last few years. Bruce is a core community member and has been involved with PostgreSQL for about 20 years. He works at EnterpriseDB.
Josh Berkus
You've heard that PostgreSQL is the highest-performance transactional open source database, but you're not seeing it on YOUR server. In fact, your PostgreSQL application is kind of poky. What should you do? While doing advanced performance engineering for really high-end systems takes years to learn, you can learn the basics to solve performance issues for 80% of PostgreSQL installations in less than an hour. In this session, you will learn: -- The parts of database application performance -- The performance setup procedure -- Basic troubleshooting tools -- The 13 postgresql.conf settings you need to know -- Where to look for more information.
PostgreSQL Enterprise Class Features and Capabilities - PGConf APAC
These are the slides used by Venkar from Fujitsu for his presentation at pgDay Asia 2016. He spoke about some of the enterprise-class features of the PostgreSQL database.
Lessons PostgreSQL learned from commercial databases, and didn't - PGConf APAC
This is the ppt used by Illay for his presentation at pgDay Asia 2016 - "Lessons PostgreSQL learned from commercial databases, and didn't". The talk takes you through some of the things that PostgreSQL has done really well and some things that PostgreSQL can learn from other databases.
This ppt was used by Devrim at pgDay Asia 2017. He talked about some important facts about WAL - transaction logs or xlogs in PostgreSQL. Some of these can really come in handy on a bad day.
PostgreSQL is one of the most loved databases, and that is why AWS could not hold back from offering PostgreSQL as RDS. There are some really nice features in RDS which can be good for DBAs and inspiring for enterprises to build resilient solutions with PostgreSQL.
Past, Present, and Future Analysis of the Architectural & Engineering Design ... - Lisa Dehner
This report provides a macro view of the architectural and engineering design industry in the U.S. in order to understand strategies employed by both successful and unsuccessful firms over the past 50 years. It also evaluates technological trends that design firms must embrace in order to maintain a competitive edge moving forward into the future.
PgDay Asia 2016 - Security Best Practices for your Postgres Deployment - Ashnikbiz
Ashnik Database Solution Architect Sameer Kumar, an open source database evangelist, talked about "Security Best Practices for your Postgres Deployment" at the recent pgDay Asia event held in Singapore in March 2016.
Key areas he presented were:
- Security Model
- Security Features in Postgres
- Securing the access
- Avoiding common attacks
- Access Control and Securing data
- Logging and Auditing
- Patching – OS and PostgreSQL
SSL is an acronym for Secure Sockets Layer. It is a protocol used for authenticating and encrypting web traffic. For web traffic to be authenticated means that your browser is able to verify the identity of the remote server.
Training Slides: 302 - Securing Your Cluster With SSL - Continuent
Watch this 41min training session on how to secure your Tungsten Cluster with SSL, looking at internal cluster communications as well as how to deploy SSL for the Tungsten Connector. It all starts off with some background information on what SSL is all about.
TOPICS COVERED
- What is SSL?
- Deploying SSL for Cluster communications
- Deploying SSL for Tungsten Connector
Security is more critical than ever with new computing environments in the cloud and expanding access to the internet. There are a number of security protection mechanisms available for MongoDB to ensure you have a stable and secure architecture for your deployment. Dave Erickson will walk through general security threats to databases and specifically how they can be mitigated for MongoDB deployments. Rob Moore will then go into depth on the specific topic of setting up and running MongoDB with TLS/SSL and x.509 authentication covering how it works and common errors he's encountered in the field.
In the rush to release a new product, a new version or simply trying to get things working, security can sometimes be an afterthought. In this talk, Ben Bromhead, CTO of Instaclustr, will explore the various ways in which you can set up and secure Cassandra appropriately for your threat environment.
Security is often an afterthought; configured and applied at the last minute before rolling out a new system. Instaclustr has deployed Cassandra for customers with many different requirements.
From deployments in Heroku requiring total public access through to private data centres, we will walk you through securing Cassandra the right way.
SSL Checklist for Pentesters (BSides MCR 2014) - Jerome Smith
This presentation was made at BSides MCR 2014. It tackles the subject of SSL/TLS testing from the viewpoint of a penetration tester. It is a practical guide, broad in scope, focusing on pitfalls and how to check issues manually (as much as possible).
I already have updated material (including SNI and OCSP Stapling) for the next version. Look out for future content @exploresecurity and @NCCGroupInfosec.
If you think they are easy, you are (probably) doing them wrong. A presentation about issues with TLS and X.509 certificates for Tampere security people (TreSec, @TreSecCommunity) meetup on 21st of March 2018.
Using MCollective with Chef - cfgmgmtcamp.eu 2014 - Zachary Stevens
It's time to move beyond SSH for infrastructure management.
MCollective is an awesome orchestration framework.
Chef is an awesome configuration management tool.
Contrary to popular belief, they work great together.
Speaker notes available here: https://dl.dropboxusercontent.com/u/369373/cfgmgmtcamp.eu%202014%20-%20Chef%20%26%20MCollective.pdf
Howdah - An Application using Pylons, PostgreSQL, Simpycity and Exceptable - Command Prompt, Inc.
Aurynn Shaw
This mini-tutorial covers building a small application on Howdah, an open source, Python based web development framework by Commandprompt, Inc. We will cover the full process of designing a vertically coherent application on Howdah, integrating DB-level stored procedures, DB exception propagation through Exceptable, DB access through Simpycity, authentication through repoze.who, permissions through VerticallyChallenged, and application views through Pylons. By the end of the talk, we will have covered a full application built on The Stack, and how to cover common pitfalls in using Howdah components.
Scott Bailey
Few things we model in our databases are as complicated as time. The major database vendors have struggled for years with implementing the base data types to represent time. And the capabilities and functionality vary wildly among databases. Fortunately PostgreSQL has one of the best implementations out there. We will look at PostgreSQL's core functionality, discuss temporal extensions, modeling temporal data, time travel and bitemporal data.
Bruce Momjian
Pg_Migrator allows data to be transferred between major Postgres versions without a dump/restore. This talk explains the internal workings of pg_migrator and includes a pg_migrator demonstration.
Adrian Klaver
An exploration of various Python projects (PyRTF, ReportLab, xlwt) that help with presenting your data in formats (RTF, PDF, XLS) that other people want. I will step through a simple data extraction and conversion process using the above software to create an RTF, PDF and XLS file respectively.
PostgreSQL, Extensible to the Nth Degree: Functions, Languages, Types, Rules,... - Command Prompt, Inc.
Jeff Davis
I'll be showing how the extensible pieces of PostgreSQL fit together to give you the full power of native functionality -- including performance. These pieces, when combined, make PostgreSQL able to do almost anything you can imagine. A variety of add-ons have been very successful in PostgreSQL merely by using this extensibility. Examples in this talk will range from PostGIS (a GIS extension for PostgreSQL) to DBI-Link (manage any data source accessible via Perl DBI).
Jeff Davis
UNIQUE indexes have long held a unique position among constraints: they are the only way to express a constraint that two tuples in a table conflict without resorting to triggers and locks (which severely impact performance). But what if you want to impose the constraint that one person can't be in two places at the same time? In other words, you have a schedule, and you want to be sure that two periods of time for the same person do not overlap. This is nearly impossible to do efficiently with the current version of PostgreSQL -- and most other database systems. I will be presenting Generalized Index Constraints, which is being submitted for inclusion in the next PostgreSQL release, along with the PERIOD data type (available now from PgFoundry). I will show how these can, together, offer a fast, scalable, and highly concurrent solution to a very common business requirement. A business requirement is still a requirement even if your current database system can't do it!
Implementing the Future of PostgreSQL Clustering with Tungsten - Command Prompt, Inc.
Robert Hodges
Users have traditionally used database clusters to solve database availability and performance requirements. However, clustering requirements are changing as hardware improvements make performance concerns obsolete for many users. In this talk I will discuss how the Tungsten project uses master/slave replication, group communications, and rules processing to develop easy-to-manage database clusters that solve database availability, protect data, and address hardware utilization. Our implementation is based on existing PostgreSQL capabilities like Londiste and WAL shipping, which we eventually plan to replace with our own log-based replication. Come see the future of database clustering with Tungsten!
Josh Berkus
Most users know that PostgreSQL has a 23-year development history. But did you know that Postgres code is used for over a dozen other database systems? Thanks to our liberal licensing, many companies and open source projects over the years have taken the Postgres or PostgreSQL code, changed it, added things to it, and/or merged it into something else. Illustra, Truviso, Aster, Greenplum, and others have seen the value of Postgres not just as a database but as some darned good code they could use. We'll explore the lineage of these forks, and go into the details of some of the more interesting ones.
Joshua D. Drake
Are you tired of not having a real solution for PITR? Enter PITRTools, a single and secure solution for using Point In Time Recovery for PostgreSQL.
Selena Deckelmann
Bucardo is a mature replication system for PostgreSQL that supports asynchronous replication for both master-slave and multi-master systems. Originally designed for slow and unreliable networks, it has remarkable recovery ability, an easy to use command-line interface and development is active! Uses for Bucardo include: a slave read-only database, multi-master replication, data warehousing and just having fun moving your data around! Will include overview replication for PostgreSQL in general, a tour of features, a basic configuration walk through and the much feared live demo!
Matt Smiley
This is a basic primer aimed primarily at developers or DBAs new to Postgres. The format is a Q/A style tour with examples, based on common questions and pitfalls. Begin with a quick tour of relevant parts of the postgres catalog, with an aim to answer simple but important questions like:
How many rows does the optimizer think my table has?
When was it last analyzed?
Which other tables also have a column named "foo"?
How often is this index used?
Rod Anderson
For the small business support person, being able to provide PostgreSQL hosting for a small set of specific applications without having to build and support several Pg installations is necessary. By building a multi-tenant Pg cluster with one tenant per database and each application in its own schema, maintenance and support are much simpler. The issues that present themselves are how to provide and control DBA and user access to the database and how to get the applications into their own schema. With this comes the need to make logging in to the database (pg_hba.conf) as non-complex as possible.
Brent Friedman
- Three hour workshop format, 30 minutes or so on history, trends, quick review of normalization, 45 minutes on a normalization walk-through including everyone, then break into small teams (3-6 ppl) to do a 'normalization challenge' on a real world practical problem
Leo Hsu and Regina Obe
We'll demonstrate integrating PostGIS in both PHP and ASP.NET applications.
We'll demonstrate using the new PostGIS 1.5 geography offering to extend existing web applications with proximity analysis.
More advanced uses: displaying maps and stats using OpenLayers and WMS/WFS services, and rolling your own WFS-like service using the PostGIS KML/GML and/or GeoJSON output functions.
6. Authentication methods
● How do we determine who the user is
● When do we determine who the user is
7. pg_hba.conf
● Lets you use different auth methods from different clients
● Not just limited to username/password
● For convenience or security
● Internal or external
8. pg_hba.conf
local all all trust
host all all 127.0.0.1/32 trust
host webdb webuser 10.0.0.0/24 md5
host all @dba 192.168.0.0/24 gss
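As an added example (not code from the talk or from PostgreSQL), a small Python audit of pg_hba.conf records along the lines the slides argue for: it parses records like the four above and flags trust on network records (slide 10), plaintext passwords (slide 11), and plain host records that do not force SSL (slides 21-22). The sample records beyond the slide's four and the severities are constructed for illustration.

```python
"""Audit pg_hba.conf records against a small hardening policy.

Added example for the pg_hba.conf slide, not code from the talk or from PostgreSQL.
SAMPLE_HBA is the slide's four records plus two constructed lines; severities are assumptions.
"""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

# Methods whose check involves a password travelling from client to server in some
# form (slides 11-15); on a plain `host` record that session may be unencrypted.
PASSWORD_BASED = {"password", "md5", "scram-sha-256", "ldap", "radius", "pam"}

@dataclass
class Record:
    line_no: int
    conn_type: str      # local | host | hostssl | hostnossl
    database: str
    user: str
    address: str        # raw address column; '' for local records
    network: ipaddress.IPv4Network | ipaddress.IPv6Network | None  # None for hostnames/keywords
    method: str

@dataclass
class Finding:
    line_no: int
    code: str
    severity: str
    detail: str

def _looks_like_mask(tok: str) -> bool:
    return tok.count(".") == 3 and all(p.isdigit() for p in tok.split("."))

def parse_hba(text: str) -> list[Record]:
    """Parse pg_hba.conf text; accepts CIDR and 'address netmask' spellings."""
    records: list[Record] = []
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()          # strip comments and blanks
        if not fields:
            continue
        ctype = fields[0]
        if ctype == "local":
            if len(fields) < 4:
                raise ValueError(f"line {n}: local record needs db, user, method")
            records.append(Record(n, ctype, fields[1], fields[2], "", None, fields[3]))
        elif ctype in ("host", "hostssl", "hostnossl"):
            if len(fields) < 5:
                raise ValueError(f"line {n}: {ctype} record needs db, user, address, method")
            addr, mask, rest = fields[3], None, fields[4:]
            if "/" not in addr and rest and _looks_like_mask(rest[0]):
                mask, rest = rest[0], rest[1:]           # separate netmask column
            if not rest:
                raise ValueError(f"line {n}: missing auth method")
            try:
                net = ipaddress.ip_network((addr, mask) if mask else addr, strict=False)
            except ValueError:
                net = None                               # hostname or keyword (all, samenet, ...)
            records.append(Record(n, ctype, fields[1], fields[2], addr, net, rest[0]))
        else:
            raise ValueError(f"line {n}: unknown record type {ctype!r}")
    return records

def audit(records: list[Record]) -> list[Finding]:
    """Apply the policy record by record (first-match ordering is not modelled)."""
    out: list[Finding] = []
    for r in records:
        loopback = r.network is not None and r.network.is_loopback
        if r.method == "trust":                           # slide 10
            if r.conn_type == "local":
                out.append(Finding(r.line_no, "trust-local", "medium",
                                   "any local OS user may log in as any role; consider peer/ident"))
            else:
                out.append(Finding(r.line_no, "trust-network", "high",
                                   f"clients matching {r.address} may claim any identity"))
        if r.method == "password":                        # slide 11: avoid plaintext
            out.append(Finding(r.line_no, "plaintext-password", "high",
                               "password crosses the wire in the clear; use md5/scram-sha-256 or stronger"))
        if r.conn_type == "host" and not loopback:        # slides 21-22
            sev = "medium" if r.method in PASSWORD_BASED else "low"
            out.append(Finding(r.line_no, "ssl-not-required", sev,
                               "plain 'host' also matches unencrypted sessions; use hostssl to require SSL"))
    return out

# Constructed sample: slide 8's four records followed by two added lines.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER     ADDRESS               METHOD
local   all       all                            trust
host    all       all      127.0.0.1/32          trust
host    webdb     webuser  10.0.0.0/24           md5
host    all       @dba     192.168.0.0/24        gss
host    all       all      0.0.0.0/0             password
hostssl reports   analyst  10.1.0.0 255.255.0.0  scram-sha-256
"""

if __name__ == "__main__":
    for f in audit(parse_hba(SAMPLE_HBA)):
        print(f"line {f.line_no} [{f.severity}] {f.code}: {f.detail}")
```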
10. Trust Authentication
● Any user can be anyone he/she claims to be!
● Anyone think this is a bad idea?
11. Username/password
● Normally, use md5 method
– crypt has been removed, avoid plaintext
● What everybody does
● What everybody expects
12. LDAP authentication
● To the client, username/password
● Backend verification is off-loaded to directory server
● Common in enterprise deployments
● Password policies, expiry, etc
13. LDAP authentication
● Single password not single signon
[Diagram: Client, PostgreSQL Server, LDAP Server; arrows labelled 1. Connect (password), 2. Request, 3. Send password]
14. LDAP news in 9.0
● search/bind combination
● Can use non-cn fields in login
– Anything that's LDAP searchable
– Common choice: uid
15. RADIUS (new in 9.0)
● Remote Authentication Dial In User Service
● Simple single-packet UDP service
● Original use-case: ISP dialup
● Common for one-time passwords, etc
● Good policy frameworks
16. Kerberos/GSSAPI/SSPI
● Single signon
● Same benefits as LDAP (mostly)
● Most common: Active Directory
● («krb5» is deprecated)
17. Kerberos/GSSAPI/SSPI
● Single password not single signon
[Diagram: Client, KDC, PostgreSQL Server; arrows labelled 1. Request ticket (Client to KDC), 2. Return ticket (KDC to Client), 3. Present ticket (Client to PostgreSQL Server)]
18. PAM
● Provided by OS
● Can do password, LDAP, etc
● Can also do Kerberos & friends
● One-time passwords
– RSA SecurID, Vasco, etc
– RADIUS (no need in 9.0)
21. SSL secured connections
● Enabled on the server (ssl=yes)
– Platform quirks!
● Optionally required through pg_hba
● Optionally required in libpq
22. SSL secured connections
● Need to protect data in both directions
● For example username/password
● Must know before connection is started
– Unknown equals unprotected
23. SSL encryption
● SSL always requires a server certificate
● Can be self-signed
● Does not need to be known by client
27. Threats handled by SSL: Eavesdropping
[Diagram: Client sends "SELECT * FROM secret_stuff" to Server across the network]
28. Eavesdropping
● Prevented by encrypting all data
● Key negotiation is automatic
– On initial connection
– After 512Mb traffic
● Server certificate used but not verified
29. Key renegotiation
● Broken in the SSL protocol – OOPS!
● Fixed SSL libraries are available
● Broken fixes were pushed by vendors
● ssl_renegotiation_limit = 512MB
30. Threats handled by SSL: Man in the middle
[Diagram: Client holds a valid SSL session to a Fake server, which holds a valid SSL session to the real Server]
31. SSL server verification
● On top of encryption
● Validate that the server is who it claims to be
● CA issues certificate, can be self-signed
● CA certificate known by client
32. Threats handled by SSL: Man in the middle
[Diagram: Client, Fake server, Server; with server verification only one leg is labelled a valid SSL session]
33. SSL client authentication
● On top of encryption
● Normally on top of server verification, but not necessary
● CA issued certificate on client
● Match CN on certificate to user id
● Protect client certificate!
35. SSL client certificates
● Can also be used together with other authentication
● Require client certificate
● Also require e.g. username/password
36. SSL in libpq
● Controlled by sslmode parameter
● Or environment PGSSLMODE
● For security, must be set on client
– Remember, unknown = unsecure
37. Summary of libpq SSL modes
Client mode   Protects against        Compatible with server set to...    Performance
              Eavesdrop    MITM       SSL required    SSL disabled        overhead
disable       no           no         FAIL            works               no
allow         no           no         works           works               if necessary
prefer        no           no         works           works               if possible
require       yes          no         works           FAIL                yes
verify-ca     yes          yes        works           FAIL                yes
verify-full   yes          yes        works           FAIL                yes
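An added example, not code from the talk or from libpq: it resolves the sslmode a client actually ends up with (connection-string sslmode, then the PGSSLMODE environment variable, then libpq's built-in default of prefer) and maps it onto the protections in the table above, which is why a client that sets nothing gets no protection. The connection-string parser is a re-implementation of the documented keyword=value and URI syntaxes; host names and certificate paths in it are constructed.

```python
"""Work out which libpq sslmode a client will actually use, and what it buys.

Added example for the "SSL in libpq" slides, not code from the talk or from libpq.
It reproduces libpq's documented precedence (connection-string sslmode beats the
PGSSLMODE environment variable, which beats the built-in default 'prefer') and
the protection table from the summary slide.
"""
from __future__ import annotations
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Summary slide, row by row: (stops eavesdropping, stops MITM,
# works when server requires SSL, works when server has SSL disabled, overhead)
MODE_TABLE = {
    "disable":     (False, False, False, True,  "no"),
    "allow":       (False, False, True,  True,  "if necessary"),
    "prefer":      (False, False, True,  True,  "if possible"),
    "require":     (True,  False, True,  False, "yes"),
    "verify-ca":   (True,  True,  True,  False, "yes"),
    "verify-full": (True,  True,  True,  False, "yes"),
}

@dataclass(frozen=True)
class Assessment:
    mode: str
    eavesdrop: bool             # client is protected against eavesdropping
    mitm: bool                  # client is protected against a fake server
    works_if_server_requires_ssl: bool
    works_if_server_ssl_disabled: bool
    overhead: str
    ca_file: str | None         # CA certificate the client must hold (verify-* modes only)

def parse_conninfo(conninfo: str) -> dict[str, str]:
    """Parse a libpq connection string: keyword=value pairs or a postgresql:// URI."""
    if conninfo.startswith(("postgresql://", "postgres://")):
        query = urlsplit(conninfo).query
        return {k: v[-1] for k, v in parse_qs(query, keep_blank_values=True).items()}
    params: dict[str, str] = {}
    s, i, n = conninfo, 0, len(conninfo)
    while True:
        while i < n and s[i].isspace():
            i += 1
        if i >= n:
            return params
        j = i
        while j < n and not s[j].isspace() and s[j] != "=":
            j += 1
        key = s[i:j]
        while j < n and s[j].isspace():
            j += 1
        if j >= n or s[j] != "=":
            raise ValueError(f"missing '=' after {key!r}")
        j += 1
        while j < n and s[j].isspace():
            j += 1
        if j < n and s[j] == "'":                   # quoted value: \' and \\ are escapes
            j, buf = j + 1, []
            while j < n and s[j] != "'":
                if s[j] == "\\" and j + 1 < n:
                    j += 1
                buf.append(s[j])
                j += 1
            if j >= n:
                raise ValueError("unterminated quoted value")
            params[key], i = "".join(buf), j + 1
        else:                                       # bare value runs to the next whitespace
            k = j
            while k < n and not s[k].isspace():
                k += 1
            params[key], i = s[j:k], k

def effective_sslmode(conninfo: str, env: dict[str, str]) -> str:
    """Connection string wins over PGSSLMODE, which wins over the default 'prefer'."""
    params = parse_conninfo(conninfo)
    mode = params.get("sslmode") or env.get("PGSSLMODE") or "prefer"
    if mode not in MODE_TABLE:
        raise ValueError(f"invalid sslmode {mode!r}")
    return mode

def assess(conninfo: str, env: dict[str, str]) -> Assessment:
    """Classify a client configuration using the slide's table.  The verify-* modes
    also need the CA certificate on the client (slide 31); libpq takes sslrootcert,
    then PGSSLROOTCERT, then ~/.postgresql/root.crt."""
    mode = effective_sslmode(conninfo, env)
    eaves, mitm, req_ok, dis_ok, overhead = MODE_TABLE[mode]
    ca = None
    if mode.startswith("verify-"):
        ca = (parse_conninfo(conninfo).get("sslrootcert") or env.get("PGSSLROOTCERT")
              or "~/.postgresql/root.crt")
    return Assessment(mode, eaves, mitm, req_ok, dis_ok, overhead, ca)

if __name__ == "__main__":
    # Same connection string under three client environments (constructed host name).
    for env in ({}, {"PGSSLMODE": "require"}, {"PGSSLMODE": "verify-full"}):
        print(env, assess("host=db.example.internal dbname=webdb", env))
```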
41. Not a bad idea: ipsec
● If already deployed
● Application transparent
● Global policies
● Integrated management
● Somebody Else's Problem?