database security threats — mariadb security best practices
TRANSCRIPT
LAYOUT
Title Slide (Dark)
MariaDB Security Threats and Best Practices
LAYOUT
ComparisonPowerPoint Default
ThreatsViruses
Hacker attacks
Software spoofing
Defense• Do not allow TCP connections to
MariaDB from the Internet at large.
• Configure MariaDB to listen on a network interface that is only accessible from the host where your application runs.
• Design your physical network to connect the app to MariaDB
• Use bind-address to bind to a specific network interface
• Use your OS’s firewall
• Keep your OS patched
The Internet
LAYOUT
ComparisonPowerPoint Default
ThreatsDenial of Service
Attacks created by overloading application
SQL query injection attacks
Defense• Do not run your application
on your MariaDB Server.
• Do not install unnecessary packages on your MariaDB Server.
• An overloaded application can use so much memory that MariaDB could slow or even be killed by the OS. This is an effective DDoS attack vector.
• A compromised application or service can have many serious side effects
– Discovery of MariaDB credentials– Direct access to data– Privilege escalation
Applications
LAYOUT
ComparisonPowerPoint Default
Threats• Disgruntled employees
• Mistakes and human error
• Do not use the MariaDB “root” user for application access.
• Grant only the privileges required by your application.
• Minimize the privileges granted to the MariaDB user accounts used by your applications
– Don’t grant CREATE or DROP privileges.
– Don’t grant the FILE privilege.– Don’t grant the SUPER privilege.– Don’t grant access to the
mysql database
Defense• Limit users who have:
– SSH access to your MariaDB server.– Sudo privileges on your M
ariaDB server.
• Set the secure_file_priv option to ensure that users with the FILE privilege cannot write or read MariaDB data or important system files.
• Do not run mysqld as root
• Avoid ‘%”, use specific host names
Excessive Trust
LAYOUT
Title Only (Blue)
Best Practices ENCRYPTION
Encrypt some data in the application
Encrypt data at rest
Non-key data
Credit card numbers, PII etc
Encrypt data in transit using SSL
From clients to MariaDB MaxScale
From clients to MariaDB
Between MariaDB replicated servers
InnoDB tablespace encryption
InnoDB redo log encryption
Binary log encryption
LAYOUT
Title Only (Blue)
Best Practices USE A DATABASE PROXY
Restrict the operations that clients
(applications) are allowed to perform
Identify and flag
potentially dangerous
queries
Customize rules about
what’s allowed and what’s not
Use MariaDB MaxScale as a Database
Firewall
Implement connection
pooling capabilities
can protect against DDoS
attacks
LAYOUT
Title Only (Blue)
Best Practices USER MANAGEMENT
Use OS permissions to restrict access
to MariaDB data and backups
Use strong passwords
Allow root access to MariaDB only from local
clients—no administrative access
over the network
Use a separate MariaDB user account
for each of your applications
Use the unix_socket authentication plugin so
that only the OS root user can connect as the
MariaDB root user
Allow access from a minimal
set of IP addresses
LAYOUT
Title Only (Blue)
Best Practices AUDITING
Ensure regulatory compliance with robust logging
Use MariaDB Audit Plugin
Record connections,
query executions, and tables accessed
Use logs for forensic analysis after an incident
Logging either to a file or to syslog
LAYOUT
Section Header (Extensible)
MariaDB Enterprise SecurityFeatures
LAYOUT
ComparisonPowerPoint Default
Password ValidationSimple_password_check
plugin
Enforce a minimum password
length and type/number of characters to be used
External AuthenticationSingle Sign On is getting mandatory in most Enterprises.
PAM-Authentication Plugin allows using /etc/shadow and any PAM based authentication like LDAP
Kerberos-Authentication as a standardized network authentication protocol is provided GSSAPI based on UNIX and SSPI based on Windows
Applications
LAYOUT
Title OnlyPowerPoint Default
MariaDB Kerberos Authentication
GSS-API on Linux• Red Hat
Directory Server• OpenLDAP
SSPI on Windows• Active DirectoryKDC Client MariaDB
23
4
1
Ticket request
Serviceticket
Here is my service ticket,
authenticate me
Client / server
session
LAYOUT
Title OnlyPowerPoint Default
MariaDB Role Based Access Control
DBA
Developer
Sysadmin
Database Tables
MariaDB 10Role: DBA
Permissions:• Update Schema• View Statistics• Create Database
LAYOUT
ComparisonPowerPoint Default
Secured ConnectionsSSL Connections based on
the TLSv1.2 Protocol
Between MariaDB Connectors and Server
Between MariaDB Connectors and MaxScale
SSL can also be enabled for the replication channel
Encryption FunctionalitySelective Data-At-Rest Encryption
Application control of data encryption
Based on the AES (Advanced Encryption Standard) or DES (Data Encryption Standard) algorithm
Encryption for Data in Motion
LAYOUT
ComparisonPowerPoint Default
Data-at-Rest Encryption
• Everything: – Tables or tablespaces – Log files
• Independent of encryption capabilities of applications
• Based on encryption keys, key ids, key rotation and key versioning
Key Management Services• Encryption plugin API offers choice
– Plugin to implement the data encryption
– Manage encryption Keys
• MariaDB Enterprise options– Simple Key Management included – Amazon AWS KMS Plugin included– Eperi KMS for on premise key
management – optional
Encryption for Data Rest
LAYOUT
Title Only (Dark)
MariaDB Table-level Encryption
Tables and transaction logs are encrypted when
stored to disk
Completely transparent to applications
Several key-management
systems supported
Low performance overhead
Eperi | Amazon
LAYOUT
Title Only (Dark)
MariaDB Table-level encryptionEXAMPLE
CREATE TABLE names ( id int(11) NOT NULL PRIMARY KEY AUTO_INCREMENT, name varchar(255) DEFAULT NULL);INSERT INTO names VALUES(NULL, 'James Bond');INSERT INTO names VALUES(NULL, 'Felix Leiter');INSERT INTO names VALUES(NULL, 'Modesty Blaise');
$ sudo strings –n 10 data/test/names.ibdJames BondFelix LeiterModesty Blaise
Looking at the actual file
Without encryption
LAYOUT
Title Only (Dark)
MariaDB Table-level encryptionEXAMPLE
Looking at the actual file
Without encryption
CREATE TABLE secret_names ( id int(11) NOT NULL PRIMARY KEY AUTO_INCREMENT, name varchar(255) DEFAULT NULL) ENGINE=InnoDB ENCRYPTED=YES ENCRYPTION_KEY_ID=12;INSERT INTO secret_names VALUES(NULL, 'James Bond');INSERT INTO secret_names VALUES(NULL, 'Felix Leiter');INSERT INTO secret_names VALUES(NULL, 'Modesty Blaise');
$ sudo strings –n 10 data/test/secret_names.ibdT404bTfV6GHM:
LAYOUT
ComparisonPowerPoint Default
MariaDB Audit Plugin • Logs server activity
– Who connected to the server – Source of connection – Queries executed– Tables touched
• Be judicious in selecting what is audited– only choose what you can pay attention to– Don’t overwhelm the server with auditing
• File based or syslog based logging
Auditing for Security and Compliance
Connection Disconnect
Connect
Failed Connect
Timestamp Host User SessionQuery DML + TCL
DDL
DCL
ObjectTables
Database
LAYOUT
ComparisonPowerPoint Default
Attack Protection with MariaDB MaxScale
Database Firewall Denial of Service Attack Protection • MariaDB MaxScale
Persistent Connections
• Connection pooling protects against connection surges
• Cache the connections from MaxScale to the database server
• Rate limitation
• Client multiplexing
• Protects against SQL injection
• Prevents unauthorized user access and data damage
• White-list or Black-list Queries– Queries that match a set of rules– Queries matching rules
for specified users– Queries that match certain
patterns, columns, statement types
• Multiple ordered rule
LAYOUT
Title Only (Custom Image)
Send image to back or copy and paste
footer logo on top of image
MariaDB Security Gets Stronger All the Time
MariaDB User Community
Quickly identifies new
threats
Creates solutions
Reports vulnerabilities
Contributes features
LAYOUT
Thank You (Dark)
Thank you