Copyright © 2014, Oracle and/or its affiliates. All rights reserved.

MySQL Security: Best Practices
Mark Swarbrick, Principal Presales Consultant, UK&I
Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.
43% of companies have experienced a data breach in the past year.
Source: Ponemon Institute, 2014
Mega Breaches
• 552 million identities exposed in 2013, a 493% increase over the previous year
• 77% of websites had vulnerabilities
• 1 in 8 of all websites had a critical vulnerability
• 8 breaches exposed more than 10 million records each in 2013
• Total breaches increased 62% in 2013
Source: Internet Security Threat Report 2014, Symantec
Database Vulnerabilities
• Poor configurations: set controls and change default settings
• Over-privileged accounts: privilege policies
• Weak access control: dedicated administrative accounts
• Weak authentication: strong password enforcement
• Weak auditing: compliance and audit policies
• Lack of encryption: data, backup, and network encryption
• Poor credential and key management: use mysql_config_editor, key vaults
• Unsecured backups: encrypted backups
• No monitoring: security monitoring of users and objects
• Poorly coded applications: database firewall
Database Attacks
• SQL injection
  – Prevention: database firewall, whitelist, input validation
• Buffer overflow
  – Prevention: apply database software updates promptly; database firewall, whitelist, input validation
• Brute-force attack
  – Prevention: lock out accounts after a defined number of incorrect attempts
• Network eavesdropping
  – Prevention: require SSL/TLS for all connections and transport
• Malware
  – Prevention: tight access controls, limited network IP access, changed default settings, encryption
Database Malicious Actions
• Information disclosure: obtain credit card and other personal information
  – Defense: encryption of data and network traffic, tighter access controls
• Denial of service: run resource-intensive queries
  – Defense: resource usage limits (max connections, sessions, timeouts, ...)
• Elevation of privilege: retrieve and use administrator credentials
  – Defense: stronger authentication, access controls, auditing
• Spoofing: retrieve and use other users' credentials
  – Defense: stronger account and password policies
• Tampering: change data in the database, delete transaction records
  – Defense: tighter access controls, auditing, monitoring, backups
Regulatory Compliance
• Regulations
  – PCI DSS: payment card data
  – HIPAA: privacy of health data
  – Sarbanes-Oxley: accuracy of financial data
  – EU Data Protection Directive: protection of personal data
  – Data Protection Act (UK): protection of personal data
• Requirements
  – Continuous monitoring (users, schema, backups, etc.)
  – Data protection (encryption, privilege management, etc.)
  – Data retention (backups, user activity, etc.)
  – Data auditing (user activity, etc.)
PCI DSS
• Requirement 2: secure configurations, security settings and patching
  – Do not use vendor default passwords and security settings
• Requirement 3: protect cardholder data with strong cryptography
  – Protect stored cardholder data
  – Protect encryption keys
• Requirement 6: up-to-date patching and secure systems
  – Develop and maintain secure systems and applications
• Requirement 7: user access and authorization
  – Restrict access to cardholder data by need to know
• Requirement 8: identity and access management
  – Identify and authenticate access to system components
• Requirement 10: monitoring, tracking and auditing
  – Track and monitor access to cardholder data
White paper: A Guide to MySQL and PCI Compliance
DBA Responsibilities
• Ensure only users who should get access can get access
• Limit what users and applications can do
• Limit from where users and applications can access data
• Watch what is happening, and when it happened
• Make sure to back things up securely
• Minimize attack surface
• Ensure encryption keys are protected and managed
MySQL Security Overview (figure: the five security areas and what each covers)
• Authentication: MySQL built-in, Linux/LDAP, Windows AD, custom plugins, proxy users
• Authorization: privilege management, administration, database and object privileges
• Encryption: SSL/TLS, public/private key, transparent encryption, key management
• Firewall: block threats
• Auditing: regulatory compliance, login and query activities
MySQL Authorization
• Administrative privileges
• Database privileges
• Session limits and object privileges
• Fine-grained controls over user privileges
  – Creating, altering and deleting databases
  – Creating, altering and deleting tables
  – Executing INSERT, SELECT, UPDATE, DELETE queries
  – Creating, executing, or deleting stored procedures, and with what rights
  – Creating or deleting indexes
(Screenshot: security privilege management in MySQL Workbench)
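As an added example (not from the deck), the privilege model above, together with the resource limits the earlier "denial of service" slide suggests, applied to one illustrative application account. The schema name `shop`, the account names, the 10.0.2.0/24 application subnet and the passwords are assumptions; the syntax is MySQL 5.7.

```sql
-- Least-privilege application account with resource limits (MySQL 5.7).
-- Added example, not from the deck. Schema `shop`, the accounts, the
-- 10.0.2.0/24 application subnet and the passwords are assumptions.

-- 1. Bind the account to the application subnet, never to '%'.
CREATE USER 'shop_app'@'10.0.2.%' IDENTIFIED BY 'assumed-long-random-secret';

-- 2. Only the DML the application needs, only on its own schema.
GRANT SELECT, INSERT, UPDATE, DELETE ON shop.* TO 'shop_app'@'10.0.2.%';

-- 3. Schema changes go through a separate account that is used rarely
--    and only from the server itself.
CREATE USER 'shop_ddl'@'localhost' IDENTIFIED BY 'assumed-other-secret';
GRANT CREATE, ALTER, DROP, INDEX, CREATE ROUTINE, ALTER ROUTINE
  ON shop.* TO 'shop_ddl'@'localhost';

-- 4. Per-account limits: a leaked or buggy client cannot monopolise the
--    server (the "resource-intensive queries" denial-of-service case).
ALTER USER 'shop_app'@'10.0.2.%'
  WITH MAX_QUERIES_PER_HOUR 100000
       MAX_UPDATES_PER_HOUR 20000
       MAX_CONNECTIONS_PER_HOUR 3600
       MAX_USER_CONNECTIONS 50;

-- 5. Server-wide backstops behind the per-account ones.
SET GLOBAL max_connections = 500;
SET GLOBAL wait_timeout = 600;          -- reap idle sessions after 10 min
SET GLOBAL max_execution_time = 5000;   -- 5.7.8+: SELECTs killed after 5 s

-- 6. Verify what was really granted, then hunt for over-privileged
--    accounts: SUPER, GRANT OPTION and FILE are the usual escalation paths.
SHOW GRANTS FOR 'shop_app'@'10.0.2.%';
SELECT user, host
FROM mysql.user
WHERE Super_priv = 'Y' OR Grant_priv = 'Y' OR File_priv = 'Y';
```

The `SET GLOBAL` lines take effect for new sessions only and are lost at restart; put the same settings in my.cnf so a reboot does not silently widen the limits. `max_execution_time` applies to SELECT statements only, so long-running writes still need the per-account hourly limits and monitoring.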
MySQL Authentication
• Built-in authentication
  – The mysql.user table stores accounts and hashed passwords
• X.509
  – The server authenticates client certificates
• MySQL native and SHA-256 password plugins
  – mysql_native_password hashes passwords with unsalted SHA-1; the sha256_password plugin uses SHA-256 with per-user salting
• MySQL Enterprise Authentication
  – Microsoft Active Directory
  – Linux PAM (Pluggable Authentication Modules), supporting LDAP and more
• Custom authentication
MySQL Password Policies
• Accounts without passwords
  – Assign passwords to all accounts to prevent unauthorized use
• Password validation plugin
  – Enforce strong passwords
• Password expiration and rotation
  – Require users to reset their password
• Account locking (ALTER USER ... ACCOUNT LOCK, in 5.7)
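The four policy points above as an added example (not from the deck), using the MySQL 5.7 variable and statement names. The account names, the passwords and the dictionary file path are illustrative; the dictionary file must exist before the `SET` that references it.

```sql
-- Password policy enforcement, MySQL 5.7 variable names.
-- Added example, not from the deck; account names, the dictionary path
-- and the passwords are illustrative.

-- 1. Load the validation plugin; it stays registered across restarts.
INSTALL PLUGIN validate_password SONAME 'validate_password.so';

-- 2. STRONG adds a dictionary check to the length/character-class rules.
SET GLOBAL validate_password_policy = STRONG;
SET GLOBAL validate_password_length = 14;
SET GLOBAL validate_password_mixed_case_count = 1;
SET GLOBAL validate_password_number_count = 1;
SET GLOBAL validate_password_special_char_count = 1;
SET GLOBAL validate_password_dictionary_file = '/etc/mysql/weak-passwords.txt'; -- assumed path

-- 3. Rotation: a default lifetime for everyone, shorter for administrators.
SET GLOBAL default_password_lifetime = 180;
CREATE USER 'dba_alice'@'localhost'
  IDENTIFIED WITH sha256_password BY 'kX7#mQ2!vR9$pL4wZ'
  PASSWORD EXPIRE INTERVAL 90 DAY;

-- 4. Object-owner accounts that nobody should ever log in as.
CREATE USER 'report_owner'@'localhost' ACCOUNT LOCK;

-- 5. The weak spots the slide lists: empty passwords, and accounts still
--    on the unsalted native hash.
SELECT user, host, plugin
FROM mysql.user
WHERE authentication_string = ''
   OR plugin = 'mysql_native_password';

-- 6. Force an immediate reset after a suspected credential exposure.
ALTER USER 'dba_alice'@'localhost' PASSWORD EXPIRE;
```

A `CREATE USER` or `ALTER USER` whose password fails the policy is rejected with ER_NOT_VALID_PASSWORD (1819), so the plugin must be loaded before the policy is relied on. Two caveats: `sha256_password` needs TLS or the server's RSA key pair for the password exchange, and expiring an application account puts its next connection into sandbox mode, which breaks the application until the password is changed; reserve step 6 for interactive accounts.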
MySQL Encryption
• SSL/TLS encryption
  – Between MySQL clients and the server
  – Replication: between master and slave
• Data encryption
  – AES encrypt/decrypt functions
• MySQL Enterprise TDE
  – Transparent Data Encryption
  – Key management (KMIP)
• MySQL Enterprise Encryption
  – Asymmetric encrypt/decrypt
  – Generate public and private keys
  – Derive session keys
  – Digital signatures
• MySQL Enterprise Backup
  – AES encrypt/decrypt
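The two community-edition items above, transport encryption and the AES functions, as an added example that is not part of the deck. The accounts, the `card_tokens` table, the passphrase-derived key and the test card number 4111111111111111 are constructed for the demonstration; in production the key comes from the application or a key vault.

```sql
-- Transport and column encryption with the server's built-in features.
-- Added example, not from the deck. The accounts, table, key and the
-- test card number are constructed for the demonstration.

-- 1. Accounts: refuse cleartext for the application; require a client
--    certificate from the CA the server trusts for administrators.
CREATE USER 'shop_app'@'10.0.2.%' IDENTIFIED BY 'assumed-app-secret' REQUIRE SSL;
CREATE USER 'dba_alice'@'%' IDENTIFIED BY 'assumed-dba-secret' REQUIRE X509;

-- 2. Server-wide (5.7.8+): no TCP connection without TLS at all.
SET GLOBAL require_secure_transport = ON;

-- 3. Is this session encrypted? An empty Ssl_cipher means cleartext.
SHOW SESSION STATUS LIKE 'Ssl_cipher';

-- 4. Column encryption. The default block_encryption_mode is aes-128-ecb,
--    which has no IV and therefore reveals equal plaintexts; use CBC with
--    a random IV stored beside each ciphertext.
SET SESSION block_encryption_mode = 'aes-256-cbc';

-- A real key comes from the application or a key vault (KMIP); deriving
-- it from a passphrase here only keeps the example self-contained.
SET @key = UNHEX(SHA2('assumed-passphrase-replace-me', 256));

CREATE TABLE card_tokens (
  id      INT AUTO_INCREMENT PRIMARY KEY,
  iv      BINARY(16)    NOT NULL,
  pan_enc VARBINARY(64) NOT NULL
);

SET @iv = RANDOM_BYTES(16);
INSERT INTO card_tokens (iv, pan_enc)
VALUES (@iv, AES_ENCRYPT('4111111111111111', @key, @iv));

-- Decrypt with the IV stored on the row. With a wrong key the padding
-- check normally fails and AES_DECRYPT returns NULL rather than a
-- plausible-looking PAN.
SELECT id, CAST(AES_DECRYPT(pan_enc, @key, iv) AS CHAR) AS pan
FROM card_tokens;
```

`require_secure_transport` still admits Unix-socket and shared-memory connections, which are local by construction. Note that the key and plaintext pass through the server in statements, so they can appear in the general log and in `SHOW PROCESSLIST`; that is the gap Enterprise TDE closes by encrypting tablespaces below the SQL layer.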
Database Firewall
• SQL injection attacks
  – #1 web application vulnerability
  – 77% of websites had vulnerabilities
• MySQL Enterprise Firewall
  – Monitor database statements in real time
  – Automatic whitelist "rules" generation for any application
  – Block SQL injection attacks
  – Intrusion detection system
Database Auditing
• Auditing for security and compliance
  – FIPS, HIPAA, PCI DSS, SOX, DISA STIG, ...
• MySQL built-in logging infrastructure
  – General log, error log
• MySQL Enterprise Audit
  – Granularity made for auditing
  – Can be modified live
  – Contains additional details
  – Compatible with Oracle Audit Vault
MySQL Database Hardening
• User management
  – Remove extra accounts
  – Grant minimal privileges
  – Audit users and privileges
• Configuration
  – Firewall
  – Auditing and logging
  – Limit network access
  – Monitor changes
• Installation
  – mysql_secure_installation
  – Keep MySQL up to date
  – MySQL Installer for Windows
  – Yum/Apt repository
• Backups
  – Monitor backups
  – Encrypt backups
• Encryption
  – SSL/TLS for secure connections
  – Data encryption (AES, RSA)
  – TDE
• Passwords
  – Strong password policy
  – Hashing, expiration
  – Password validation plugin
MySQL 5.7 Linux Packages: Security Improvements
• Test/demo database has been removed
  – Now in separate packages
• Anonymous account creation is removed
• A single root account is created, for localhost only
• Default installation ensures encrypted communication by default
  – Automatic generation of SSL/RSA certificates and keys
    • For EE: at server startup, if the certificate/key options were not set
    • For CE: through the new mysql_ssl_rsa_setup utility
  – Automatic detection of SSL certificates and keys
  – Client attempts a secure TLS connection by default
• Compile-time restriction on the location used for data import/export operations
  – Ensures the location has restricted access: only the mysql user and group
  – Supports disabling data import/export: set secure_file_priv to NULL (5.7.6 and later; an empty value imposes no restriction)
• MySQL Installer for Windows includes various security setup and hardening steps
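An added example, not part of the deck: the checks behind the 5.7 defaults and the hardening slide before it, written as queries so a review can be scripted instead of walked through mysql_secure_installation by hand. Everything here runs on a stock 5.7 server; the only assumption is an account allowed to read mysql.user and performance_schema.

```sql
-- Post-install hardening review as queries (mysql_secure_installation
-- covers the first items interactively). Added example, not from the deck;
-- runs on 5.7 with privileges to read mysql.user and performance_schema.

-- Anonymous accounts: a hardened server returns no rows.
SELECT user, host FROM mysql.user WHERE user = '';

-- root reachable from anything but the local machine: again, no rows.
SELECT user, host FROM mysql.user
WHERE user = 'root' AND host NOT IN ('localhost', '127.0.0.1', '::1');

-- Accounts with a wildcard host ('%' anywhere in the host part).
SELECT user, host FROM mysql.user WHERE host LIKE '%\%%';

-- Test database still present? 5.7 packages no longer ship it.
SHOW DATABASES LIKE 'test';

-- File import/export. A directory restricts LOAD DATA INFILE and
-- SELECT ... INTO OUTFILE to that path; NULL disables them (5.7.6+);
-- an empty value means no restriction at all.
SHOW VARIABLES LIKE 'secure_file_priv';

-- LOAD DATA LOCAL makes the server read files the client names; OFF
-- unless an application genuinely needs it.
SHOW VARIABLES LIKE 'local_infile';

-- TLS material the server found or generated at startup.
SHOW VARIABLES WHERE Variable_name IN ('have_ssl', 'ssl_ca', 'ssl_cert', 'ssl_key');

-- Sessions connected right now WITHOUT encryption (per-thread status).
SELECT t.PROCESSLIST_ID, t.PROCESSLIST_USER, t.PROCESSLIST_HOST
FROM performance_schema.threads AS t
JOIN performance_schema.status_by_thread AS s
  ON s.THREAD_ID = t.THREAD_ID
WHERE t.TYPE = 'FOREGROUND'
  AND s.VARIABLE_NAME = 'Ssl_cipher'
  AND s.VARIABLE_VALUE = '';
```

The last query is the one to run before turning on `require_secure_transport`: every row is a client that will stop connecting the moment the switch is flipped, so fix those first.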
MySQL Enterprise Edition
• MySQL Enterprise Authentication
  – External authentication modules: Microsoft AD, Linux PAM
• MySQL Enterprise Encryption
  – Public/private key cryptography, asymmetric encryption
  – Digital signatures, data validation
• MySQL Enterprise Firewall
  – Block SQL injection attacks, intrusion detection
• MySQL Enterprise Audit
  – User activity auditing, regulatory compliance
• MySQL Enterprise Monitor
  – Changes in database configurations, user permissions, database schema, passwords
• MySQL Enterprise Backup
  – Securing backups, AES-256 encryption
• MySQL Enterprise TDE
  – AES-256 encryption, key management
MySQL Enterprise Monitor
• Enforce MySQL security best practices
  – Identifies vulnerabilities
  – Assesses current setup against security hardening policies
• Monitoring and alerting
  – User monitoring
  – Password monitoring
  – Schema change monitoring
  – Backup monitoring
  – Configuration management
  – Configuration tuning advice
• Centralized user management

"I definitely recommend the MySQL Enterprise Monitor to DBAs who don't have a ton of MySQL experience. It makes monitoring MySQL security, performance and availability very easy to understand and to act on."
Sandi Barr, Sr. Software Engineer, Schneider Electric
MySQL Enterprise Firewall
• Block SQL injection attacks
  – Allow: SQL statements that match the whitelist
  – Block: SQL statements that are not on the whitelist
• Intrusion detection system
  – Detect: SQL statements that are not on the whitelist
  – SQL statements execute and alert administrators

(Figure: whitelisted applications send statements through the firewall)
  SELECT * FROM employee WHERE id=22             Allow ✔
  SELECT * FROM employee WHERE id=22 or 1=1      Block ✖ (detect and alert in intrusion-detection mode)
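The figure's injection, as an added example that is not part of the deck, reproduced in MySQL's own stored-procedure dialect and then closed off at the statement level. The `employee` table, its two rows and both procedures are constructed for the demonstration. The firewall blocks the second statement because its shape does not match anything in the recorded whitelist; application code gets the same property by never letting user input change the statement shape, which is what the "input validation" bullet on the Database Attacks slide amounts to in practice.

```sql
-- The figure's injection, in MySQL's own dialect, and the fix at the
-- statement level. Added example, not from the deck; the employee table,
-- its rows and both procedures are constructed for the demonstration.

CREATE TABLE employee (id INT PRIMARY KEY, name VARCHAR(40), salary INT);
INSERT INTO employee VALUES (21, 'Ada', 90000), (22, 'Bob', 65000);

DELIMITER //

-- Vulnerable: caller text is spliced into the SQL, so the statement's
-- shape is whatever the caller makes it.
CREATE PROCEDURE get_employee_unsafe(IN p_id VARCHAR(100))
BEGIN
  SET @sql = CONCAT('SELECT id, name, salary FROM employee WHERE id=', p_id);
  PREPARE stmt FROM @sql;
  EXECUTE stmt;
  DEALLOCATE PREPARE stmt;
END //

-- Hardened: the statement text is a constant and the value is bound
-- with USING. The whole input is one operand of the comparison; it can
-- never become an extra predicate such as "or 1=1".
CREATE PROCEDURE get_employee_safe(IN p_id VARCHAR(100))
BEGIN
  SET @id = p_id;
  PREPARE stmt FROM 'SELECT id, name, salary FROM employee WHERE id = ?';
  EXECUTE stmt USING @id;
  DEALLOCATE PREPARE stmt;
END //

DELIMITER ;

CALL get_employee_unsafe('22');
CALL get_employee_unsafe('22 or 1=1');
CALL get_employee_safe('22');
CALL get_employee_safe('22 or 1=1');
```

The second unsafe call returns both rows: the statement it actually executes is the figure's blocked one. The second safe call compares the integer column with the single string value `'22 or 1=1'`, which MySQL coerces to its numeric prefix 22 (with a truncation warning), so it can return at most Bob's row and never the whole table. The same applies to client-side drivers: use their parameter binding, not string concatenation, and keep the firewall as the control that catches the code paths that did not.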
MySQL Enterprise Authentication
• Integrate with centralized authentication infrastructure
  – Centralized account management
  – Password policy management
  – Groups and roles
• PAM (Pluggable Authentication Modules)
  – Standard interface (Unix, LDAP, Kerberos, others)
• Windows
  – Accesses the native Windows service; use it to authenticate users against Windows Active Directory or the native host
Integrates MySQL with existing security infrastructures
MySQL Enterprise Encryption
• MySQL encryption functions
  – Symmetric encryption: AES-256 (all editions)
  – Public-key/asymmetric cryptography: RSA
• Key management functions
  – Generate public and private keys
  – Key exchange methods: DH
• Sign and verify data functions
  – Cryptographic hashing for digital signing, verification and validation: RSA, DSA
Database Auditing
• "Trust but verify" approach to security
  – Ensure users with strong privileges don't misuse those privileges
• Business audit: data validity
  – Here's proof my database data is accurate/correct
  – Prove no tampering with data has occurred
• Forensic analysis, as a component of any defense-in-depth strategy
  – Proactive: am I being / was I hacked?
  – Reactive: how were we hacked, what was changed, taken, etc.
Maintaining an audit trail is an essential security best practice
MySQL Enterprise Audit
• Out-of-the-box logging of connections, logins, and queries
• Simple to fine-grained policies for filtering, and log rotation
• Dynamically enabled and disabled: no server restart
• XML-based audit stream
  – Send data to a remote server / audit data vault
    • Oracle Audit Vault
    • Splunk, etc.
Adds "regulatory compliance" to MySQL applications (HIPAA, Sarbanes-Oxley, PCI, etc.)
MySQL Enterprise Backup
• Online backup for InnoDB (scriptable interface)
• Full, incremental, partial backups (with compression)
• Strong encryption (AES-256)
• Point-in-time, full, partial recovery options
• Metadata on status, progress, history
• Scales: high performance, unlimited database size
• Windows, Linux, Unix
• Certified with Oracle Secure Backup, NetBackup, Tivoli, others
MySQL Enterprise Oracle Certifications
• Oracle Enterprise Manager for MySQL
• Oracle Linux (with DRBD stack)
• Oracle VM
• Oracle Solaris
• Oracle Solaris Clustering
• Oracle Clusterware
• Oracle Audit Vault and Database Firewall
• Oracle Secure Backup
• Oracle Fusion Middleware
• Oracle GoldenGate
• My Oracle Support
MySQL integrates into your Oracle environment
Oracle Audit Vault and Database Firewall
• Oracle Database Firewall
  – Oracle, MySQL, SQL Server, IBM DB2, Sybase
  – Activity monitoring and logging
  – Whitelist, blacklist, exception list
• Audit Vault
  – Built-in compliance reports
  – External storage for audit archive
Source of Database Performance Problems (figure: pie chart)
Causes shown: SQL, indexes, schema changes, data growth, hardware. Chart label: 90% of performance problems.
Hardware: The Perfect MySQL Server
• The more cores the better (especially for 5.5 and later)
• x86_64: 64-bit for more memory is important; the more the better
• Fast HD (10-15k RPM SATA) or NAS/SAN ...
  – RAID 10 for most; RAID 5 OK if very read-intensive
  – Hardware RAID with battery-backed cache is critical!
  – More disks are always better: 4+ recommended, 8-16 can increase IO
• ... or SSD (for higher throughput)
  – Intel, Fusion-IO good choices; good option for slaves
• At least 2 NICs for redundancy
• Slaves should be as powerful as the master
Schemas
• Size = performance, smaller is better
  – Size right! Do not automatically use 255 for VARCHAR
  – Temp tables and most caches expand to full size
• Use "procedure analyse" to determine the optimal types given the values in your table
  – http://dev.mysql.com/doc/refman/5.1/en/procedure-analyse.html
  – mysql> select * from tab procedure analyse(64,2000)\G
• Consider the types:
  – enum: http://dev.mysql.com/doc/refman/5.1/en/enum.html
  – set: http://dev.mysql.com/doc/refman/5.1/en/set.html
• Compress large strings
  – Use the MySQL COMPRESS and UNCOMPRESS functions
InnoDB Tuning (figure: mind map)
• InnoDB buffer size
• InnoDB log size
• Query cache
• tmpdir / datadir
• MyISAM
MySQL Performance Schema
• Identify performance bottlenecks
• Identify problematic queries
• Get real-time insight into locks
• See exactly what is happening within MySQL
• Get real-time insight into MySQL internals
• Get real-time insight into query executions

mysql> select * from host_summary_by_stages;
+------+--------------------------------+-------+-----------+-----------+
| host | event_name                     | total | wait_sum  | wait_avg  |
+------+--------------------------------+-------+-----------+-----------+
| hal  | stage/sql/Opening tables       |   889 | 1.97 ms   | 2.22 us   |
| hal  | stage/sql/Creating sort index  |     4 | 1.79 ms   | 446.30 us |
| hal  | stage/sql/init                 |    10 | 312.27 us | 31.23 us  |
| hal  | stage/sql/checking permissions |    10 | 300.62 us | 30.06 us  |
| hal  | stage/sql/freeing items        |     5 | 85.89 us  | 17.18 us  |
| hal  | stage/sql/statistics           |     5 | 79.15 us  | 15.83 us  |
| hal  | stage/sql/preparing            |     5 | 69.12 us  | 13.82 us  |
| hal  | stage/sql/optimizing           |     5 | 53.11 us  | 10.62 us  |
| hal  | stage/sql/Sending data         |     5 | 44.66 us  | 8.93 us   |
| hal  | stage/sql/closing tables       |     5 | 37.54 us  | 7.51 us   |
| hal  | stage/sql/System lock          |     5 | 34.28 us  | 6.86 us   |
| hal  | stage/sql/query end            |     5 | 24.37 us  | 4.87 us   |
| hal  | stage/sql/end                  |     5 | 8.60 us   | 1.72 us   |
| hal  | stage/sql/Sorting result       |     5 | 8.33 us   | 1.67 us   |
| hal  | stage/sql/executing            |     5 | 5.37 us   | 1.07 us   |
| hal  | stage/sql/cleaning up          |     5 | 4.60 us   | 919.00 ns |
+------+--------------------------------+-------+-----------+-----------+
Performance Testing: How to Measure Success
Monitoring: make sure you are monitoring the correct metrics
• Availability
  – Use a decent query
• Logs
  – Logs filling up disk space
  – Slow query log filling space
• Disk space
  – Disks getting full is the most common problem
  – Ideally alarm on how soon disk space changes rather than on absolute disk space
• Stalls/spikes
  – Table locks
  – CPU spikes
  – Memory paging
• Connections
  – Are you reaching the max_connections limit?
  – Can the application connect?
• Processes
  – Long-running processes
• Transactions
  – Long-running or long-idle transactions
  – Queued transactions (size of the transaction queue) (show innodb status)
• Replication
  – Is replication running?
  – What is the replication lag?
• Query performance
  – Top queries to optimise (interactive monitor; do not generate alerts on these)
  – Response-time outliers
  – Queries not using an index
  – Queries using full/partial scans / table scans
  – Queries that return errors/warnings
• Operational aspects
  – Server restarts
  – Server config change events
  – Messages in the error log
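The checklist above as queries, added here as an example that is not part of the deck, against the MySQL 5.7 sys schema, information_schema and performance_schema. The thresholds (60 s, 30 s, top 10) are assumptions to tune for the workload.

```sql
-- The monitoring checklist above as queries (MySQL 5.7: sys schema,
-- information_schema, performance_schema). Added example, not from the
-- deck; the thresholds (60 s, 30 s, top 10) are assumptions to tune.

-- Connections: the configured limit against the high-water mark since startup.
SELECT @@max_connections AS max_connections, VARIABLE_VALUE AS max_used
FROM performance_schema.global_status
WHERE VARIABLE_NAME = 'Max_used_connections';

-- Transactions open longer than a minute, running or idle, with the
-- session holding them (kill candidates when locks pile up).
SELECT trx_id, trx_state, trx_started,
       TIMESTAMPDIFF(SECOND, trx_started, NOW()) AS age_s,
       trx_rows_locked, trx_mysql_thread_id
FROM information_schema.innodb_trx
WHERE trx_started < NOW() - INTERVAL 60 SECOND
ORDER BY trx_started;

-- Long-running statements (anything but idle sessions, over 30 s).
SELECT id, user, host, db, time, state, LEFT(info, 80) AS query_prefix
FROM information_schema.processlist
WHERE command <> 'Sleep' AND time > 30
ORDER BY time DESC;

-- Top statements by total latency: the optimisation list, not an alert.
-- The view is already ordered by total latency (descending).
SELECT query, exec_count, total_latency, rows_examined_avg, full_scan
FROM sys.statement_analysis
LIMIT 10;

-- Statements not using an index, or using a poor one.
SELECT query, db, exec_count, no_index_used_count, no_good_index_used_count
FROM sys.statements_with_full_table_scans
ORDER BY no_index_used_count DESC
LIMIT 10;

-- Statements producing errors or warnings. Repeated errors from one
-- account are also a probe indicator worth correlating with the audit log.
SELECT query, db, exec_count, errors, error_pct, warnings
FROM sys.statements_with_errors_or_warnings
ORDER BY errors DESC
LIMIT 10;

-- Replication health, run on the slave: Slave_IO_Running,
-- Slave_SQL_Running and Seconds_Behind_Master are the fields to alarm on.
SHOW SLAVE STATUS\G
```

The sys views present latencies as formatted strings; use the `sys.x$...` counterparts when a monitoring system needs raw picosecond values to threshold on.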
Thank You