Professional Documents
Culture Documents
Carsten Thalheimer
Oracle MySQL GBU
Software
All software is available for 30days evaluation without obligation from here:
MySQL: http://edelivery.oracle.com
Linux/OVM: http://edelivery.oracle.com/linux
Copyright © 2014, Oracle and/or its affiliates. All rights reserved. | Oracle Confidential – Internal/Restricted/Highly Restricted 3
Mega Breaches
77%
552 Million identities Web sites with vulnerabilities.
exposed in 2013. 493% 1-in-8 of all websites had a
increase over previous year critical vulnerability.
Copyright © 2014, Oracle and/or its affiliates. All rights reserved. | Oracle Confidential – Internal/Restricted/Highly Restricted 5
Target Breach, 2013, $270 million
The hackers who committed the Target breach took 40 million credit
and debit card numbers and 70 million records, including names and
addresses of shoppers.
Source: Fortune.com, 2014
Copyright © 2014, Oracle and/or its affiliates. All rights reserved. | Oracle Confidential – Internal/Restricted/Highly Restricted 6
Database Vulnerabilities
• Poor Configurations • Lack of Encryption
– Set controls and change default – Data, Back, & Network Encryption
setting • Proper Credential or Key Management
• Over Privileged Accounts – Use mysql_config_editor , Key Vaults
– Privilege Policies • Unsecured Backups
• Weak Access Control – Encrypted Backups
– Dedicated Administrative Accounts • No Monitoring
• Weak Authentication – Security Monitoring, Users, Objects
– Strong Password Enforcement • Poorly Coded Applications
• Weak Auditing – Database Firewall
– Compliance & Audit Policies
https://www.mysql.com/why-mysql/white-papers/mysql-pci-data-security-compliance/
Authorization
Firewall
Auditing
Copyright © 2014, Oracle and/or its affiliates. All rights reserved. | Oracle Confidential – Internal 12
MySQL Security Overview
MySQL Privilege Management
Linux / LDAP Administration
Windows AD Database & Objects
Custom Authentication Authorization Proxy Users
Security
Firewall &
SSL/TLS Encryption Block Threats
Auditing
Public Key Auditing
Private Key Regulatory Compliance
Digital Signatures Login and Query Activities
Copyright © 2014, Oracle and/or its affiliates. All rights reserved. | Oracle Confidential – Internal 13
MySQL Authorization
• Administrative Privileges
• Database Privileges
• Session Limits and Object Privileges Security Privilege Management in MySQL Workbench
Copyright © 2014, Oracle and/or its affiliates. All rights reserved. | Oracle Confidential – Internal 16
MySQL Authentication
• Built in Authentication
– user table stores users and encrypted passwords
• X.509
– Server authenticates client certificates
• MySQL Native, SHA 256 Password plugin
– Native uses SHA1 or plugin with SHA-256 hashing and per user salting for user account passwords.
• MySQL Enterprise Authentication
– Microsoft Active Directory
– Linux PAMs (Pluggable Authentication Modules)
• Support LDAP and more
Copyright © 2014, Oracle and/or its affiliates. All rights reserved. | Oracle Confidential – Internal 23
MySQL Database Hardening: Installation
• MySQL_Secure_Installation / MySQL Installer for Windows
– Set a strong password for root account
– Remove root accounts that are accessible from outside the local host
– Remove anonymous-user accounts
– Remove the test database
• Which by default can be accessed by all users
• Including Anonymous Users
• Keep MySQL up to date
– Repos – YUM/APT/SUSE
– MySQL Installer for Windows
MySQL Installer for Windows includes various Security Setup and Hardening Steps
Performance
Security
Availability
MySQL Instance
Internet
Firewall
Allows In Whitelist
Web Normal ALLOW
Applications SQL Table
Inbound
Table
SQL traffic Results
Not In Whitelist Table
Blocks BLOCK
SQL
Attacks
– PROTECTING
– OFF
MySQL
“This is a secret” Encryption #@%@&# Decryption “This is a secret”
Could be
From Client App
Within MySQL (function call)
Private Key
Public Key (It can decrypt)
(It only encrypts)
MySQL
MySQL