Click here to load reader
View
14
Download
1
Embed Size (px)
DESCRIPTION
View slides from Chris Conlon's presentation about securing MySQL - including an intro to SSL/TLS, MySQL settings and best practices when using SSL/TLS, and performance statistics for MySQL SSL usage. To learn more about yaSSL products or the CyaSSL embedded SSL library, visit www.wolfssl.com.
http://www.yassl.com(206) 369-4800
Securing MySQL!With a Focus on SSL
yaSSL (yet another SSL)
Founded: 2004 Location: Bozeman, MT
Seattle, WA Portland, OR
Our Focus: Open Source Embedded Security
(for Applications, Devices, and the Cloud) Products: - CyaSSL, yaSSL
- yaSSL Embedded Web Server
Copyright 2012 yaSSLSlide 2 / 69
Why is this Important?
Ivan Ristic: Internet SSL Survey 2010 http://www.ssllabs.com
Alexa Top 1M Sites
120,000 Use SSL (12%)
Copyright 2012 yaSSL
Alexa Top 1M Use SSL 12%
Slide 3 / 69
What are we going to talk about?
Part I: MySQL Security
1. Good Security Practices for MySQL Part II: SSL/TLS
1. Overview of SSL and TLS 2. Configuring and Building MySQL with SSL 3. MySQL SSL Command Options 4. SSL Certificate Creation 5. Performance Comparison
Part III: Additional Security Concerns
1. Data Storage and Encryption Part IV: Wrap-Up
1. Licensing
Copyright 2012 yaSSLSlide 4 / 69
Part I MySQL Security
Copyright 2012 yaSSL
MySQL Updates Account Passwords Test Databases mysqld Privileges
Slide 5 / 69
MySQL: Good Security Practices
Do we really need to secure our MySQL database?
YES!
Copyright 2012 yaSSL
MySQL is Susceptible to Many Attacks: - Basic Attacks (empty password, etc.) - SQL Injection Attacks - Known MySQL Bugs and Vulnerabilities
Slide 6 / 69
MySQL: Good Security Practices
Keeping MySQL Up to Date
An easy way to stay better protected: - New MySQL Patches, Bug Fixes, etc. - You should take advantage of updates
Copyright 2012 yaSSLSlide 7 / 69
MySQL: Good Security Practices
Copyright 2012 yaSSL
3
6
8
5
9
11
14
10
6
7
6
16
'MySQL' Vulnerabili1es By Year cvedetails.com (nvd.nist.gov)
2000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
Slide 8 / 69
MySQL: Good Security Practices
yaSSL Vulnerabilities affecting MySQL in the past:
CVE-2005-3731 Certificate Chain Processing CVE-2008-0227 Denial of Service (crash) CVE-2008-0226 Allowed Execution of Arbitrary Code CVE-2009-4484 Allowed Execution of Arbitrary Code, Denial of Service Possible
Copyright 2012 yaSSLSlide 9 / 69
Passwords: Root Accounts They are empty by default
Quick Check: mysql -u root ("Welcome to the MySQL monitor" = Not Good) shell> mysql -u root mysql> UPDATE mysql.user SET Password = PASSWORD('newpwd') -> WHERE User = 'root'; mysql> FLUSH PRIVILEGES;
MySQL: Good Security Practices
Copyright 2012 yaSSLSlide 10 / 69
MySQL: Good Security Practices
Passwords: Anonymous Accounts
Assign passwords to anonymous accounts: shell> mysql -u root -p Enter password: (enter root password here) mysql> UPDATE mysql.user SET Password = PASSWORD('newpwd') -> WHERE User = ''; mysql> FLUSH PRIVILEGES; Or remove the accounts: shell> mysql -u root -p Enter password: (enter root password here) mysql> DROP USER ''@'localhost'; mysql> DROP USER ''@'host_name';
Copyright 2012 yaSSLSlide 11 / 69
MySQL: Good Security Practices
Passwords: Strength is Key Use strong passwords
Combine letters and numbers mhallwltpic++ = "mary had a little lamb who liked to program in C++ uuidgen, pwgen tools
Copyright 2012 yaSSLSlide 12 / 69
MySQL: Good Security Practices
Securing Test Databases By default, anyone can access test databases
- Convenient for testing - not production Delete databases or restrict privileges
shell> mysql -u root -p Enter password: (enter root password here) mysql> DELETE FROM mysql.db WHERE Db LIKE 'test%'; mysql> FLUSH PRIVILEGES;
Copyright 2012 yaSSLSlide 13 / 69
MySQL: Good Security Practices
Securing mysqld Don't run MySQL as root user
shell> mysqld --user=mysql Disable Remote Access (--skip-networking)
- Only allows access from local machine
Copyright 2012 yaSSLSlide 14 / 69
MySQL: Good Security Practices
mysql_secure_installation script Allows you to: Set a password for root account Remove root accounts that are accessible from outside of the local host Remove anonymous user accounts Remove the test database that can be accessed from all users Reload privilege tables so that above take effect
* Not available on Windows
Copyright 2012 yaSSLSlide 15 / 69
MySQL: Good Security Practices
Notes about Privileges Don't grant all users PROCESS or SUPER privilege
Can see text of currently-executing queries ( SHOW processlist; ) Don't grant all users the FILE privilege
Enables reading/writing to file system wherever mysqld process has access
Copyright 2012 yaSSLSlide 16 / 69
MySQL: Good Security Practices
Additional Measures These depend on your unique situation: Restrict access to log files
- Ensure only root and the mysqld user can access
Restrict MySQL data directory access only to server account
Copyright 2012 yaSSL
logfiles
Slide 17 / 69
MySQL: Good Security Practices
Additional Measures
Add Application-specific Users - Each user only has required privileges (Ex: Ruby/PHP/etc. Application)
Restrict where MySQL listens
- You might only need to listen on localhost --bind-address=127.0.0.1
Copyright 2012 yaSSLSlide 18 / 69
MySQL: Good Security Practices
Additional Measures Can disable LOAD DATA LOCAL INFILE command
- Can allow reading of local files
Remove Content of MySQL History File
- All executed SQL commands are stored
cat /dev/null > ~/.mysql_history
Copyright 2012 yaSSLSlide 19 / 69
Part II SSL / TLS
Copyright 2012 yaSSL
Overview X.509 CerRcates Handshake MySQL and SSL
Slide 20 / 69
SSL: What is it?
By default, MySQL uses unencrypted connections between the client and server!
Copyright 2012 yaSSLSlide 21 / 69
SSL: What is it?
Enables secure client/server communication, including:
Can be implemented on almost any operating system (or bare metal!)
Copyright 2012 yaSSL
Privacy + Prevent eavesdropping Authen1ca1on + Prevent impersonaRon Integrity + Prevent modicaRon
Slide 22 / 69
SSL: Where does it fit?
- Layered between Transport and Application layers:
Copyright 2012 yaSSL
Network Access
IP
TCP
SSL Record Layer
SSL Handshake
Protocol
SSL Change Cipher Spec
ProtocolSSL Alert Protocol HTTP
LDAP, etc. HTTP SMTP, etc.
Protocols Secured by SSL/TLS
Network Layer
Internet Layer
Transport Layer
Application Layer
Slide 23 / 69
SSL: Authentication
- Do you really know who youre communicating with?
Copyright 2012 yaSSL
??
Alice Bob
Slide 24 / 69
SSL: Authentication
- Generate a key pair (private and public keys)
Copyright 2012 yaSSL
Alice Bob
Private Private Public Public
Slide 25 / 69
SSL: Authentication
- X.509 Certificate == Wrapper around public key
Copyright 2012 yaSSL
X509Cert
Alice Bob
Private Private Public Public X509Cert
Slide 26 / 69
SSL: X.509 Certificates
Copyright 2012 yaSSL
X509Cert
-----BEGIN CERTIFICATE-----!MIIEmDCCA4CgAwIBAgIJAIdKdb6RZtg9MA0GCSqGSIb3DQEBBQUAMIGOMQswCQYD!VQQGEwJVUzEPMA0GA1UECBMGT3JlZ29uMREwDwYDVQQHEwhQb3J0bGFuZDEOMAwG!A1UEChMFeWFTU0wxFDASBgNVBAsTC1Byb2dyYW1taW5nMRYwFAYDVQQDEw13d3cu!eWFzc2wuY29tMR0wGwYJKoZIhvcNAQkBFg5pbmZvQHlhc3NsLmNvbTAeFw0xMTEw!MjQxODIxNTVaFw0xNDA3MjAxODIxNTVaMIGOMQswCQYDVQQGEwJVUzEPMA0GA1UE!CBMGT3JlZ29uMREwDwYDVQQHEwhQb3J0bGFuZDEOMAwGA1UEChMFeWFTU0wxFDAS!BgNVBAsTC1Byb2dyYW1taW5nMRYwFAYDVQQDEw13d3cueWFzc2wuY29tMR0wGwYJ!KoZIhvcNAQkBFg5pbmZvQHlhc3NsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEP!ADCCAQoCggEBAMMD0Sv+OaQyRTtTyIQrKnx0mr2qKlIHR9amNrIHMo7Quml7xsNE!ntSBSP0taKKLZ7uhdcg2LErSG/eLus8N+e/s8YEee5sDR5q/Zcx/ZSRppugUiVvk!NPfFsBST9Wd7Onp44QFWVpGmE0KN0jxAnEzv0YbfN1EbDKE79fGjSjXk4c6W3xt+!v06X0BDoqAgwga8gC0MUxXRntDKCb42GwohAmTaDuh5AciIX11JlJHOwzu8Zza7/!eGx7wBID1E5yDVBtO6M7o5lencjZDIWz2YrZVCbbbfqsu/8lTMTRefRx04ZAGBOw!Y7VyTjDEl4SGLVYv1xX3f8Cu9fxb5fuhutMCAwEAAaOB9jCB8zAdBgNVHQ4EFgQU!M9hFZtdohxh+VA1wJ5HHJteFZcAwgcMGA1UdIwSBuzCBuIAUM9hFZtdohxh+VA1w!J5HHJteFZcChgZSkgZEwgY4xCzAJB