Click here to load reader

Securing MySQL with a Focus on SSL

  • View
    14

  • Download
    1

Embed Size (px)

DESCRIPTION

View slides from Chris Conlon's presentation about securing MySQL - including an intro to SSL/TLS, MySQL settings and best practices when using SSL/TLS, and performance statistics for MySQL SSL usage. To learn more about yaSSL products or the CyaSSL embedded SSL library, visit www.wolfssl.com.

Text of Securing MySQL with a Focus on SSL

  • http://www.yassl.com(206) 369-4800

    Securing MySQL!With a Focus on SSL

  • yaSSL (yet another SSL)

    Founded: 2004 Location: Bozeman, MT

    Seattle, WA Portland, OR

    Our Focus: Open Source Embedded Security

    (for Applications, Devices, and the Cloud) Products: - CyaSSL, yaSSL

    - yaSSL Embedded Web Server

    Copyright 2012 yaSSLSlide 2 / 69

  • Why is this Important?

    Ivan Ristic: Internet SSL Survey 2010 http://www.ssllabs.com

    Alexa Top 1M Sites

    120,000 Use SSL (12%)

    Copyright 2012 yaSSL

    Alexa Top 1M Use SSL 12%

    Slide 3 / 69

  • What are we going to talk about?

    Part I: MySQL Security

    1. Good Security Practices for MySQL Part II: SSL/TLS

    1. Overview of SSL and TLS 2. Configuring and Building MySQL with SSL 3. MySQL SSL Command Options 4. SSL Certificate Creation 5. Performance Comparison

    Part III: Additional Security Concerns

    1. Data Storage and Encryption Part IV: Wrap-Up

    1. Licensing

    Copyright 2012 yaSSLSlide 4 / 69

  • Part I MySQL Security

    Copyright 2012 yaSSL

    MySQL Updates Account Passwords Test Databases mysqld Privileges

    Slide 5 / 69

  • MySQL: Good Security Practices

    Do we really need to secure our MySQL database?

    YES!

    Copyright 2012 yaSSL

    MySQL is Susceptible to Many Attacks: - Basic Attacks (empty password, etc.) - SQL Injection Attacks - Known MySQL Bugs and Vulnerabilities

    Slide 6 / 69

  • MySQL: Good Security Practices

    Keeping MySQL Up to Date

    An easy way to stay better protected: - New MySQL Patches, Bug Fixes, etc. - You should take advantage of updates

    Copyright 2012 yaSSLSlide 7 / 69

  • MySQL: Good Security Practices

    Copyright 2012 yaSSL

    3

    6

    8

    5

    9

    11

    14

    10

    6

    7

    6

    16

    'MySQL' Vulnerabili1es By Year cvedetails.com (nvd.nist.gov)

    2000

    2001

    2002

    2003

    2004

    2005

    2006

    2007

    2008

    2009

    2010

    2011

    Slide 8 / 69

  • MySQL: Good Security Practices

    yaSSL Vulnerabilities affecting MySQL in the past:

    CVE-2005-3731 Certificate Chain Processing CVE-2008-0227 Denial of Service (crash) CVE-2008-0226 Allowed Execution of Arbitrary Code CVE-2009-4484 Allowed Execution of Arbitrary Code, Denial of Service Possible

    Copyright 2012 yaSSLSlide 9 / 69

  • Passwords: Root Accounts They are empty by default

    Quick Check: mysql -u root ("Welcome to the MySQL monitor" = Not Good) shell> mysql -u root mysql> UPDATE mysql.user SET Password = PASSWORD('newpwd') -> WHERE User = 'root'; mysql> FLUSH PRIVILEGES;

    MySQL: Good Security Practices

    Copyright 2012 yaSSLSlide 10 / 69

  • MySQL: Good Security Practices

    Passwords: Anonymous Accounts

    Assign passwords to anonymous accounts: shell> mysql -u root -p Enter password: (enter root password here) mysql> UPDATE mysql.user SET Password = PASSWORD('newpwd') -> WHERE User = ''; mysql> FLUSH PRIVILEGES; Or remove the accounts: shell> mysql -u root -p Enter password: (enter root password here) mysql> DROP USER ''@'localhost'; mysql> DROP USER ''@'host_name';

    Copyright 2012 yaSSLSlide 11 / 69

  • MySQL: Good Security Practices

    Passwords: Strength is Key Use strong passwords

    Combine letters and numbers mhallwltpic++ = "mary had a little lamb who liked to program in C++ uuidgen, pwgen tools

    Copyright 2012 yaSSLSlide 12 / 69

  • MySQL: Good Security Practices

    Securing Test Databases By default, anyone can access test databases

    - Convenient for testing - not production Delete databases or restrict privileges

    shell> mysql -u root -p Enter password: (enter root password here) mysql> DELETE FROM mysql.db WHERE Db LIKE 'test%'; mysql> FLUSH PRIVILEGES;

    Copyright 2012 yaSSLSlide 13 / 69

  • MySQL: Good Security Practices

    Securing mysqld Don't run MySQL as root user

    shell> mysqld --user=mysql Disable Remote Access (--skip-networking)

    - Only allows access from local machine

    Copyright 2012 yaSSLSlide 14 / 69

  • MySQL: Good Security Practices

    mysql_secure_installation script Allows you to: Set a password for root account Remove root accounts that are accessible from outside of the local host Remove anonymous user accounts Remove the test database that can be accessed from all users Reload privilege tables so that above take effect

    * Not available on Windows

    Copyright 2012 yaSSLSlide 15 / 69

  • MySQL: Good Security Practices

    Notes about Privileges Don't grant all users PROCESS or SUPER privilege

    Can see text of currently-executing queries ( SHOW processlist; ) Don't grant all users the FILE privilege

    Enables reading/writing to file system wherever mysqld process has access

    Copyright 2012 yaSSLSlide 16 / 69

  • MySQL: Good Security Practices

    Additional Measures These depend on your unique situation: Restrict access to log files

    - Ensure only root and the mysqld user can access

    Restrict MySQL data directory access only to server account

    Copyright 2012 yaSSL

    logfiles

    Slide 17 / 69

  • MySQL: Good Security Practices

    Additional Measures

    Add Application-specific Users - Each user only has required privileges (Ex: Ruby/PHP/etc. Application)

    Restrict where MySQL listens

    - You might only need to listen on localhost --bind-address=127.0.0.1

    Copyright 2012 yaSSLSlide 18 / 69

  • MySQL: Good Security Practices

    Additional Measures Can disable LOAD DATA LOCAL INFILE command

    - Can allow reading of local files

    Remove Content of MySQL History File

    - All executed SQL commands are stored

    cat /dev/null > ~/.mysql_history

    Copyright 2012 yaSSLSlide 19 / 69

  • Part II SSL / TLS

    Copyright 2012 yaSSL

    Overview X.509 CerRcates Handshake MySQL and SSL

    Slide 20 / 69

  • SSL: What is it?

    By default, MySQL uses unencrypted connections between the client and server!

    Copyright 2012 yaSSLSlide 21 / 69

  • SSL: What is it?

    Enables secure client/server communication, including:

    Can be implemented on almost any operating system (or bare metal!)

    Copyright 2012 yaSSL

    Privacy + Prevent eavesdropping Authen1ca1on + Prevent impersonaRon Integrity + Prevent modicaRon

    Slide 22 / 69

  • SSL: Where does it fit?

    - Layered between Transport and Application layers:

    Copyright 2012 yaSSL

    Network Access

    IP

    TCP

    SSL Record Layer

    SSL Handshake

    Protocol

    SSL Change Cipher Spec

    ProtocolSSL Alert Protocol HTTP

    LDAP, etc. HTTP SMTP, etc.

    Protocols Secured by SSL/TLS

    Network Layer

    Internet Layer

    Transport Layer

    Application Layer

    Slide 23 / 69

  • SSL: Authentication

    - Do you really know who youre communicating with?

    Copyright 2012 yaSSL

    ??

    Alice Bob

    Slide 24 / 69

  • SSL: Authentication

    - Generate a key pair (private and public keys)

    Copyright 2012 yaSSL

    Alice Bob

    Private Private Public Public

    Slide 25 / 69

  • SSL: Authentication

    - X.509 Certificate == Wrapper around public key

    Copyright 2012 yaSSL

    X509Cert

    Alice Bob

    Private Private Public Public X509Cert

    Slide 26 / 69

  • SSL: X.509 Certificates

    Copyright 2012 yaSSL

    X509Cert

    -----BEGIN CERTIFICATE-----!MIIEmDCCA4CgAwIBAgIJAIdKdb6RZtg9MA0GCSqGSIb3DQEBBQUAMIGOMQswCQYD!VQQGEwJVUzEPMA0GA1UECBMGT3JlZ29uMREwDwYDVQQHEwhQb3J0bGFuZDEOMAwG!A1UEChMFeWFTU0wxFDASBgNVBAsTC1Byb2dyYW1taW5nMRYwFAYDVQQDEw13d3cu!eWFzc2wuY29tMR0wGwYJKoZIhvcNAQkBFg5pbmZvQHlhc3NsLmNvbTAeFw0xMTEw!MjQxODIxNTVaFw0xNDA3MjAxODIxNTVaMIGOMQswCQYDVQQGEwJVUzEPMA0GA1UE!CBMGT3JlZ29uMREwDwYDVQQHEwhQb3J0bGFuZDEOMAwGA1UEChMFeWFTU0wxFDAS!BgNVBAsTC1Byb2dyYW1taW5nMRYwFAYDVQQDEw13d3cueWFzc2wuY29tMR0wGwYJ!KoZIhvcNAQkBFg5pbmZvQHlhc3NsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEP!ADCCAQoCggEBAMMD0Sv+OaQyRTtTyIQrKnx0mr2qKlIHR9amNrIHMo7Quml7xsNE!ntSBSP0taKKLZ7uhdcg2LErSG/eLus8N+e/s8YEee5sDR5q/Zcx/ZSRppugUiVvk!NPfFsBST9Wd7Onp44QFWVpGmE0KN0jxAnEzv0YbfN1EbDKE79fGjSjXk4c6W3xt+!v06X0BDoqAgwga8gC0MUxXRntDKCb42GwohAmTaDuh5AciIX11JlJHOwzu8Zza7/!eGx7wBID1E5yDVBtO6M7o5lencjZDIWz2YrZVCbbbfqsu/8lTMTRefRx04ZAGBOw!Y7VyTjDEl4SGLVYv1xX3f8Cu9fxb5fuhutMCAwEAAaOB9jCB8zAdBgNVHQ4EFgQU!M9hFZtdohxh+VA1wJ5HHJteFZcAwgcMGA1UdIwSBuzCBuIAUM9hFZtdohxh+VA1w!J5HHJteFZcChgZSkgZEwgY4xCzAJB

Search related