Upload
wolfssl
View
30
Download
1
Embed Size (px)
DESCRIPTION
View slides from Chris Conlon's presentation about securing MySQL - including an intro to SSL/TLS, MySQL settings and best practices when using SSL/TLS, and performance statistics for MySQL SSL usage. To learn more about yaSSL products or the CyaSSL embedded SSL library, visit www.wolfssl.com.
Citation preview
http://www.yassl.com (206) 369-4800
Securing MySQL!With a Focus on SSL
yaSSL (yet another SSL)
Founded: 2004 Location: Bozeman, MT
Seattle, WA Portland, OR
Our Focus: Open Source Embedded Security
(for Applications, Devices, and the Cloud) Products: - CyaSSL, yaSSL
- yaSSL Embedded Web Server
© Copyright 2012 yaSSL Slide 2 / 69
Why is this Important?
Ivan Ristic: Internet SSL Survey 2010 http://www.ssllabs.com
• Alexa Top 1M Sites
120,000 Use SSL (12%)
© Copyright 2012 yaSSL
Alexa Top 1M Use SSL – 12%
Slide 3 / 69
What are we going to talk about?
Part I: MySQL Security
1. Good Security Practices for MySQL Part II: SSL/TLS
1. Overview of SSL and TLS 2. Configuring and Building MySQL with SSL 3. MySQL SSL Command Options 4. SSL Certificate Creation 5. Performance Comparison
Part III: Additional Security Concerns
1. Data Storage and Encryption Part IV: Wrap-Up
1. Licensing
© Copyright 2012 yaSSL Slide 4 / 69
Part I MySQL Security
© Copyright 2012 yaSSL
MySQL Updates Account Passwords Test Databases mysqld Privileges
Slide 5 / 69
MySQL: Good Security Practices
Do we really need to secure our MySQL database?
YES!
© Copyright 2012 yaSSL
MySQL is Susceptible to Many Attacks: - Basic Attacks (empty password, etc.) - SQL Injection Attacks - Known MySQL Bugs and Vulnerabilities
Slide 6 / 69
MySQL: Good Security Practices
Keeping MySQL Up to Date
An easy way to stay better protected: - New MySQL Patches, Bug Fixes, etc. - You should take advantage of updates
© Copyright 2012 yaSSL Slide 7 / 69
MySQL: Good Security Practices
© Copyright 2012 yaSSL
3
6
8
5
9
11
14
10
6
7
6
16
'MySQL' Vulnerabili1es By Year cvedetails.com (nvd.nist.gov)
2000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
Slide 8 / 69
MySQL: Good Security Practices
• yaSSL Vulnerabilities affecting MySQL in the past:
CVE-2005-3731 Certificate Chain Processing CVE-2008-0227 Denial of Service (crash) CVE-2008-0226 Allowed Execution of Arbitrary Code CVE-2009-4484 Allowed Execution of Arbitrary Code, Denial of Service Possible
© Copyright 2012 yaSSL Slide 9 / 69
Passwords: Root Accounts • They are empty by default
Quick Check: mysql -u root ("Welcome to the MySQL monitor" = Not Good) shell> mysql -u root mysql> UPDATE mysql.user SET Password = PASSWORD('newpwd') -> WHERE User = 'root'; mysql> FLUSH PRIVILEGES;
MySQL: Good Security Practices
© Copyright 2012 yaSSL Slide 10 / 69
MySQL: Good Security Practices
Passwords: Anonymous Accounts
Assign passwords to anonymous accounts: shell> mysql -u root -p Enter password: (enter root password here) mysql> UPDATE mysql.user SET Password = PASSWORD('newpwd') -> WHERE User = ''; mysql> FLUSH PRIVILEGES; Or remove the accounts: shell> mysql -u root -p Enter password: (enter root password here) mysql> DROP USER ''@'localhost'; mysql> DROP USER ''@'host_name';
© Copyright 2012 yaSSL Slide 11 / 69
MySQL: Good Security Practices
Passwords: Strength is Key Use strong passwords
• Combine letters and numbers • mhallwltpic++ = "mary had a little lamb who liked to program in C++” • uuidgen, pwgen tools
© Copyright 2012 yaSSL Slide 12 / 69
MySQL: Good Security Practices
Securing Test Databases • By default, anyone can access test databases
- Convenient for testing - not production • Delete databases or restrict privileges
shell> mysql -u root -p Enter password: (enter root password here) mysql> DELETE FROM mysql.db WHERE Db LIKE 'test%'; mysql> FLUSH PRIVILEGES;
© Copyright 2012 yaSSL Slide 13 / 69
MySQL: Good Security Practices
Securing mysqld • Don't run MySQL as root user
shell> mysqld --user=mysql • Disable Remote Access (--skip-networking)
- Only allows access from local machine
© Copyright 2012 yaSSL Slide 14 / 69
MySQL: Good Security Practices
mysql_secure_installation script Allows you to: • Set a password for root account • Remove root accounts that are accessible from outside of the local host • Remove anonymous user accounts • Remove the test database that can be accessed from all users • Reload privilege tables so that above take effect
* Not available on Windows
© Copyright 2012 yaSSL Slide 15 / 69
MySQL: Good Security Practices
Notes about Privileges • Don't grant all users PROCESS or SUPER privilege
– Can see text of currently-executing queries ( SHOW processlist; ) • Don't grant all users the FILE privilege
– Enables reading/writing to file system wherever mysqld process has access
© Copyright 2012 yaSSL Slide 16 / 69
MySQL: Good Security Practices
Additional Measures These depend on your unique situation: • Restrict access to log files
- Ensure only ‘root’ and the mysqld user can access
• Restrict MySQL data directory access only to server account
© Copyright 2012 yaSSL
logfiles
Slide 17 / 69
MySQL: Good Security Practices
Additional Measures
• Add Application-specific Users - Each user only has required privileges (Ex: Ruby/PHP/etc. Application)
• Restrict where MySQL listens
- You might only need to listen on localhost --bind-address=127.0.0.1
© Copyright 2012 yaSSL Slide 18 / 69
MySQL: Good Security Practices
Additional Measures • Can disable LOAD DATA LOCAL INFILE command
- Can allow reading of local files
• Remove Content of MySQL History File
- All executed SQL commands are stored
cat /dev/null > ~/.mysql_history
© Copyright 2012 yaSSL Slide 19 / 69
Part II SSL / TLS
© Copyright 2012 yaSSL
Overview X.509 CerRficates Handshake MySQL and SSL
Slide 20 / 69
SSL: What is it?
By default, MySQL uses unencrypted connections between the client and server!
© Copyright 2012 yaSSL Slide 21 / 69
SSL: What is it?
• Enables secure client/server communication, including:
• Can be implemented on almost any operating system (or bare metal!)
© Copyright 2012 yaSSL
Privacy + Prevent eavesdropping Authen1ca1on + Prevent impersonaRon Integrity + Prevent modificaRon
Slide 22 / 69
SSL: Where does it fit?
- Layered between Transport and Application layers:
© Copyright 2012 yaSSL
Network Access
IP
TCP
SSL Record Layer
SSL Handshake
Protocol
SSL Change Cipher Spec
ProtocolSSL Alert Protocol HTTP LDAP,
etc.HTTP SMTP,
etc.
Protocols Secured by SSL/TLS
Network Layer
Internet Layer
Transport Layer
Application Layer
Slide 23 / 69
SSL: Authentication
- Do you really know who you’re communicating with?
© Copyright 2012 yaSSL
??
Alice Bob
Slide 24 / 69
SSL: Authentication
- Generate a key pair (private and public keys)
© Copyright 2012 yaSSL
Alice Bob
Private Private Public Public
Slide 25 / 69
SSL: Authentication
- X.509 Certificate == Wrapper around public key
© Copyright 2012 yaSSL
X509Cert
Alice Bob
Private Private Public Public X509Cert
Slide 26 / 69
SSL: X.509 Certificates
© Copyright 2012 yaSSL
X509Cert
-----BEGIN CERTIFICATE-----!MIIEmDCCA4CgAwIBAgIJAIdKdb6RZtg9MA0GCSqGSIb3DQEBBQUAMIGOMQswCQYD!VQQGEwJVUzEPMA0GA1UECBMGT3JlZ29uMREwDwYDVQQHEwhQb3J0bGFuZDEOMAwG!A1UEChMFeWFTU0wxFDASBgNVBAsTC1Byb2dyYW1taW5nMRYwFAYDVQQDEw13d3cu!
eWFzc2wuY29tMR0wGwYJKoZIhvcNAQkBFg5pbmZvQHlhc3NsLmNvbTAeFw0xMTEw!MjQxODIxNTVaFw0xNDA3MjAxODIxNTVaMIGOMQswCQYDVQQGEwJVUzEPMA0GA1UE!
CBMGT3JlZ29uMREwDwYDVQQHEwhQb3J0bGFuZDEOMAwGA1UEChMFeWFTU0wxFDAS!BgNVBAsTC1Byb2dyYW1taW5nMRYwFAYDVQQDEw13d3cueWFzc2wuY29tMR0wGwYJ!KoZIhvcNAQkBFg5pbmZvQHlhc3NsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEP!
ADCCAQoCggEBAMMD0Sv+OaQyRTtTyIQrKnx0mr2qKlIHR9amNrIHMo7Quml7xsNE!ntSBSP0taKKLZ7uhdcg2LErSG/eLus8N+e/s8YEee5sDR5q/Zcx/ZSRppugUiVvk!
NPfFsBST9Wd7Onp44QFWVpGmE0KN0jxAnEzv0YbfN1EbDKE79fGjSjXk4c6W3xt+!v06X0BDoqAgwga8gC0MUxXRntDKCb42GwohAmTaDuh5AciIX11JlJHOwzu8Zza7/!eGx7wBID1E5yDVBtO6M7o5lencjZDIWz2YrZVCbbbfqsu/8lTMTRefRx04ZAGBOw!
Y7VyTjDEl4SGLVYv1xX3f8Cu9fxb5fuhutMCAwEAAaOB9jCB8zAdBgNVHQ4EFgQU!M9hFZtdohxh+VA1wJ5HHJteFZcAwgcMGA1UdIwSBuzCBuIAUM9hFZtdohxh+VA1w!J5HHJteFZcChgZSkgZEwgY4xCzAJBgNVBAYTAlVTMQ8wDQYDVQQIEwZPcmVnb24x!
ETAPBgNVBAcTCFBvcnRsYW5kMQ4wDAYDVQQKEwV5YVNTTDEUMBIGA1UECxMLUHJv!Z3JhbW1pbmcxFjAUBgNVBAMTDXd3dy55YXNzbC5jb20xHTAbBgkqhkiG9w0BCQEW!
DmluZm9AeWFzc2wuY29tggkAh0p1vpFm2D0wDAYDVR0TBAUwAwEB/zANBgkqhkiG!9w0BAQUFAAOCAQEAHHxCgSmeIc/Q2MFUb8yuFAk4/2iYmpVTdhh75jB27CgNdafe!4M2O1VUjakcrTo38fQaj2A+tXtYEyQAz+3cn07UDs3shdDELSq8tGrOTjszzXz2Q!
P8zjVRmRe3gkLkoJuxhOYS2cxgqgNJGIcGs7SEe8eZSioE0yR1TCo9wu0lFMKTkR!/+IVXliXNvbpBgaGDo2dlQNysosZfOkUbqGIc2hYbXFewtXTE9Jf3uoDvuIAQOXO!
/eaSMVfD67tmrMsvGvrgYqJH9JNDKktsXgov+efmSmOGsKwqoeu0W2fNMuS2EUua!cmYNokp2j/4ivIP927fVqe4FybFxfhsr4eOvwA==!-----END CERTIFICATE-----!
Slide 27 / 69
SSL: X.509 Certificates
© Copyright 2012 yaSSL
X509Cert
Certificate:! Data:! Version: 3 (0x2)! Serial Number:! 87:4a:75:be:91:66:d8:3d! Signature Algorithm: sha1WithRSAEncryption! Issuer: C=US, ST=Oregon, L=Portland, O=yaSSL, OU=Programming, CN=www.yassl.com/[email protected]! Validity! Not Before: Oct 24 18:21:55 2011 GMT! Not After : Jul 20 18:21:55 2014 GMT! Subject: C=US, ST=Oregon, L=Portland, O=yaSSL, OU=Programming, CN=www.yassl.com/[email protected]! Subject Public Key Info:! Public Key Algorithm: rsaEncryption! Public-Key: (2048 bit)! Modulus: 00:c3:03:d1:2b:fe:39:a4 …!
! ! Exponent: 65537 (0x10001)! X509v3 extensions:! X509v3 Subject Key Identifier: ! 33:D8:45:66:D7:68:87:18:7E:54:0D:70:27:91:C7:26:D7:85:65:C0! X509v3 Authority Key Identifier: ! keyid:33:D8:45:66:D7:68:87:18:7E:54:0D:70:27:91:C7:26:D7:85:65:C0! DirName:/C=US/ST=Oregon/L=Portland/O=yaSSL/OU=Programming/CN=www.yassl.com/[email protected]! serial:87:4A:75:BE:91:66:D8:3D!! X509v3 Basic Constraints: ! CA:TRUE! Signature Algorithm: sha1WithRSAEncryption! … 1c:7c:42:81:29:9e:21:cf:d0:d8!
Slide 28 / 69
SSL: Authentication
- Alice and Bob exchange CA-signed public keys
© Copyright 2012 yaSSL
X509CertCA
X509CertCA
Alice Bob
Private Private Public Public
Slide 29 / 69
SSL: Authentication
- How do you get a CA-signed cert?
© Copyright 2012 yaSSL
Buy VeriSign, DigiCert, Comodo, etc. - Costs $$$ - Trusted
Create Created yourself (self-sign) - Free! - Trusted (if you control both sides)
Slide 30 / 69
SSL: Encryption
- Uses a variety of encryption algorithms to secure data
© Copyright 2012 yaSSL
Hashing Func1ons Block and Stream Ciphers Public Key Op1ons
MD4, MD5, SHA … DES, 3DES, AES, ARC4 …
RSA, DSA, DSS …
CIPHER SUITE
Slide 31 / 69
SSL: Encryption
- A common CIPHER SUITE is negotiated
© Copyright 2012 yaSSL
Protocol_keyexchange_WITH_bulkencrypRon_mode_messageauth
SSL_RSA_WITH_DES_CBC_SHA SSL_DHE_RSA_WITH_DES_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Slide 32 / 69
SSL: Handshake
© Copyright 2012 yaSSL
Client Hello
Cryptographic Info(SSL version, supported ciphers, etc.)
Client Server
Server HelloCipher SuiteServer CertificateServer Key Exchange (public key)( Client Certificate Request )Server Hello Done
Client Key Exchange
( Certificate Verify )( Client Certificate )
Change Cipher Spec
Client Finished
Change Cipher Spec
Server Finished
Exchange Messages (Encrypted)
1
23
45
6
7
8
Verify server cert,check cryptoparameters
Verify client cert(if required)
Slide 33 / 69
SSL: Where is it used?
SSL is Everywhere!
- Browsers - Email - Routers - Factory Automation - VoIP - Automobile Communications - Sensors - Smart Power Meters
And much more!!
© Copyright 2012 yaSSL Slide 34 / 69
SSL: What does MySQL provide?
- Your system must support either OpenSSL or yaSSL - MySQL must be built with SSL support Note: MySQL is bundled with yaSSL
© Copyright 2012 yaSSL Slide 35 / 69
MySQL: Is SSL Enabled?
Checking for SSL • Confirm that user in 'mysql' database includes SSL-related columns: - Beginning with: ssl_, x509_ • Check if binary is compiled with SSL support: shell> mysqld --ssl --help 060525 14:18:52 [ERROR] mysqld: unknown option '--ssl' • mysqld: Check for 'have_ssl' system variable
© Copyright 2012 yaSSL Slide 36 / 69
MySQL: Building with SSL
Configure MySQL to use the built-in SSL (yaSSL): shell> cmake . -DWITH_SSL=bundled -DWITH_SSL options: no: No SSL support (default) yes: Use system SSL library if present, else bundled library bundled: SSL library bundled with MySQL (yaSSL) system: Use the system SSL library ** yaSSL on Unix requires /dev/urandom and /dev/random to be available
© Copyright 2012 yaSSL Slide 37 / 69
MySQL: Starting the Server
To allow client connections through SSL, start MySQL with the appropriate options: shell> mysqld_safe --user=mysql \ --ssl-ca=ca-cert.pem \ --ssl-cert=server-cert.pem \ --ssl-key=server-key.pem --ssl-ca: Identifies the certificate authority certificate --ssl-cert: identifies the server certificate (public key) --ssl-key: identifies the server private key
© Copyright 2012 yaSSL Slide 38 / 69
MySQL: Starting the Client
I. Account created with GRANT statement including REQUIRE_SSL: shell> mysql -u user -p --ssl-ca=ca-cert.pem II. Account created with REQUIRE_X509 in addition: shell> mysql -u user -p --ssl-ca=ca-cert.pem \ --ssl-cert=client-cert.pem \ --ssl-key=client-key.pem
© Copyright 2012 yaSSL Slide 39 / 69
MySQL: SSL Options
© Copyright 2012 yaSSL
Name Cmd-‐Line Op1on File System Var Var Scope Dynamic
have_openssl Yes Global No have_ssl Yes Global No skip-‐ssl Yes Yes ssl Yes Yes ssl-‐ca Yes Yes Global No ssl-‐capath Yes Yes Global No ssl-‐cert Yes Yes Global No ssl-‐cipher Yes Yes Global No ssl-‐key Yes Yes Global No
ssl-‐verify-‐server-‐cert Yes Yes
hap://dev.mysql.com/doc/refman/5.5/en/ssl-‐opRons.html
Slide 40 / 69
MySQL: SSL Options
have_openssl have_ssl
YES = mysqld supports SSL connections DISABLED = server was compiled with SSL support, not enabled (--ssl-xxx)
Check: SHOW VARIABLES LIKE 'have%ssl';
© Copyright 2012 yaSSL Slide 41 / 69
MySQL: SSL Options
skip-ssl
Indicate that SSL should not be used Same as using --ssl=0
ssl
Server: Specifies that the server permits SSL connections Client: Permits a client to connect to server using SSL
© Copyright 2012 yaSSL Slide 42 / 69
MySQL: SSL Options
ssl-ca
The path to the file containing list of trusted CAs ssl-capath
The path to a directory containing trusted CAs (PEM format)
*NOTE: Only supported when using OpenSSL
© Copyright 2012 yaSSL Slide 43 / 69
MySQL: SSL Options
ssl-cert
Name of the SSL certificate to be used
ssl-cipher
A list of permissible ciphers to use for SSL
--ssl-cipher=AES128-SHA --ssl-cipher=DHE-RSA_AES256-SHA:AES128-SHA
© Copyright 2012 yaSSL Slide 44 / 69
MySQL: SSL Options
ssl-key
Name of the SSL key file
ssl-verify-server-cert
- Clients only - Server's Common Name verified against server host name - Connection rejected if no match
© Copyright 2012 yaSSL Slide 45 / 69
SSL: Certificate Creation
A. Generating Certificates 1. Create CA certificate (private key, public cert) 2. Create server key 3. Create server certificate 4. Create client key 5. Create client certificate
© Copyright 2012 yaSSL Slide 46 / 69
SSL: Certificate Creation
A. Generating Certificates Create CA certificate (private key, public cert) shell> openssl genrsa 2048 > ca-key.pem shell> openssl req -new -x509 -nodes -days 1000 \ -key ca-key.pem > ca-cert.pem
© Copyright 2012 yaSSL Slide 47 / 69
SSL: Certificate Creation
A. Generating Certificates Create server key and certificate shell> openssl req -newkey rsa:2048 -days 1000 \ -nodes -keyout server-key.pem > server-req.pem shell> openssl x509 -req -in server-req.pem -days 1000 \ -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem
© Copyright 2012 yaSSL Slide 48 / 69
SSL: Certificate Creation
A. Generating Certificates Create client key and certificate shell> openssl req -newkey rsa:2048 -days 1000 \ -nodes -keyout client-key.pem > client-req.pem shell> openssl x509 -req -in client-req.pem -days 1000 \ -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > client-cert.pem
© Copyright 2012 yaSSL Slide 49 / 69
SSL: Certificate Creation
A. Generating Certificates Remove passphrase from client/server key: shell> openssl rsa -in client-key.pem -out client-key.pem shell> openssl rsa -in server-key.pem -out server-key.pem
© Copyright 2012 yaSSL Slide 50 / 69
MySQL: SSL Performance
Test Machine MacBook Pro 2.33 GHz 2 GB 667 MHz DDR2 SDRAM Mac OS X 10.6.6 (Snow Leopard)
© Copyright 2012 yaSSL Slide 51 / 69
MySQL: SSL Performance
Footprint Size
© Copyright 2012 yaSSL Slide 52 / 69
MySQL: SSL Performance
Command: du -sh . Result: 5.3% Difference (12 Mb)
© Copyright 2012 yaSSL
239 227
0
50
100
150
200
250
300
Size (M
b)
MySQL Footprint Size SSL vs. No SSL
SSL No SSL
Slide 53 / 69
MySQL: SSL Performance
Command: du -sh *
© Copyright 2012 yaSSL
86
13
79
9.2
0
10
20
30
40
50
60
70
80
90
100
bin lib
Size (M
b)
MySQL Footprint Comparison (Detail) SSL vs. No SSL
SSL No SSL
Slide 54 / 69
MySQL: SSL Performance
Average Query Times
(SELECT Queries, sysbench)
© Copyright 2012 yaSSL Slide 55 / 69
MySQL: SSL Performance
© Copyright 2012 yaSSL
0
0.5
1
1.5
2
2.5
3
3.5
0 5 10 15 20 25 30 35
Average Que
ry Tim
e (m
s)
Concurrency (# of Client Connec1ons)
MySQL Average SELECT Query Times No SSL vs. SSL
100,000 Requests sysbench
No SSL
SSL
Slide 56 / 69
MySQL: SSL Performance
© Copyright 2012 yaSSL
0.1 0.1 0.21
0.65
1.33
2.67
0.14 0.14 0.29
0.76
1.62
3.32
1 2 4 8 16 32 Concurrency (# of Client Connec1ons)
MySQL Average SELECT Query Times (ms) No SSL vs. SSL
100,000 Requests sysbench
No SSL SSL
Slide 57 / 69
0.65
0.76
0
0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
Average Que
ry Tim
e (m
s)
Client Concurrency = 8
MySQL Average SELECT Query Times No SSL vs. SSL
100,000 Requests sysbench
No SSL SSL
MySQL: SSL Performance
16.9% Difference (0.11 ms)
© Copyright 2012 yaSSL Slide 58 / 69
Part III Additional Security
Concerns
© Copyright 2012 yaSSL
Data EncrypRon
Slide 59 / 69
Data Storage and Encryption
Client Side Encryption • Encrypt data in code before it is passed to MySQL • Many encryption modules available (PHP, Perl, etc.)
Advantages • Data encrypted between code & MySQL • Allows the use of bin logging (MySQL backup/replication)
Disadvantages • What to do with the key?
© Copyright 2012 yaSSL Slide 60 / 69
Data Storage and Encryption
Server Side Encryption • AES_ENCRYPT(), AES_DECRYPT() functions
- AES-128 Default - AES-256 w/ source-code change • Entire Disk Encryption
• Transparent Data Encryption (Gazzang ezNcrypt)
© Copyright 2012 yaSSL Slide 61 / 69
Data Storage and Encryption
Gazzang ezNcrypt • ezNcrypt sits between your storage engine and file system to encrypt your data before
it hits the disk.
• TradiRonally called -‐ Transparent Data EncrypRon (TDE) – The data is encrypted transparently, no changes are needed to your applicaRon,
code or MySQL.
© Copyright 2012 yaSSL
Table Orders 20090101,4307
Applica1on SQL “insert into orders (number, credit card,….) Values (20090101,4307,…)”
File System orders.myd 9f7c7d77a877fg8e78s09ab
Slide 62 / 69
Data Storage and Encryption
Gazzang ezNcrypt
• Gazzang Key Storage System (KSS)
© Copyright 2012 yaSSL Slide 63 / 69
Data Storage and Encryption
Server Side Encryption Advantages: • Data is stored encrypted • Easy to use
Disadvantages: • bin logging (all queries are shown in plain text)
Exception: Gazzang can protect the bin logs
• What to do with the key?
© Copyright 2012 yaSSL Slide 64 / 69
Part IV Wrap-Up
© Copyright 2012 yaSSL
Licensing Concerns About yaSSL
Slide 65 / 69
Licensing Concerns
yaSSL vs. OpenSSL - OpenSSL uses BSD-style license with announcement clause - Makes it incompatible with GPL - yaSSL = dual licensed (GPL, Commercial)
© Copyright 2012 yaSSL Slide 66 / 69
What did we cover?
Part I: MySQL Security
1. Good Security Practices for MySQL Part II: SSL/TLS
1. Overview of SSL and TLS 2. Configuring and Building MySQL with SSL 3. MySQL SSL Command Options 4. SSL Certificate Creation 5. Performance Comparison
Part III: Additional Security Concerns
1. Data Storage and Encryption
© Copyright 2012 yaSSL Slide 67 / 69
http://www.yassl.com
Email: [email protected] Phone: (206) 369-‐4800
Thanks!
© Copyright 2012 yaSSL Slide 68 / 69
Helpful Sources
MySQL Manual: http://dev.mysql.com/doc/refman/5.5/en/ http://dev.mysql.com/doc/refman/5.5/en/default-privileges.html http://dev.mysql.com/doc/refman/5.5/en/mysql-secure-installation.html http://dev.mysql.com/doc/refman/5.5/en/secure-connections.html http://dev.mysql.com/doc/refman/5.5/en/security-against-attack.html
MySQL Security Resources around the Internet
http://www.symantec.com/connect/articles/secure-mysql-database-design SSL/TLS
https://www.ssllabs.com/ http://en.wikipedia.org/wiki/Transport_Layer_Security
© Copyright 2012 yaSSL Slide 69 / 69