Database Security


Database Security
David Nguyen
Dangers of the Internet
 Web-based applications open up new threats
to a corporation's security
 Protection of information is critical to the
success of a business
Analyzing the threat
 Internet access
 Port access
 Server access
 Network access
Internet access
 If attackers can find the IP address of a
server (by scanning, not just guessing) and a
remote login service such as telnet is exposed
to the Internet, they can connect and get a
login prompt. At that point, all that stands
between them and the server is a user ID and
password
Port access
 All Web applications are configured to
listen on a predefined port for incoming
connections, and they generally use a
listener daemon process to accept those
connections. Any such port reachable from the
Internet is a target for probing.
Server access
 A four-tiered Web application (clients, Web
servers, application servers, and database
servers) presents a potential point of entry
at each server tier. If remote shell access is
enabled between tiers, an attacker who gains
access to a single server may pivot from it
to many servers.
Network access
 Oracle Net (formerly SQL*Net), as an example,
accepts incoming connect strings at the Oracle
listener process. If attackers know the IP
address, port, service name, Oracle user ID,
and password, they can connect directly to the
database without touching the Web tier.
Countermeasures
 Restricting server access
 Server account disabling
 Trusted IP addresses
 Restricting database access
 Authentication of users
Restricting server access
 Some companies use domain (directory)
servers to restrict server access to specified
users. However, attackers may still intercept
user IDs and passwords sent over cleartext
protocols such as telnet. To prevent this, many
companies use secure shell (ssh) to encrypt
external Internet communications. Note that ssh
protects credentials in transit; it does not
stop guessing of weak passwords, so pair it
with key-based authentication where possible.
Trusted IP addresses
 UNIX servers can be configured to accept
connections only from a list of "trusted"
hosts (for example with TCP wrappers or
firewall rules), and access can further be
restricted to a list of specific users. Source
addresses can be spoofed or shared behind a
NAT, so this filter complements, rather than
replaces, authentication
Server account disabling
 If you lock the account after three failed
password attempts, password-guessing attacks
are thwarted. Without account lockout, an
attacker can run a program that tries millions
of passwords until it finds the right one for a
known user ID. The trade-off is that an attacker
who knows a user ID can lock it on purpose, so
the lock should expire after a set time rather
than require manual intervention.
Authentication of users
 Kerberos security
 Virtual private databases
 Role-based security
 Grant-execute security
 Port access security
Kerberos security
 Kerberos is a network authentication
protocol. It is designed to provide strong
authentication for client/server applications
by using secret-key cryptography
Virtual private databases
 VPD technology appends a predicate to every
query against a protected table, so each user
can see only selected rows (and, with
column-level policies, selected columns)
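A working VPD policy, as an added example that is not part of the original slides: a policy function returns a predicate and DBMS_RLS attaches it to the table, so a user's query is rewritten on the way in. The schema (sales_app), table, column and user names are assumptions.

```sql
-- Added example (not from the slides): row-level security with Oracle VPD.
-- Schema, table, column and user names are assumptions for illustration.

-- Protected table, owned by the application schema. Each row records which
-- database user (the sales rep) is allowed to see it.
CREATE TABLE sales_app.orders (
  order_id   NUMBER PRIMARY KEY,
  sales_rep  VARCHAR2(128) NOT NULL,   -- database user name, upper case
  customer   VARCHAR2(100),
  amount     NUMBER,
  status     VARCHAR2(20) DEFAULT 'OPEN'
);

-- Policy function. DBMS_RLS requires exactly this signature: (schema, object)
-- returning the predicate as a string. It runs with its owner's privileges.
CREATE OR REPLACE FUNCTION sales_app.orders_rep_predicate (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2
) RETURN VARCHAR2 AS
BEGIN
  -- The owning schema sees every row; returning NULL means "no restriction".
  IF SYS_CONTEXT('USERENV', 'SESSION_USER') = 'SALES_APP' THEN
    RETURN NULL;
  END IF;
  -- Everyone else: only rows whose sales_rep equals the connected user.
  RETURN 'sales_rep = SYS_CONTEXT(''USERENV'', ''SESSION_USER'')';
END;
/

-- Attach the policy to the table. With update_check => TRUE a user also
-- cannot INSERT or UPDATE a row into a state they would not be able to see.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'SALES_APP',
    object_name     => 'ORDERS',
    policy_name     => 'ORDERS_REP_POLICY',
    function_schema => 'SALES_APP',
    policy_function => 'ORDERS_REP_PREDICATE',
    statement_types => 'SELECT,INSERT,UPDATE,DELETE',
    update_check    => TRUE
  );
END;
/

-- Check (run as database user ALICE): no WHERE clause is written, yet Oracle
-- executes it as ... WHERE sales_rep = 'ALICE' and returns only her orders.
SELECT order_id, customer, amount FROM sales_app.orders;
```

Because the predicate is added by the server, it applies to every client and tool, including ad-hoc SQL*Plus sessions, which is the difference between VPD and filtering done in application code.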
Role-based security
 Object privileges can be grouped into roles,
which can then be assigned to specific users
Grant-execute security
 Users can be granted EXECUTE on a stored
procedure without any privilege on the tables
it touches. When a user executes the procedure,
it runs with its owner's privileges, so the user
gains database access only within the scope of
what the procedure does
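The two mechanisms from the "Role-based security" and "Grant-execute security" slides together, as an added example that is not part of the original slides: object privileges bundled into a role, and a definer's-rights procedure that is the only path a clerk has to modify the table. The schema (sales_app), role, user and column names and the placeholder passwords are assumptions.

```sql
-- Added example (not from the slides). Schema, role, user and column names are
-- assumptions; the passwords are placeholders to be replaced.

-- 1. Role-based security: group object privileges into a role, grant the role.
CREATE ROLE sales_reader;
GRANT SELECT ON sales_app.orders    TO sales_reader;
GRANT SELECT ON sales_app.customers TO sales_reader;

CREATE USER report_user IDENTIFIED BY "Repl4ce-This-Pw";
GRANT CREATE SESSION TO report_user;
GRANT sales_reader   TO report_user;
-- report_user can now read both tables; adding a table to the role later
-- extends access for every holder without touching each user.

-- 2. Grant-execute security: a definer's-rights procedure (the default AUTHID)
-- runs with the privileges of its owner, sales_app. It encodes the one change
-- a clerk is allowed to make and the condition under which it is allowed.
CREATE OR REPLACE PROCEDURE sales_app.cancel_order (p_order_id IN NUMBER) AS
BEGIN
  UPDATE sales_app.orders
     SET status = 'CANCELLED'
   WHERE order_id = p_order_id
     AND status   = 'OPEN';            -- only open orders may be cancelled
  IF SQL%ROWCOUNT = 0 THEN
    RAISE_APPLICATION_ERROR(-20001, 'order is not open or does not exist');
  END IF;
END;
/

CREATE USER clerk IDENTIFIED BY "Repl4ce-This-Too";
GRANT CREATE SESSION TO clerk;
GRANT EXECUTE ON sales_app.cancel_order TO clerk;   -- and nothing on orders itself

-- Checks, run as clerk:
--   BEGIN sales_app.cancel_order(42); END;          succeeds for an open order 42
--   UPDATE sales_app.orders SET status = 'CANCELLED'; fails: clerk holds no
--   SELECT * FROM sales_app.orders;                   privilege on the table
```

The procedure, not the caller, decides which rows can change and how; a caller who obtains the clerk's password still cannot read or rewrite the table directly.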
Port access security
 The Oracle listener accepts connections on a
specific port number on the server (1521 by
default). Like any standard HTTP server, the
Oracle Web Listener can be configured to
restrict which hosts may connect
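The listener-side form of the controls from the "Trusted IP addresses" and "Port access security" slides, as an added example that is not part of the original slides: Oracle's valid-node checking in sqlnet.ora rejects connections from any host not on the invited list before a user ID or password is ever evaluated, and listener.ora pins the listener to one address and port. The host names and addresses are constructed placeholders.

```ini
# Added example (not from the slides). Host names and addresses are constructed.

# --- sqlnet.ora on the database host ---
# Only the listed application servers may open connections to the listener.
# Anything else is refused at the network layer, before authentication.
TCP.VALIDNODE_CHECKING = YES
TCP.INVITED_NODES = (10.0.1.5, 10.0.1.6, app-server-01.example.com)

# --- listener.ora on the database host ---
# Bind to the internal interface only and to one known port (1521 is the
# Oracle default); do not listen on an Internet-facing address.
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = db01.internal.example.com)(PORT = 1521))
    )
  )
```

The listener reads these files when it starts, so restart it after editing them, and verify from a host that is not on the invited list that a connection attempt is refused rather than prompted for credentials. As with the trusted-hosts list on the UNIX server, this is a source-address filter: it narrows who can reach the login prompt, and the database's own authentication still does the rest.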
Conclusion
 Allowing outside access to critical
applications exposes a company's security to
new vulnerabilities
 These threats must be dealt with because of
the importance of the information at stake