
Implementing Database Security and Auditing, part 8 (ppt)




DOCUMENT INFORMATION

Basic information

Pages: 44
Size: 615.03 KB


Contents



290 9.7 Monitor and audit job creation and scheduling

options is the Event Monitors folder, which lists all event monitors defined and shows their status as part of the tabular pane on the right. In reviewing this pane I can see that I have only one event monitor—and in this case that’s what I expect.

Manually inspecting event monitors and traces can become tedious and is not sustainable in the long run. Therefore, you should either revert to real-time monitoring of event monitor and trace creation or at least periodically audit them and compare activity with a baseline. For the example shown in Figure 9.10, you can set a baseline that defines that the SAMPLE database has only one event monitor with the specifications shown in Figure 9.10. You can then define an automated procedure that will query the event monitors in your database every day and alert you when the list has changed.

When a Trojan is injected into your database to collect information to be used by an attacker, the attacker can either connect into the database or have the Trojan deliver the information to the attacker. If a connection is made to the database, you can resort to methods you have already seen for monitoring and blocking rogue database connections. If the Trojan is also responsible for delivering the information, you need to monitor jobs that are running in the database.

The delivery of the stolen data may be external to the database. For example, a Trojan can write the information to a file where the delivery mechanism is based on other programs, such as FTP, e-mails, and so on. While you can monitor activities at the host level, if your primary responsibility is the database, this may be off-limits to you.

In addition to the use of event monitors and traces as described in the previous section, database Trojans will often use scheduled jobs. In this way they can insert the data quickly into a table whenever an event fires and then periodically move this information into a file to be sent off using any number of methods. Therefore, in addition to monitoring event creation and/or auditing which traces are active, you should monitor or audit which jobs are currently scheduled within the database. As in the previous section, you can choose to monitor and alert on statements that create a new job (that the Trojan would probably initiate when it is first injected) or choose to audit (and possibly baseline) the jobs you have scheduled within the database.


Monitoring for job creation and scheduling follows techniques you learned in previous chapters. For example, to schedule a job in SQL Server that would take the event information into a file, you can use:

-- Declarations and transaction wrapper as in SQL Server's generated job scripts
-- (reconstructed; not shown on the page)
DECLARE @JobID BINARY(16)
DECLARE @ReturnCode INT
SELECT @ReturnCode = 0
BEGIN TRANSACTION

-- Add the job
EXECUTE @ReturnCode = msdb.dbo.sp_add_job
    @job_id = @JobID OUTPUT,
    @job_name = N'trojan',
    @owner_login_name = N'sa',
    @description = N'Get Login/Logout events',
    @category_name = N'[Uncategorized (Local)]'
    -- (further sp_add_job parameters are omitted in the original)
IF (@@ERROR <> 0 OR @ReturnCode <> 0) GOTO QuitWithRollback

-- Add the job steps
EXECUTE @ReturnCode = msdb.dbo.sp_add_jobstep
    @job_id = @JobID, @step_id = 1
    -- (step name and command are omitted in the original)
IF (@@ERROR <> 0 OR @ReturnCode <> 0) GOTO QuitWithRollback

-- Add the job schedules
EXECUTE @ReturnCode = msdb.dbo.sp_add_jobschedule
    @job_id = @JobID,
    @name = N'ScheduledUpdates',
    @enabled = 1
    -- (frequency parameters are omitted in the original)
IF (@@ERROR <> 0 OR @ReturnCode <> 0) GOTO QuitWithRollback

-- Add the Target Servers
EXECUTE @ReturnCode = msdb.dbo.sp_add_jobserver
    @job_id = @JobID,
    @server_name = N'(local)'
IF (@@ERROR <> 0 OR @ReturnCode <> 0) GOTO QuitWithRollback

COMMIT TRANSACTION
GOTO EndSave
QuitWithRollback:
    IF (@@TRANCOUNT > 0) ROLLBACK TRANSACTION
EndSave:

In this example, you would monitor all usage of sp_add_jobserver, sp_add_jobstep, sp_add_jobschedule, and sp_add_job.

The other option is to watch and audit the jobs scheduled within the database. As in the previous section, you can do this manually using the database tools. Figure 9.11 shows a user-defined job in the DB2 Task Center (within the Control Center) and one within the SQL Server Enterprise Manager. This task, however, becomes tedious, and you would do better to automate it by periodically listing all active jobs scheduled within the database and comparing this list with your baseline to see whether any changes have been made.
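To show how both the statement monitoring (watching for sp_add_job, sp_add_jobstep, sp_add_jobschedule, and sp_add_jobserver) and the baseline audit of scheduled jobs described above can be automated, here is an added Python example; it is not code from the book. The trace lines and job rows are constructed; the assumption is that in practice the rows would come from a query joining msdb.dbo.sysjobs to msdb.dbo.sysjobsteps, and the procedure name dbo.export_login_events is hypothetical.

```python
import json
import re
from typing import Dict, List, Tuple

# --- Part 1: monitoring statements for job creation --------------------------
# The four procedures the text says to watch. Longer names come first so the
# word boundary does not stop at the "sp_add_job" prefix of "sp_add_jobstep".
JOB_PROCS = ("sp_add_jobschedule", "sp_add_jobserver", "sp_add_jobstep", "sp_add_job")
JOB_PROC_RE = re.compile(
    r"\b(?:msdb\.(?:dbo\.)?)?(" + "|".join(JOB_PROCS) + r")\b", re.IGNORECASE
)

def find_job_creation(statements: List[str]) -> List[Tuple[int, str]]:
    """(1-based statement number, procedure) for every statement in a trace or
    audit log that calls one of the job-creation procedures."""
    hits: List[Tuple[int, str]] = []
    for n, stmt in enumerate(statements, start=1):
        m = JOB_PROC_RE.search(stmt)
        if m:
            hits.append((n, m.group(1).lower()))
    return hits

# --- Part 2: auditing scheduled jobs against a baseline ----------------------
# Snapshot: {job_name: {"enabled": bool,
#                       "steps": {step_id (str): {"subsystem": str, "command": str}}}}
Snapshot = Dict[str, dict]

def snapshot_from_rows(rows: List[Dict[str, object]]) -> Snapshot:
    """Fold flat job/step rows (one row per step) into a snapshot keyed by job
    name. Step ids are stored as strings so a JSON round trip through the
    baseline file leaves the snapshot unchanged."""
    snap: Snapshot = {}
    for r in rows:
        job = snap.setdefault(r["name"], {"enabled": bool(r["enabled"]), "steps": {}})
        job["steps"][str(r["step_id"])] = {"subsystem": r["subsystem"], "command": r["command"]}
    return snap

def diff_snapshots(baseline: Snapshot, current: Snapshot) -> List[str]:
    """One finding per deviation from the baseline; an empty list means nothing changed."""
    findings: List[str] = []
    for name in sorted(set(current) - set(baseline)):
        findings.append(f"NEW JOB: {name}")
    for name in sorted(set(baseline) - set(current)):
        findings.append(f"REMOVED JOB: {name}")
    for name in sorted(set(baseline) & set(current)):
        b, c = baseline[name], current[name]
        if b["enabled"] != c["enabled"]:
            findings.append(f"ENABLED CHANGED: {name} {b['enabled']} -> {c['enabled']}")
        bs, cs = b["steps"], c["steps"]
        for sid in sorted(set(cs) - set(bs)):
            findings.append(f"NEW STEP: {name} step {sid}: {cs[sid]['command']!r}")
        for sid in sorted(set(bs) - set(cs)):
            findings.append(f"REMOVED STEP: {name} step {sid}")
        for sid in sorted(set(bs) & set(cs)):
            if bs[sid] != cs[sid]:
                findings.append(f"STEP CHANGED: {name} step {sid}: "
                                f"{bs[sid]['command']!r} -> {cs[sid]['command']!r}")
    return findings

def to_json(snap: Snapshot) -> str:
    """Serialize a snapshot; store the result as the baseline file."""
    return json.dumps(snap, sort_keys=True, indent=2)

def from_json(text: str) -> Snapshot:
    return json.loads(text)

# Constructed sample data, not captured from any real server.
SAMPLE_TRACE = [
    "SELECT name FROM sys.tables",
    "EXECUTE @ReturnCode = msdb.dbo.sp_add_job @job_name = N'trojan', @owner_login_name = N'sa'",
    "EXECUTE @ReturnCode = msdb.dbo.sp_add_jobstep @job_id = @JobID, @step_id = 1",
    "UPDATE dept SET loc = 'BOSTON' WHERE deptno = 40",
    "EXEC msdb.dbo.sp_add_jobschedule @job_id = @JobID, @name = N'ScheduledUpdates', @enabled = 1",
    "EXEC msdb.dbo.sp_add_jobserver @job_id = @JobID, @server_name = N'(local)'",
]
BACKUP_CMD = "BACKUP DATABASE Sales TO DISK = N'D:\\bak\\Sales.bak'"
BASELINE_ROWS = [
    {"name": "Nightly backup", "enabled": 1, "step_id": 1, "subsystem": "TSQL", "command": BACKUP_CMD},
    {"name": "Index maintenance", "enabled": 1, "step_id": 1, "subsystem": "TSQL",
     "command": "EXEC dbo.RebuildIndexes"},
]
CURRENT_ROWS = [
    # same backup job, but its step now also runs a hypothetical export procedure
    {"name": "Nightly backup", "enabled": 1, "step_id": 1, "subsystem": "TSQL",
     "command": BACKUP_CMD + "; EXEC dbo.export_login_events"},
    {"name": "Index maintenance", "enabled": 1, "step_id": 1, "subsystem": "TSQL",
     "command": "EXEC dbo.RebuildIndexes"},
    # the job from the script above, which was not in yesterday's baseline
    {"name": "trojan", "enabled": 1, "step_id": 1, "subsystem": "CmdExec",
     "command": "(constructed placeholder: copies collected events to a file)"},
]

if __name__ == "__main__":
    for n, proc in find_job_creation(SAMPLE_TRACE):
        print(f"statement {n}: calls {proc}")
    baseline = from_json(to_json(snapshot_from_rows(BASELINE_ROWS)))  # as if reloaded from disk
    for finding in diff_snapshots(baseline, snapshot_from_rows(CURRENT_ROWS)):
        print("ALERT:", finding)
```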

Finally, remember that in some environments the scheduler will be the operating system rather than the database. This is especially true in databases where the authentication model is based on the operating system. For example, scheduling of jobs that need to run within DB2 on UNIX and Linux is often done by adding a cron job (possibly at the user level) and having a script connect to the database. In this case, the script will connect to the database normally, and you can revert to techniques learned in the previous chapter for monitoring database activities.

9.8 Be wary of SQL attachments in e-mails 293

Finally, one last word of caution: Windows Trojans and other “conventional” Trojans often come in through e-mails. Database Trojans can too. If someone sends you a SQL blurb, you can inadvertently apply it to your database if you open it naively. For example, if I get an e-mail with a SQL attachment (as shown in Figure 9.12) and double-click the attachment in Outlook, it will open up in SQL Server 2005 Management Studio—because that’s how the file extensions are set up on my machine. After opening up the procedure in a window, I get a prompt to sign onto my database, as shown in Figure 9.13. This is too close for comfort, and I can easily end up creating the procedure inside my database—and using the user privileges assigned to my account!

In this chapter you learned about a new type of threat—Trojans that allow attackers to collect information and/or perform actions within the database continuously, without necessarily connecting to the database. There is an initial connection to plant the Trojan, but once planted, the Trojan can often run independently. All this makes the Trojan a little more difficult (or at least different) to detect, and this chapter showed you the approaches to use to uncover such attacks or mistakes, including the monitoring of the actual methods through which the Trojan is injected into the database.

A Trojan is an unauthorized program that runs within your database, and as such it is an example of the need for protecting data from foreign elements that may have direct access to the data. This topic is a wider issue, and the technique used most often to address protection of the data is encryption (of data at rest, in this case)—the topic of the next chapter.

294 9.A Windows Trojans

Windows Trojans usually have two components: a client and a server. The server is embedded into something the victim trusts, and the victim unknowingly activates the server component of the Trojan. Once the Trojan server component is running, it will communicate with the attackers to inform them of the IP of the victim’s machine. The attackers then use the client component to connect to the server, which normally listens on a certain port of the victim’s machine.

Trojans often attach themselves to other executables, such as explorer.exe or iexplorer.exe. This ensures that they will be activated and reactivated no matter how many times the machine is powered down. Other techniques for ensuring auto-run include use of the autostart folder, insertion of load=trojan.exe and run=trojan.exe into the win.ini file, or insertion of Shell=Explorer.exe trojan.exe into the system.ini file. The registry is also a common method used to ensure that the Trojan will run:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Info"="c:\trojan.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Info"="c:\trojan.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Info"="c:\trojan.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
"Info"="c:\trojan.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Info"="c:\trojan.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Info"="c:\trojan.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command] -> value=trojan.exe %1 %*

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command] -> value=trojan.exe %1 %*

The last two registry lines use the fact that if the value for these keys is trojan.exe %1 %*, then the Trojan will be executed each time you open a binary file.

Some Trojans have a single purpose in life and others are general-purpose “let the attackers do whatever they please”-type Trojans. Specialized Trojans include password-sending Trojans that extract passwords stored in various locations on the machine. Another specialized Trojan is one that does keystroke logging—these Trojans send anything you type to the attackers (allowing them to get your passwords). General-purpose Trojans include server Trojans that allow attackers to run anything on your machine, file deletion Trojans, and denial-of-service (DoS) Trojans that just vandalize your system. There are even Trojans that will combat security products—for example, there are Trojans that look for and kill Norton antivirus software—so it is truly a battle between good and evil.


Encryption

Most databases contain sensitive, proprietary, and/or private information. This can include customer information, employee salaries, patient records, credit card numbers—the list goes on and on. The key to maintaining this information in a secure manner is confidentiality—and companies that cannot ensure security for confidential information risk embarrassment, financial penalties, and sometimes even the business itself. Would you do business with a bank if you discovered that other customers’ account information (including information that can be used to do wire transfers) frequently leaked out and was used by criminals?

A related subject is that of privacy, and there has been a lot of press on security and privacy incidents. Such incidents are usually reported generically, and it is difficult to understand exactly how information was stolen and how privacy was compromised. However, because most of today’s business data resides in relational databases, it is likely that at least some, and possibly many, of these incidents involved unauthorized access to this data. The same is true for identity theft: leakage of data from relational databases is a potential disaster when it comes to identity theft.

The focus on confidentiality of information has been fueled by two additional developments: Web applications and regulations. In the past five years, Web applications have transformed the way we do business and the way we live, and while such applications have certainly improved access to information, they have also improved access for hackers. The other development (perhaps spurred by the increase in risk and an increase in the number of incidents) is the emergence of data-privacy regulations that have been forced on many companies across the globe. Such regulations and programs include the U.S. Gramm-Leach-Bliley Act (GLBA), the U.S. Health Information Portability and Accountability Act (HIPAA), the VISA U.S.A. Cardholder Information Security Program (CISP), the VISA International Account Information Security (AIS), the European Union 95/46/EC Directive of Data Protection, the Canadian B.11-C6 Personal Information Protection and Electronic Document Act (PIPEDA), the Japanese JIS Q 15001:1999 Requirement for Compliance Program on Personal Information Protection, and more.

Hackers can do all sorts of damage, but when it comes to databases, the worst thing that can happen is the theft of proprietary information. In the previous chapters you saw many methods hackers can use to attack a database as well as learned what you should do to protect your database environments. You also learned about best practices that you should follow in order to limit what hackers can do and/or what they can gain. In this chapter you will learn about encryption and how it can serve as an additional layer of security—almost a safety net, in case a hacker does manage to get at your data even though you’ve secured your database environment using all the techniques discussed so far.

Confidentiality of information is the subject of a mature and age-old domain called cryptography. Of all the areas of mathematics and science, cryptography and encryption are perhaps most closely associated with security, and people have been inventing ways to encrypt data since the dawn of humankind. For a good, nontechnical, and readable introduction to cryptography, see The Code Book: The Science of Secrecy from Ancient Egypt to Quantum Cryptography by Simon Singh (Doubleday, 1999). In this chapter you will learn why it is important to use such techniques to ensure confidentiality of data and when to use them. I will not spend time on an exposition of cryptography, encryption algorithms, and keys because many reference books have covered these topics. Rather, I will focus on two main uses of encryption that are relevant to the topic of database security and how you should use these techniques.

The two techniques you will learn are encryption of data-in-transit and encryption of data-at-rest. In both cases, encryption should be used as an additional layer of security that can guarantee confidentiality in case all of your other layers have been breached. Encryption does not come in place of a secure database environment and is not a panacea; you should always do your utmost to create a secure database environment and use encryption to help you deal with risk mitigation in case a hacker does manage to overcome all of your other security mechanisms. The idea is to employ good encryption practices because the impact of encrypted data (usually called cipher text) falling into the wrong hands is considerably less disastrous than the impact of clear text falling into the hands of the enemy.


10.1 Encrypting data-in-transit 299

In Chapter 3, you learned quite a bit about the database server as a networked service. You learned that most database environments use TCP/IP and that the database server listens to certain ports and accepts connections initiated by database clients. While the ports are configurable, most people tend to use the default server ports (e.g., 1433 for Microsoft SQL Server, 1521 for Oracle, 4100 for Sybase, 50000 for DB2, and 3306 for MySQL). Database clients connect to the server over these agreed-upon ports to initiate a conversation, and depending on the database type and the server configuration, redirect to another port or complete the entire conversation on the same server port.

In the same way that you know this, so do hackers. Moreover, because many hackers are system and network geeks, they know a lot about the TCP/IP protocol and specifically about sniffing TCP/IP traffic. At a high level, this means that with the right tools and the right access to the network, anybody can tap into your database conversations and eavesdrop on database access—capturing and stealing both the statements that you issue as well as the data returned by the database server.

Eavesdropping on your database communications is relatively easy because database communications are mostly in clear text—or close enough to clear text. Therefore, by using simple utilities and mostly free tools, a hacker can listen in and steal information. The way to stop this from happening—and the topic of this section—is to encrypt the communications between database clients and database servers. This type of encryption is called encryption of data-in-transit because all (or pieces of the) communications between the client and the server are encrypted. The encryption occurs at the endpoints. Although I have yet to define what endpoints are (and these will be different in different encryption schemes), one side will encrypt the data being passed over the network and the other will decrypt it—the data stored in the tables and the data used within the application is not encrypted.

Although encryption of data-in-transit is becoming popular, I don’t want to give you the wrong impression—most people do not encrypt data-in-transit, and for many environments that is perfectly fine. If you feel that a potential eavesdropper is something you cannot live with, then you should definitely encrypt data-in-transit. If you consider this to be unlikely and you think that on the odd chance that this occurs no heads will roll, then it may not be worth the effort and the performance degradation. Degradation depends on the encryption method as well as the database, but as an example, MySQL communications are typically 35% slower when using SSL connections. In any case, before looking into the various options for encrypting your database communications, let’s understand a bit more about what happens when you use unencrypted streams.

10.1.1 Anatomy of the vulnerability: Sniffing data

If a hacker is to eavesdrop and steal data, two things must occur: (1) the hacker must be able to physically tap into the communications between the database clients and the database server and (2) the hacker must be able to understand the communication stream at a level that allows extracting the sensitive data. Of the two, getting the physical tap is certainly the harder task, especially in well-designed switched networks.

In order to tap into the TCP/IP communication stream, a hacker must run his or her tools on a machine that is able to see the packets transmitted from the client to the server and back. One option is to run these tools on the client machine, and another is to run the tools on the database server—both of these machines obviously see the entire communication stream. As an example, if your application uses an application server architecture and if a hacker can compromise the application server or the host on which the application server is installed, then the hacker can secretly install some form of network sniffer to tap into all database communications between that application server and the database.

However, there are additional places on the network that are just as useful—nodes that you may not even know about. For example, most networks today are Ethernet networks, and Ethernet by definition uses a broadcast protocol. This means that if the hacker’s machine is connected on the same Ethernet segment of the database or of the client machine, then the hacker will be able to see all communications between the client and the server. If you are on a switched network, another way to eavesdrop is through the SPAN ports on a switch. Finally, if a hacker can gain access to the physical location in which some of this communications equipment resides, he or she can always put in a network TAP. A detailed explanation of all of these options is provided in Appendix 10.A.

Now let’s move on to the second thing a hacker needs to do—understand the communications. As you may recall from Chapter 3, SQL travels from database clients to database servers, and result sets (among other things) travel from the server to the client. This data is packaged with the database’s protocol stack (e.g., Net9 over TNS for Oracle 9i). Each of the other database products has its equivalent protocol stack, and in all cases, when the underlying network is a TCP/IP network, this is all packaged within TCP, which is packaged within IP. As shown in Figure 10.1, higher-level packets form the payload of the underlying protocol (vendor-specific protocols—in this case Oracle 9i—are shown in a lighter gray).

Although vendor protocols tend to be proprietary and not very well understood by hackers, database engineers, and security professionals alike, TCP/IP is a well-known protocol, and there are numerous tools available for inspecting headers and payload of TCP/IP packets. Unless you encrypt data-in-transit, a not-too-sophisticated hacker can see pretty much everything. In understanding how a hacker can eavesdrop by merely looking at the TCP/IP payload, let’s look at two such tools: tcpdump and Ethereal. Tcpdump is a utility that is available as part of the installation in most UNIX systems and is available even for Windows. If you can’t see it on your system, you can download it for most UNIX variants from www.tcpdump.org, and you can download the Windows equivalent—WinDump—from http://windump.polito.it. Tcpdump allows you to dump TCP/IP packets based on certain filters. You can either print out headers only or you can dump entire packets and streams to a file; you can then take this file to your own computer and analyze the contents at your leisure, usually using a sniffer that can read tcpdump capture files (e.g., Ethereal).

Figure 10.1 Oracle protocol stack over TCP/IP.

Ethereal (www.ethereal.com) is the world’s most popular network protocol analyzer and is an open source project—available for free under the GNU license agreement. While technically Ethereal is a beta product, it is a mature product that can analyze and report on most protocols. It includes support for protocols such as Oracle’s TNS and Microsoft’s and Sybase’s TDS. But most important, it is a great TCP/IP sniffer. Note that while the technically correct term is a network protocol analyzer, and while “sniffer” is trademarked by Network Associates (now McAfee Inc.), most network professionals still use the term sniffer or network sniffer. Also note that Ethereal is just one possible sniffer, and there are numerous other such products—some free and some for which you have to pay.

Let’s move on and see what kind of eavesdropping we can do using these tools. As an example, suppose that I have an Oracle 10g server and I connect to it using SQL*Plus. I can trace TCP/IP connections on the database server, on the client machine running the SQL*Plus, or on any machine that can see these communication streams (e.g., a machine that is connected to a hub along with the client or the server or a machine that is getting mirrored traffic). If I want to see all TCP/IP traffic coming into the machine, I can use the following tcpdump command (in this case on Linux):

tcpdump -i eth1 host goose

This command says that I want to see traffic flowing through the eth1 interface (one of my network interfaces) and that I want only traffic coming or going from the host named goose. Tcpdump has many filtering rules: for example, I can filter on a port (e.g., port 1433 if I am trying to sniff Microsoft SQL Server traffic), but for now filtering on the host is enough. The output I get from tcpdump looks as follows:

15:10:43.323110 192.168.1.168.4326 > goose.guardium.com.1522: S 3477922729:3477922729(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
15:10:43.323236 goose.guardium.com.1522 > 192.168.1.168.4326: S 3856403494:3856403494(0) ack 3477922730 win 5840 <mss 1460,nop,nop,sackOK> (DF)
15:10:43.323736 192.168.1.168.4326 > goose.guardium.com.1522: ack 1 win 64240 (DF)
15:10:43.324860 192.168.1.168.4326 > goose.guardium.com.1522: P 1:244(243) ack 1 win 64240 (DF)
15:10:43.324876 goose.guardium.com.1522 > 192.168.1.168.4326: ack 244 win 6432 (DF)
15:10:43.349840 goose.guardium.com.1522 > 192.168.1.168.4326: P 1:9(8) ack 244 win 6432 (DF)
15:10:43.350464 192.168.1.168.4326 > goose.guardium.com.1522: P 244:487(243) ack 9 win 64232 (DF)
15:10:43.350714 goose.guardium.com.1522 > 192.168.1.168.4326: P 9:41(32) ack 487 win 7504 (DF)
…
15:10:43.432778 goose.guardium.com.1522 > 192.168.1.168.4326: P 4055:4070(15) ack 4642 win 11319 (DF)
15:10:43.622017 192.168.1.168.4326 > goose.guardium.com.1522: ack 4070 win 63407 (DF)

What I can see from the first line is the client machine with an IP of 192.168.1.168 connecting to the server. The client port is 4326 and the server port is 1522. Note that this is not the standard Oracle listener port, and you should not assume that using a nonstandard port keeps you safe in any way. Also note that I removed some of the packets in the middle—the full dump includes 65 such lines and is not very useful at this point.

This first dump doesn’t show me much, mostly because by default tcpdump has only shown me the headers. However, I can now go one step further and start looking at the TCP/IP payload, which is where all the juicy data resides. At this point I can ask tcpdump to capture all of the stream to a file using the following command (on Linux; other platforms may have slightly different flags):

tcpdump -S -w /tmp/out.txt -i eth1 host goose

I can then analyze this file using a sniffer or use a sniffer instead of tcpdump in the first place. The main question is where I prefer doing the work—on-site or in a quiet place where I will not be bothered.

Let’s look at the payload. The payload is verbose, and I won’t show you all of it because it is not relevant to our discussion. There are three packets that are relevant here: the login process, the packet containing a SQL call, and the packet containing the reply.

Let’s start with the login process. When a client initiates a session with a server, there is a handshake process during which the two agree on various details of the communication. In this process the client authenticates itself with the server (i.e., hands over the username and password with which it is trying to log in to the database). An example payload of the TCP/IP packet for this part of the Oracle handshake (using the infamous scott/tiger user) follows:

00000000 : 01 78 00 00 06 04 00 00 00 00 03 73 03 c8 f7 05 x s

00000010 : 08 05 00 00 00 01 01 00 00 bc ea ff bf 07 00 00

00000020 : 00 cc e8 ff bf 7e bc ff bf 05 53 43 4f 54 54 0d ~ SCOTT.


00000030 : 00 00 00 0d 41 55 54 48 5f 50 41 53 53 57 4f 52 AUTH_PASSWOR

00000040 : 44 20 00 00 00 20 30 42 45 35 44 36 37 46 31 36 D 0BE5D67F16

00000050 : 30 46 45 44 44 41 32 46 36 36 41 34 38 31 34 44 0FEDDA2F66A4814D

00000060 : 34 39 38 35 37 44 00 00 00 00 0d 00 00 00 0d 41 49857D A

00000070 : 55 54 48 5f 54 45 52 4d 49 4e 41 4c 06 00 00 00 UTH_TERMINAL

00000080 : 06 70 74 73 2f 31 31 00 00 00 00 0f 00 00 00 0f pts/11

00000090 : 41 55 54 48 5f 50 52 4f 47 52 41 4d 5f 4e 4d 29 AUTH_PROGRAM_NM)

000000a0 : 00 00 00 29 2e 2f 73 61 6d 70 6c 65 31 40 6c 65 )./sample1@cl

000000b0 : 6f 6e 69 64 2e 67 75 61 72 64 69 75 6d 2e 63 6f ient.guardium.co

000000c0 : 6d 20 28 54 4e 53 20 56 31 2d 56 33 29 00 00 00 m (TNS V1-V3)

000000d0 : 00 0c 00 00 00 0c 41 55 54 48 5f 4d 41 43 48 49 AUTH_MACHI

000000e0 : 4e 45 13 00 00 00 13 6c 65 6f 6e 69 64 2e 67 75 NE client.gu

000000f0 : 61 72 64 69 75 6d 2e 63 6f 6d 00 00 00 00 08 00 ardium.com

00000100 : 00 00 08 41 55 54 48 5f 50 49 44 05 00 00 00 05 AUTH_PID

00000110 : 32 30 33 31 37 00 00 00 00 08 00 00 00 08 41 55 20317 AU

00000120 : 54 48 5f 41 43 4c 04 00 00 00 04 34 34 30 30 00 TH_ACL 4400.

00000130 : 00 00 00 12 00 00 00 12 41 55 54 48 5f 41 4c 54 AUTH_ALT

00000140 : 45 52 5f 53 45 53 53 49 4f 4e 25 00 00 00 25 41 ER_SESSION% %A

00000150 : 4c 54 45 52 20 53 45 53 53 49 4f 4e 20 53 45 54 LTER SESSION SET

00000160 : 20 54 49 4d 45 5f 5a 4f 4e 45 3d 27 2d 30 34 3a TIME_ZONE='-04:

00000170 : 30 30 27 00 01 00 00 00 00'

The left-hand side of the payload dump shows offset within the packet, the middle section shows the actual content of the packet (in hex), and the right-hand side (which is the useful part) shows the ASCII representation of the payload. As you can see, it is not difficult to extract meaningful information from the packet because the information is being passed as clear text. Specifically, you can see that the database user is SCOTT and that the request is coming from client.guardium.com.

Let’s move on to see how a hacker can eavesdrop and get SQL statements and results. If I continue to monitor the TCP/IP conversation, I will eventually see packets of the following format:

0000 00 10 db 46 3e 74 00 0d 56 b2 05 34 08 00 45 00 .F>t V 4 E

0010 00 c8 94 79 40 00 80 06 e0 a6 c0 a8 01 a8 c0 a8 .y@

0020 02 17 0d bf 05 f2 64 56 a6 a7 2e 5f 36 88 50 18 .dV _6.P

0030 f7 af 04 4d 00 00 00 a0 00 00 06 00 00 00 00 00 .M .

0040 03 5e 20 61 80 00 00 00 00 00 00 10 59 da 00 12 .^ a Y

0050 00 00 00 68 ae d9 00 0c 00 00 00 00 00 00 00 98 .h .

0060 ae d9 00 00 00 00 00 01 00 00 00 00 00 00 00 00 .

0070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 .

0080 00 00 00 00 00 00 00 9a ae d9 00 d4 5c da 00 00 \

0090 00 00 00 12 73 65 6c 65 63 74 20 2a 20 66 72 6f sele ct * fro

00a0 6d 20 64 65 70 74 01 00 00 00 00 00 00 00 00 00 m dept .


00b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

00c0 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00

00d0 00 00 00 00 00 00

I’ve used a simple example using the dept table—one of the standard samples packaged with Oracle. As you can see, the SQL statement being executed is also shown in clear text, allowing a hacker to learn of your database structure and even see data (if it is included in WHERE clauses or INSERT clauses, for example). The SQL statement that is being passed (fully in clear text) within the packet is:

select * from dept

The response to this query (if done in SQL*Plus, for example) would be:

DEPTNO DNAME      LOC
------ ---------- ---------
    10 ACCOUNTING NEW YORK

is spread over two packets:


00e0 0d 00 00 00 01 03 03 00 00 00 03 4c 4f 43 00 00 .LOC

00f0 00 00 00 00 00 00 07 00 00 00 07 78 68 07 1b 10 .xh

0100 17 3b 06 02 03 00 00 00 01 00 00 00 00 00 00 00 .;

0110 00 00 00 00 07 02 c1 0b 0a 41 43 43 4f 55 4e 54 .ACCOUNT

0120 49 4e 47 08 4e 45 57 20 59 4f 52 4b 08 05 00 50 ING.NEW YORK P

0130 17 10 00 00 00 00 00 03 00 00 00 00 00 00 00 00 .

0140 00 00 00 00 00 00 00 04 01 00 00 00 01 00 00 00 .

0150 00 00 00 00 00 00 03 00 0e 00 03 00 00 00 00 00 .

0160 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 .

0170 00 00 20 00 00 01 00 00 00 00 00 00 00 00 00 00

0180 00 00 00 00 00 00 00

0000 00 0d 56 b2 05 34 00 0e d7 98 07 7f 08 00 45 00 V 4 .E

0010 00 e4 5d 4e 40 00 3f 06 58 b6 c0 a8 02 17 c0 a8 ]N@.? X

0020 01 a8 05 f2 0d bf 2e 5f 37 d9 64 56 a7 d4 50 18 ._ 7.dV P

0030 2c 37 16 91 00 00 00 bc 00 00 06 00 00 00 00 00 ,7

0040 06 02 03 00 00 00 0f 00 00 00 01 00 00 00 01 07 .

0050 00 00 00 00 07 02 c1 15 08 52 45 53 45 41 52 43 .RESEARC

0060 48 06 44 41 4c 4c 41 53 15 03 00 07 07 02 c1 1f H.DALLAS

0070 05 53 41 4c 45 53 07 43 48 49 43 41 47 4f 15 03 .SALES.C HICAGO

0080 00 07 07 02 c1 29 0a 4f 50 45 52 41 54 49 4f 4e .).O PERATION

0090 53 06 42 4f 53 54 4f 4e 04 01 00 00 00 04 00 00 S.BOSTON

00a0 00 7b 05 00 00 00 00 03 00 00 00 03 00 20 00 00 .{

00b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 .

00c0 00 00 00 21 00 00 01 00 00 00 00 00 00 00 00 00 .! .

00d0 00 00 00 00 00 00 00 00 19 4f 52 41 2d 30 31 34 .ORA-014

00e0 30 33 3a 20 6e 6f 20 64 61 74 61 20 66 6f 75 6e 03: no d ata foun

00f0 64 0a d

Your data is not really secure from prying eyes, unless you take extra measures to make it so.
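As an added check (example code written for this page, not code from the book), the following Python rebuilds the payload bytes from a dump in the offset/hex/ASCII layout shown above and reports what is readable in it: Oracle AUTH_* field names, SQL text, and the share of printable bytes, which is how a defender can confirm that sessions that are supposed to be encrypted really are. The two dumps in the block are constructed samples, not the book's capture, and the function names are this example's own.

```python
import re
from typing import Dict, List

# One dump line in the layout used above: "<offset> : <up to 16 hex bytes> <ascii>".
# Only the hex column is read; the quantifier stops at 16 bytes so the ASCII
# column is never mistaken for data.
DUMP_LINE_RE = re.compile(r"^\s*[0-9a-fA-F]{4,8}\s*:?\s*((?:[0-9a-fA-F]{2}(?:\s+|$)){1,16})")


def parse_hex_dump(text: str) -> bytes:
    """Rebuild the raw payload from hex-dump lines; lines that are not dump lines are skipped."""
    out = bytearray()
    for line in text.splitlines():
        m = DUMP_LINE_RE.match(line)
        if m:
            out += bytes.fromhex(m.group(1))
    return bytes(out)


def printable_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Runs of printable ASCII of at least min_len bytes, like the `strings` utility."""
    runs: List[str] = []
    cur = bytearray()
    for b in data + b"\x00":  # trailing sentinel flushes the last run
        if 0x20 <= b <= 0x7E:
            cur.append(b)
            continue
        if len(cur) >= min_len:
            runs.append(cur.decode("ascii"))
        cur = bytearray()
    return runs


SQL_VERBS = ("select", "insert", "update", "delete", "create", "alter", "drop", "exec")


def cleartext_findings(data: bytes) -> Dict[str, object]:
    """What an eavesdropper could read directly: Oracle AUTH_* field names,
    SQL text, and the fraction of printable bytes in the payload."""
    strings = printable_strings(data)
    printable = sum(0x20 <= b <= 0x7E for b in data)
    return {
        "auth_fields": [s for s in strings if s.startswith("AUTH_")],
        "sql": [s for s in strings if s.lower().split(" ", 1)[0] in SQL_VERBS],
        "printable_ratio": printable / len(data) if data else 0.0,
    }


def session_looks_encrypted(data: bytes, max_ratio: float = 0.3) -> bool:
    """Heuristic for a payload that should be encrypted: no protocol markers,
    no SQL, and few printable bytes. Use it to confirm encryption is in effect."""
    f = cleartext_findings(data)
    return not f["auth_fields"] and not f["sql"] and f["printable_ratio"] < max_ratio


# Constructed dumps in the page's layout (not the book's capture). The first
# mimics clear-text TNS traffic; the second mimics an encrypted payload.
CLEARTEXT_DUMP = """\
00000000 : 0d 00 00 00 0d 41 55 54 48 5f 54 45 52 4d 49 4e   .....AUTH_TERMIN
00000010 : 41 4c 06 00 00 00 06 70 74 73 2f 31 31 00 00 00   AL.....pts/11...
00000020 : 00 12 00 00 00 12 73 65 6c 65 63 74 20 2a 20 66   ......select * f
00000030 : 72 6f 6d 20 64 65 70 74 00 00                     rom dept..
"""
ENCRYPTED_DUMP = """\
00000000 : 9f 03 e7 1c 8b d4 00 ff a1 62 c3 1e 90 f4 07 b8   .........b......
00000010 : 5d e2 0c 99 f0 81 3a c7 11 ee 44 b0 d9 02 7e 1f   ].....:...D...~.
"""

if __name__ == "__main__":
    for label, dump in (("clear-text sample", CLEARTEXT_DUMP), ("encrypted sample", ENCRYPTED_DUMP)):
        payload = parse_hex_dump(dump)
        print(label, cleartext_findings(payload), "encrypted:", session_looks_encrypted(payload))
```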

10.1.2 Implementation options for encrypting data-in-transit

Encryption is a mature technology, and securing database communications usually involves securing TCP/IP sessions. As a result, you can choose from quite a few implementation options when you wish to encrypt database sessions. These range from database-specific encryption facilities to the use of core services provided by the operating system. Specifically, you’ll see the following options that provide a sampling of the broad range of techniques:


10.1 Encrypting data-in-transit 307

• Database-specific features (e.g., Oracle Advanced Security)

• Connection-based methods (e.g., using the Secure Sockets Layer [SSL])

• Secure tunnels (e.g., using Secure Shell [SSH] tunnels)

• Relying on the operating system (e.g., IPSec encryption)

These examples cover the spectrum, starting with database-specific techniques all the way to general operating system facilities. The more generic the method, the less work you need to do, relying on the fact that someone else has already done the work for you. Note that in all but the first category, encrypting of data-in-transit is based on industry standards and does not depend on your database vendor. Also note that although most methods encrypt the entire communication stream, that is not always necessary. What you really want to encrypt are data values, and encrypting the entire stream may conflict with other network-based security solutions you choose to deploy. This advanced capability is not supported by all database environments and is certainly not possible if you choose one of the lower-level techniques, which have no understanding of the specifics of what is being communicated between the database client and the server. As a result, all of the options described in the following sections encrypt the entire communication stream.

Oracle Advanced Security

Oracle Advanced Security (previously called Advanced Networking Option) is a package of enhancements that supports network encryption. Depending on the release you use and your licensing agreement, this package can be an extra cost (i.e., it is another line item that you may have to pay extra for) and is available only for the Enterprise Edition of the database. This option can therefore be expensive (especially when compared with some of the other options to follow, which are basically free), perhaps explaining why it has never gained widespread adoption among Oracle users.

When you use Oracle Advanced Security, the listener initiates an encryption negotiation sequence during the handshake phase whenever a client asks for a connection. During this encryption negotiation phase, the client tells the server which encryption methods it supports. The server compares this with the encryption methods it has available. If there is a nonempty intersection, the server picks a method based on the preferred methods defined by its configuration. If the intersection is empty (meaning that this client and this server cannot support an encrypted conversation), then the server rejects the client’s request to open a new connection. For a full discussion of this package and its configuration options, please refer to the Oracle Security Handbook by Marlene Theriault and Aaron Newman (McGraw-Hill, 2001).

Using SSL to secure database connections

Thanks to the Web and e-commerce, SSL has become the de facto standard for securing sensitive information over TCP/IP. It is therefore no wonder that most database environments use SSL as an encryption facility for database communications. For example, if you want to enable SSL for Sybase ASE, you need to change the appropriate entry in your interfaces file, for example, from:

syb_egdb
    master tli tcp egdb 4100
    query tli tcp egdb 4100

to:

syb_egdb
    master tli tcp egdb 4443 ssl
    query tli tcp egdb 4443 ssl

As a second example, Microsoft SQL Server 2000 uses SSL within the Super Socket Net-Library (dbnetlib.dll and ssnetlib.dll; see Chapter 3), and it applies to all intercomputer protocols supported by SQL Server 2000. When SSL encryption is active, the Super Socket Net-Library performs SSL encryption for TCP/IP, IPX/SPX, Named Pipes, Multiprotocol, AppleTalk, or Banyan VINES. Be aware that encryption slows the performance of the Net-Libraries. Encryption adds an extra network round-trip when establishing the connection, and all packets sent from the application to the instance of SQL Server or vice versa must be encrypted and decrypted by Net-Library.

To turn on SSL encryption in SQL Server 2000, open the Server Network Utility application from Programs → Microsoft SQL Server → Server Network Utility and check the Force protocol encryption checkbox, as shown in Figure 10.2.

Once you check this option on the Server Network Utility, you will need to stop and start your SQL Server instance, and when started SQL Server will accept only sessions that are encrypted. You must remember that it is not enough to turn this option on; in order for encryption to occur, the server must have a valid certificate from which it can derive the keys to perform the encryption. This requirement is common to all SSL-based facilities, regardless of the database platform. In the example shown here, SSL encryption will only work if your instance of SQL Server 2000 is running on a computer that has been assigned a certificate from a public certification authority. The computer on which the application is running must also have a root CA certificate from the same authority. Thus, SQL Server relies on certificate management facilities, which are part of the Windows operating system (or Active Directory for simpler key management). If you do not have a certificate on your server, SQL Server will not start up and you will get an error in your Application Event Log, as shown in Figure 10.3.

SSL is an industry standard, and as such, most modern database systems support the use of SSL for encrypting data-in-transit. Let’s look at another example for setting up SSL-based communications for MySQL on a Linux system. To complete an SSL-based configuration, follow these steps:

Figure 10.2 Forcing SQL Server to serve only encrypted sessions.

1. Make sure that you have the SSL library for your version of MySQL. For example, install MySQL-server-4.0.18-ssl0.i386.rpm.

2. Run make_mysql_certs.sh to create the required certificates. This will create a directory by the name of openssl that will contain three PEM files that MySQL will require. (PEM stands for Privacy-Enhanced Mail and is an Internet standard that provides for secure exchange of e-mail. PEM certificates are widely used outside of mail services.)

3. Move the openssl/ca-cert.pem, openssl/server-cert.pem and openssl/server-key.pem to a directory in which you want to put the PEM files and then change /etc/my.cnf to point at these files using lines of the form:

ssl-ca=<path to ca-cert.pem file>
ssl-cert=<path to server-cert.pem file>
ssl-key=<path to server-key.pem file>

4. Log in to MySQL and assign appropriate grants to a new username, defining that access must be made through SSL:

GRANT ALL on <db>.* to <user> IDENTIFIED BY "<pwd>" REQUIRE SSL

where <db> is the name of your database, and if you want to make sure that connections are available only over SSL, you should remove other users from the system.

5. Try to connect over SSL by using:

mysql --ssl=1 -u<user> -p<pwd> -h<host> --ssl-cert=/tmp/ssl/client-cert.pem --ssl-key=/tmp/ssl/client-key.pem --ssl-ca=/tmp/ssl/ca-cert.pem

6. If you try to connect to this user without the ssl parameters:

mysql -u<user> -p<pwd> -h<host>

you will get an error of the form:

ERROR 1045: Access denied for user: '<user>' (Using password: YES)
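The three my.cnf lines from step 3 are easy to get wrong (a mistyped path, a file that is not PEM, a server key left readable by everyone). The following is an added example, not code from the book, that audits those settings offline; it assumes a simple single-file my.cnf with a [mysqld] section and writes constructed placeholder PEM files, not real keys.

```python
import configparser
import os
import stat
import tempfile

SSL_KEYS = ("ssl-ca", "ssl-cert", "ssl-key")   # the three my.cnf lines added in step 3


def check_mysql_ssl(my_cnf: str) -> list:
    """Return the problems found in the [mysqld] SSL settings of my_cnf (empty list = all good)."""
    cfg = configparser.ConfigParser(allow_no_value=True, interpolation=None, strict=False)
    cfg.read(my_cnf)                      # assumes a plain single-file my.cnf (no !include lines)
    if "mysqld" not in cfg:
        return ["no [mysqld] section"]
    opts = {k.replace("_", "-"): v for k, v in cfg["mysqld"].items()}  # mysqld accepts ssl_ca too
    problems = []
    for key in SSL_KEYS:
        path = opts.get(key)
        if not path:
            problems.append(f"{key} is not set")
        elif not os.path.isfile(path):
            problems.append(f"{key}: {path} does not exist")
        else:
            with open(path) as f:
                if not f.readline().startswith("-----BEGIN "):
                    problems.append(f"{key}: {path} is not a PEM file")
            if key == "ssl-key" and os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
                problems.append(f"{key}: {path} is readable by group or others")
    return problems


def write_sample(dirpath: str, key_mode: int = 0o600) -> str:
    """Write a constructed my.cnf plus placeholder PEM files (not real keys); return the my.cnf path."""
    files = {"ssl-ca": ("ca-cert.pem", "CERTIFICATE"), "ssl-cert": ("server-cert.pem", "CERTIFICATE"),
             "ssl-key": ("server-key.pem", "RSA PRIVATE KEY")}
    lines = ["[mysqld]\n"]
    for key, (name, kind) in files.items():
        path = os.path.join(dirpath, name)
        with open(path, "w") as f:
            f.write(f"-----BEGIN {kind}-----\nPLACEHOLDER\n-----END {kind}-----\n")
        os.chmod(path, key_mode if key == "ssl-key" else 0o644)   # server-key.pem should be 0600
        lines.append(f"{key}={path}\n")
    cnf = os.path.join(dirpath, "my.cnf")
    with open(cnf, "w") as f:
        f.writelines(lines)
    return cnf


def audit_sample(key_mode: int = 0o600) -> list:
    with tempfile.TemporaryDirectory() as d:   # build the sample in a throwaway directory and audit it
        return check_mysql_ssl(write_sample(d, key_mode))
```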

If you look at the packets on the network before and after enabling SSL, you will see the difference. The following packet capture shows a simple MySQL query in clear text:

4500 00f4 3f9c 4000 4006 729e c0a8 0342 | E...?.@.@.r....B
c0a8 0337 9c32 0cea 2294 49a4 e612 87b0 | ...7.2..".I.....
8018 87c0 7a9b 0000 0101 080a 0514 baf0 | ....z...........
0514 e616 bc00 0000 0353 454c 4543 5420 | .........SELECT 
5441 534b 5f52 4543 4549 5645 522e 5441 | TASK_RECEIVER.TA
534b 5f52 4543 4549 5645 525f 4944 2c20 | SK_RECEIVER_ID, 
5441 534b 5f52 4543 4549 5645 522e 5441 | TASK_RECEIVER.TA
534b 5f49 442c 2054 4153 4b5f 5245 4345 | SK_ID, TASK_RECE
4956 4552 2e55 5345 525f 4944 2c20 5441 | IVER.USER_ID, TA
534b 5f52 4543 4549 5645 522e 4f52 4445 | SK_RECEIVER.ORDE
525f 4e4f 2c20 5441 534b 5f52 4543 4549 | R_NO, TASK_RECEI
5645 522e 4143 5449 4f4e 5f52 4551 5549 | VER.ACTION_REQUI
5245 4420 4652 4f4d 2054 4153 4b5f 5245 | RED FROM TASK_RE
4345 4956 4552 2057 4845 5245 2054 4153 | CEIVER WHERE TAS
4b5f 5245 4345 4956 4552 2e55 5345 525f | K_RECEIVER.USER_
4944 3d31                               | ID=1
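To make the point concrete, the following added example (not code from the book) parses the capture above as an IPv4/TCP packet and pulls the SQL text out of the MySQL COM_QUERY packet, which is exactly what any observer on the wire can do when the session is not encrypted. It assumes the dump starts at the IPv4 header, as the book's capture does, and the byte string below is constructed from that dump.

```python
import struct

# Constructed from the capture above: the same 244-byte IPv4 packet with the
# offsets and ASCII column stripped (the book's dump carries no Ethernet frame).
CAPTURE = bytes.fromhex(
    "450000f43f9c40004006729ec0a80342"
    "c0a803379c320cea229449a4e61287b0"
    "801887c07a9b00000101080a0514baf0"
    "0514e616bc0000000353454c45435420"
    "5441534b5f52454345495645522e5441"
    "534b5f52454345495645525f49442c20"
    "5441534b5f52454345495645522e5441"
    "534b5f49442c205441534b5f52454345"
    "495645522e555345525f49442c205441"
    "534b5f52454345495645522e4f524445"
    "525f4e4f2c205441534b5f5245434549"
    "5645522e414354494f4e5f5245515549"
    "5245442046524f4d205441534b5f5245"
    "43454956455220574845524520544153"
    "4b5f52454345495645522e555345525f"
    "49443d31"
)
COM_QUERY = 0x03  # MySQL command byte that carries a text query


def tcp_segment(packet: bytes) -> tuple:
    """Return (src_port, dst_port, payload) of an IPv4/TCP packet; raise on malformed headers."""
    if packet[0] >> 4 != 4 or packet[9] != 6:           # version 4, protocol 6 = TCP
        raise ValueError("not an IPv4/TCP packet")
    ihl = (packet[0] & 0x0F) * 4                          # IP header length in bytes
    total_len = struct.unpack("!H", packet[2:4])[0]
    if ihl < 20 or total_len > len(packet):
        raise ValueError("truncated or malformed IPv4 header")
    tcp = packet[ihl:total_len]
    src, dst = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4                         # TCP header length incl. options
    if data_off < 20 or data_off > len(tcp):
        raise ValueError("malformed TCP header")
    return src, dst, tcp[data_off:]


def mysql_query(payload: bytes):
    """Return the SQL text if payload is one complete clear-text COM_QUERY packet, else None."""
    if len(payload) < 5:
        return None
    length = int.from_bytes(payload[0:3], "little")      # 3-byte little-endian packet length
    body = payload[4:4 + length]                          # payload[3] is the sequence id
    if len(body) != length or body[0] != COM_QUERY:
        return None
    return body[1:].decode("latin-1")
```

Run against the capture, the destination port is 3306 and the decoded payload is the full SELECT statement; a truncated or TLS-wrapped payload yields None instead.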

Posted on: 08/08/2014, 18:22
