數(shù)據(jù)庫安全外文翻譯_第1頁
數(shù)據(jù)庫安全外文翻譯_第2頁
數(shù)據(jù)庫安全外文翻譯_第3頁
數(shù)據(jù)庫安全外文翻譯_第4頁
數(shù)據(jù)庫安全外文翻譯_第5頁
已閱讀5頁,還剩3頁未讀 繼續(xù)免費(fèi)閱讀

下載本文檔

版權(quán)說明:本文檔由用戶提供并上傳,收益歸屬內(nèi)容提供方,若內(nèi)容存在侵權(quán),請進(jìn)行舉報或認(rèn)領(lǐng)

文檔簡介

1、共共9頁第 頁DatabasSeecurity“WhydoIneedtosecuremydatabaseserver?NoonecanaccessititsinaDMZprotedctbeythefirewall!”Thisisoftentheresponsewhenitisrecommendedthatsuchdevicesareincludedwithinasecurityhealthcheck.Infact,databasesecurityisparamountindefendinganorganizationsinformation,asitmaybeindirectlyexposed

2、toawideraudiencethanrealized.Thisisthefirstoftwoarticlesthatwillexaminedatabasesecurity.Inthisarticlewewilldiscussgeneraldatabasesecurityconceptsandcommonproblems.InthenextarticlewewillfocusonspecificMicrosoftSQaLndOraclesecurityconcerns.Databasesecurityhasbecomeahottopicinrecenttimes.Withmoreandmor

3、epeoplebecomingincreasinglyconcernedwithcomputersecurity,wearefindingthatfirewallsandWebserversarebeingsecuredmorethanever(thoughthisdoesnotmeanthattherearenotstillalargenumberofinsecurenetworksoutthere).Assuch,thefocusisexpandingtoconsidertechnologiessuchasdatabaseswithamorecriticaleye.ommonensesec

4、urityeforewediscusstheissuesrelatintodatabasesecurityitisprudenttohigh-lightthenecessitytosecuretheunderlyingoperatingsystemandsupportingtechnologies.Itisnotworthspendingalotofeffortsecuringadatabaseifavanillaoperatingsystemisfailingtoprovideasecurebasisforthehardeningofthedata-base.Therearealargenu

5、mberofexcellentdocumentsinthepublicdomaindetailingmeasuresthatshouldbeemployedwheninstallingvariousoperatingsystems.OnecommonproblemthatisoftenencounteredistheexistenceofadatabaseonthesameserverasawebserverhostinganInternet(orIntranet)facingapplication.Whilstthismaysavethecostofpurchasingaseparatese

6、rver,itdoesseriouslyaffectthesecurityofthesolution.Wherethisisidentified,itisoftenthecasethatthedatabaseisopenlyconnectedtotheInternet.OnerecentexampleIcanrecallisanApacheWebserverservinganorganizationsInterneotffering,withanOracledatabaseavailableontheInternetonport152W1he.ninvestigatingthisissuefu

7、rtheritwasdiscoveredthataccesstotheOracleserverwasnotprotected(includinglackofpasswords),whichallowedtheservertobestopped.ThedatabasewasnotrequiredfromanInternetfacingperspective,buttheuseofdefaultsettingsandcarelesssecuritymeasuresrenderedtheservervulnerable.Thepointsmentionedabovearenotstrictlydat

8、abaseissues,andcouldbeclassifiedasarchitecturalandfirewallprotectionissuesalso,butultimatelyitisthedatabasethatiscompromised.Securityconsiderationshavetobemadefromallpartsofapublicfacingnet-work.Youcannotrelyonsomeoneorsomethingelsewithinyourorganizatiopnrotectingyourdatabasefromexposure.Attacktools

9、arenowavailableforexploitingweaknessesinSQLandOracleIcameacrossoneinterestingaspectofdatabasesecurityrecentlywhilecarryingoutasecurityreviewforaclient.Wewereperformingatestagainstanintranetapplication,whichusaedatabasebackend(SQL)tostoreclientdetails.Thseecurityreviewwasproceedingwell,withaccesscont

10、rolsbeingbasedonWindowsauthentication.OnlyauthenticatedWindowsuserswereabletoseedatabelongingtothem.Theapplicationitselfseemedtobehandlinginputrequests,rejectingallattemptstoaccessthedata-basedirectly.Wtheenhappenetdocomeacrossabackupoftheapplicationintheofficeinwhichwewereworking.Thismediacontained

11、abackupoftheSQLdatabase,whichwerestoredontoourlaptop.Allsecuritycontrolswhichwereinplaceoriginallywerenotrestoredwiththedatabaseandwewereabletobrowsethecompletedatabase,withnorestrictionsinplacetoprotectthesensitivedata.Thimsayseemlikeacontrivedwayofcompromisintghesecurityofthesystem,butdoeshighligh

12、tanimportantpoint.Itisoftennotthedirectapproachthatistakentoattackatarget,andultimateltyheendpointisthesame;systemcompromiseA.backupcopyofthdeatabasemaybestoredontheserver,andthusfacilitatesaccesstothedataindirectly.Thereisasimplesolutiontotheproblemidentifiedabove.SQL2000canbeconfiguredtousepasswor

13、dprotectionforbackups.Ifthebackupiscreatedwithpasswordprotection,thispasswordmbuesutsedwhenrestoringthepassword.Thiissaneffectiveanduncomplicatemdethoodfstoppingsimplecaptureofbackupdata.Itdoeshowevermeanthatthepasswordmustberemembered!CuernrttrendsTheraereanumberofcurrenttrendsinITsecurityw,ithanum

14、beorfthesebeinglinkedtodatabasesecurity.Thefocusondatabasesecurityisnowattractingtheattentionoftheattackers.AttacktoolsarenowavailableforexploitingweaknessesinSQLandOracle.Themergenceofthesteoolshasraisedthestakesandwehaveseenfocusedattacksagainstspecificdata-baseportsonserversexposedtotheInternet.O

15、necommonthemerunningthroughthesecurityindustryiosnthefocusapplicationsecuritya,ndinparticularbespokeWebapplications.WithefunctionalityofWebapplicationsbecomingmoreandmorecomplex,itbringsthepotentialformoresecurityweaknessesinbespokeapplicationcode.Inordertofulfillthefunctionalityofapplications,theba

16、ckenddatastoresarecommonlbyeingusedtoformatthecontentofWebpages.Thirsequiremsorecomplexcodingattheapplicationend.Withdevelopersusingdifferentstylesincodedevelopment,someofwhicharenotassecurityconsciousasother,thiscanbethesourceofexploitableerrors.SQLinjectionisonesuchhottopicwithintheITsecurityindus

17、tryatthemoment.Discussionsarenowcommonplaceamongtechnicalsecurityforums,withmoreandmorewaysandmeansofexploitingdatabasescomingtolightallthetime.SQiLnjectionisamisleadingterm,astheconceptappliestootherdatabases,includingOracle,DB2andSybase.hatisnectionnectiohssimplythemethodocommunicationithadatabase

18、usingcodeorcommandssentviaamethodorapplicationnotintendedbythedeveloper.ThemostcommonformofthisisfoundinWebapplications.Anyuserinputthatishandledbytheapplicationisacommonsourceofattack.OnesimpleexamploefmishandlingofuserinputishighlightedinFigure1.Manyofyouwillhaveseenthiscommonerrormessagewhenacces

19、singwebsites,andoftenindicatesthattheuserinputhasnotbeencorrectlyhandled.Ongettingthistypeoferror,anattackerwillfocusinwithmorespecificinputstrings.Specificsecurity-relatedcodingtechniquesshouldbeaddedtocodingstandardinusewithinyourorganization.Thedamagedonebythistypeofvulnerabilitycanbefarreaching,

20、thoughthisdependsonthelevelofprivilegestheapplicationhasinrelationtothedatabase.Iftheapplicationisaccessingdatawithfulladministratortypeprivileges,thenmaliciouslyruncommandswillalsopickupthisleveloafccess,andsystemcompromiseisinevitable.Againthisissueisanalogoustooperatingsystemsecurityprinciples,wh

21、ereprogramshouldonlyberunwiththeminimumofpermissionsthatisrequired.Ifnormaluseraccessisacceptable,thenapplythisrestriction.AgaintheproblemofSQLsecuritiysnottotallyadatabaseissue.Specificdatabasecommandorrequestsshouldnotbeallowtoedpassthroughtheapplicationlayer.Thiscanbepreventedbyemployinga“securec

22、oding”approach.Againthisisveeringoff-topic,butitisworthdetailingafewbasicstepsthatshouldbeemployed.Thefirststepinsecuringanyapplicationshouldbethevalidationandcontrolofuserinput.Stricttypingshouldbeusedwherepossibletocontrolspecificdata(e.g.ifnumericdataisexpected),andwherestringbaseddataisrequired,

23、specificnonalphanumericcharactersshouldbeprohibitedwherepossible.Wherethiscannotbeperformed,considerationshouldbemadetotryandsubstitutecharacters(foerxampletheuseofsinglequotes,whicharecommonlyusedinSQLcommands).Specificsecurity-relatedcodingtechniquesshouldbeaddedtocodingstandardinusewithinyourorga

24、nization.Ifalldevelopersareusingthesamebaselinestandards,withspecificsecuritymeasures,thiswillreducetheriskofSQLinjectioncompromises.Anothersimplemethodthatcanbeemployedistoremoveallprocedureswithinthedatabasethatarenotrequired.Thisrestrictstheextentthatunwantedorsuperfluousaspectsofthedatabasecould

25、bemaliciouslyused.Thisisanalogoustoremovingunwantedservicesonanoperatingsystem,whichiscommonsecuritypractice.verallnconclusion,mostofthepointshavemadeabovearecommonsensesecurityconcepts,andarenotspecifictodatabases.HoweverallofthesepointsDOapplytodatabasesandifthesebasicsecuritymeasuresareemployed,t

26、hesecurityofyourdatabasewillbegreatlyimproved.ThenextarticleondatabasesecuritywillfocusonspecificSQLandOraclesecurityproblems,withdetailedexamplesandadviceforDBAsanddevelopers.TherearealotofsimilaritiesbetweendatabasesecurityandgeneralITsecurity,withgenericsimplesecuritystepsandmeasuresthatcanbe(and

27、shouldbe)easilyimplementedtodramaticallyimprovesecurity.Whilethesemayseemlikecommonsense,itissurprisinghowmanytimeswehaveseenthatcommonsecuritymeasuresarenotimplementedandsocauseasecurityexposure.UseraccountandpasswordsecurityOneofthebasicfirstprincipalsinITsecuriitsy“makesureyouhaveagoodpassword”.WithinthisstatementIhaveassumedthatapasswordissetinthefirstplace,thoughthisisoftennotthecase.Itouchedoncommonsensesecurityinmylastarticle,butIthinkitisimportanttohighlightthisagain.Aswithopera

溫馨提示

  • 1. 本站所有資源如無特殊說明,都需要本地電腦安裝OFFICE2007和PDF閱讀器。圖紙軟件為CAD,CAXA,PROE,UG,SolidWorks等.壓縮文件請下載最新的WinRAR軟件解壓。
  • 2. 本站的文檔不包含任何第三方提供的附件圖紙等,如果需要附件,請聯(lián)系上傳者。文件的所有權(quán)益歸上傳用戶所有。
  • 3. 本站RAR壓縮包中若帶圖紙,網(wǎng)頁內(nèi)容里面會有圖紙預(yù)覽,若沒有圖紙預(yù)覽就沒有圖紙。
  • 4. 未經(jīng)權(quán)益所有人同意不得將文件中的內(nèi)容挪作商業(yè)或盈利用途。
  • 5. 人人文庫網(wǎng)僅提供信息存儲空間,僅對用戶上傳內(nèi)容的表現(xiàn)方式做保護(hù)處理,對用戶上傳分享的文檔內(nèi)容本身不做任何修改或編輯,并不能對任何下載內(nèi)容負(fù)責(zé)。
  • 6. 下載文件中如有侵權(quán)或不適當(dāng)內(nèi)容,請與我們聯(lián)系,我們立即糾正。
  • 7. 本站不保證下載資源的準(zhǔn)確性、安全性和完整性, 同時也不承擔(dān)用戶因使用這些下載資源對自己和他人造成任何形式的傷害或損失。

評論

0/150

提交評論