Securing MySQL
With a Focus on SSL
http://www.yassl.com (206) 369-4800
About Me
Chris Conlon
Software Developer at yaSSL, Bozeman, MT
© Copyright 2011 yaSSL
© Copyright 2011 FishEyeGuyPhotography
SSL Statistics
Ivan Ristic: Internet SSL Survey 2010, http://www.ssllabs.com
• Sample of 119 Million Domain Names
  - 0.60% Certificate Name Matches
  - 0.42% Counting only valid ones
• Alexa Top 1M Sites
  - 120,000 Use SSL (12%)
Presentation Outline
Part I: MySQL Security
1. Common Attacks & Vulnerabilities
2. Good Security Practices for MySQL
Part II: SSL/TLS
1. Overview of SSL and TLS
2. Configuring and Building MySQL with SSL
3. MySQL SSL Command Options
4. SSL Certificate Creation
5. Performance Comparison
Part III: Additional Security Concerns
1. Data Storage and Encryption
Part IV: Wrap-Up
1. Licensing
2. yaSSL
3. Conclusion
Part I: MySQL Security
(MySQL Updates, Account Passwords, Test Databases, mysqld, Privileges)
Common Attacks and Vulnerabilities
Do we really need to secure our MySQL database? YES!
MySQL is Susceptible to Many Attacks:
- Basic Attacks (empty password, etc.)
- SQL Injection Attacks
- Known MySQL Bugs and Vulnerabilities
- Trojanning MySQL
Good Security Practices for MySQL
A. Keeping MySQL Version Up to Date
An easy way to stay better protected:
- New MySQL Patches, Bug Fixes, etc.
- You should take advantage of updates
Good Security Practices for MySQL
(Chart: 'MySQL' Vulnerabilities By Year, source cvedetails.com / nvd.nist.gov; years 2000 through 2011; bar values as extracted from the chart: 3, 6, 8, 5, 9, 11, 14, 10, 6, 7, 6, 16)
Good Security Practices for MySQL
• yaSSL Vulnerabilities affecting MySQL in the past:
- CVE-2005-3731: Certificate Chain Processing
- CVE-2008-0227: Denial of Service (crash)
- CVE-2008-0226: Allowed Execution of Arbitrary Code
- CVE-2009-4484: Allowed Execution of Arbitrary Code, Denial of Service Possible
Good Security Practices for MySQL
B. Passwords: Root Accounts
• They are empty by default
Quick Check: mysql -u root ("Welcome to the MySQL monitor" = Not Good)
shell> mysql -u root
mysql> UPDATE mysql.user SET Password = PASSWORD('newpwd')
    -> WHERE User = 'root';
mysql> FLUSH PRIVILEGES;
Good Security Practices for MySQL
B. Passwords: Anonymous Accounts
Assign anonymous accounts passwords:
shell> mysql -u root -p
Enter password: (enter root password here)
mysql> UPDATE mysql.user SET Password = PASSWORD('newpwd')
    -> WHERE User = '';
mysql> FLUSH PRIVILEGES;
Or remove them:
shell> mysql -u root -p
Enter password: (enter root password here)
mysql> DROP USER ''@'localhost';
mysql> DROP USER ''@'host_name';
Good Security Practices for MySQL
B. Passwords: Strength is Key
Use strong passwords
• Combine letters and numbers
• mhallwltpic++ = "mary had a little lamb who liked to program in C++"
• uuidgen, pwgen tools
Good Security Practices for MySQL
C. Securing Test Databases
• By default, anyone can access test databases
- Convenient for testing, not production
• Delete databases or restrict privileges
shell> mysql -u root -p
Enter password: (enter root password here)
mysql> DELETE FROM mysql.db WHERE Db LIKE 'test%';
mysql> FLUSH PRIVILEGES;
Good Security Practices for MySQL
D. Securing mysqld
• Don't run MySQL as root user
shell> mysqld --user=mysql
• Disable Remote Access (--skip-networking)
- Only allows access from local machine
Good Security Practices for MySQL
E. mysql_secure_installation script
Allows you to:
• Set a password for root account
• Remove root accounts that are accessible from outside of the local host
• Remove anonymous user accounts
• Remove the test database that can be accessed from all users
• Reload privilege tables so that above take effect
* Not available on Windows
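The checks in sections B, C and E above, as one audit-and-fix script. This is an added example, not part of the original slides; it assumes MySQL 5.5 (a Password column in mysql.user) and a root session opened with mysql -u root -p, and the password string is a placeholder to replace.

```sql
-- Added example (not from the slides): find the weak accounts described in
-- sections B, C and E, then remediate them the way mysql_secure_installation does.
-- Assumes MySQL 5.5 and a connection as root.

-- 1. Accounts with an empty password (root or otherwise)
SELECT User, Host
  FROM mysql.user
 WHERE Password = '';

-- 2. Anonymous accounts (empty user name)
SELECT User, Host
  FROM mysql.user
 WHERE User = '';

-- 3. root accounts reachable from outside the local host
SELECT User, Host
  FROM mysql.user
 WHERE User = 'root'
   AND Host NOT IN ('localhost', '127.0.0.1', '::1');

-- 4. Privilege rows that open the test databases to everyone
SELECT Host, Db, User
  FROM mysql.db
 WHERE Db LIKE 'test%';

-- Remediation. Replace the placeholder password before running; issue one
-- DROP USER per (User, Host) pair that queries 2 and 3 returned, since
-- DROP USER on an account that does not exist is an error.
SET PASSWORD FOR 'root'@'localhost' = PASSWORD('<replace-with-strong-password>');
DROP USER ''@'localhost';
DROP USER 'root'@'%';
DELETE FROM mysql.db WHERE Db LIKE 'test%';
DROP DATABASE IF EXISTS test;
FLUSH PRIVILEGES;

-- Re-run queries 1 to 4: each should now return an empty set.
```

Run the four SELECTs first and keep their output; the remediation block is then applied to exactly the rows they listed, and the same SELECTs serve as the regression check afterwards.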
Good Security Practices for MySQL
F. Notes about Privileges
• Don't grant all users PROCESS or SUPER privilege
- Can see text of currently-executing queries (SHOW PROCESSLIST;)
• Don't grant all users the FILE privilege
- Enables reading/writing to file system wherever mysqld process has access
Good Security Practices for MySQL
G. Additional Measures
These depend on your unique situation:
• Restrict access to log files
- Ensure only 'root' and the mysqld user can access
• Restrict MySQL data directory access only to server account
Good Security Practices for MySQL
G. Additional Measures
These depend on your unique situation:
• Add Application-specific Users
- Each user only has required privileges (Ex: Ruby/PHP/etc. Application)
• Restrict where MySQL listens
- You might only need to listen on localhost:
bind-address = 127.0.0.1
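An application-specific account as sections F and G describe: DML only, on one schema, only from localhost, and a query that audits who holds the global privileges section F warns about. This is an added example, not from the slides; the schema name appdb, the table, the account app_rw and the password are constructed placeholders.

```sql
-- Added example (not from the slides): a least-privilege application account.
-- appdb, appdb.orders, app_rw and the password are constructed placeholders.
CREATE DATABASE IF NOT EXISTS appdb;
CREATE TABLE IF NOT EXISTS appdb.orders (
  id     INT AUTO_INCREMENT PRIMARY KEY,
  number INT NOT NULL,
  total  DECIMAL(10,2) NOT NULL
);

-- Host part 'localhost' matches a server bound to 127.0.0.1; the account gets
-- only the DML it needs on appdb and nothing global.
CREATE USER 'app_rw'@'localhost' IDENTIFIED BY '<replace-with-strong-password>';
GRANT SELECT, INSERT, UPDATE, DELETE ON appdb.* TO 'app_rw'@'localhost';
FLUSH PRIVILEGES;

-- Verify: the only *.* grant should be USAGE, so no FILE, PROCESS or SUPER.
SHOW GRANTS FOR 'app_rw'@'localhost';

-- Audit: every account that does hold the dangerous global privileges.
SELECT User, Host, File_priv, Process_priv, Super_priv
  FROM mysql.user
 WHERE File_priv = 'Y' OR Process_priv = 'Y' OR Super_priv = 'Y';

-- Audit: application-style accounts that can connect from anywhere.
SELECT User, Host
  FROM mysql.user
 WHERE Host = '%';
```

The two audit queries are worth running on any existing server before adding new accounts: the first shows which accounts could read other sessions' queries or the file system, the second which ones are not tied to a host.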
Good Security Practices for MySQL
G. Additional Measures
These depend on your unique situation:
• Can disable LOAD DATA LOCAL INFILE command
- Can allow reading of local files
• Remove Content of MySQL History File
- All executed SQL commands are stored
shell> cat /dev/null > ~/.mysql_history
Part II: SSL / TLS
(Overview, X.509 Certificates, Handshake, MySQL and SSL)
Overview of SSL / TLS
By default, MySQL uses unencrypted connections between the client and server!
(Diagram: Alice, the MySQL Client, talking to Bob, the MySQL Server, with Mallory positioned between them)
Overview of SSL / TLS
A. What is SSL / TLS?
- Originally developed by Netscape
- Layered between Transport (TCP/IP) and Application layers:
(Diagram of the protocol stack)
Network Layer:     Network Access
Internet Layer:    IP
Transport Layer:   TCP
SSL Record Layer:  SSL Handshake Protocol, SSL Change Cipher Spec Protocol, SSL Alert Protocol
Application Layer: Protocols Secured by SSL/TLS (HTTP, LDAP, etc.) alongside unsecured protocols (HTTP, SMTP, etc.)
Overview of SSL / TLS
A. What is SSL / TLS?
• Provides secure client/server communication, including:
- Privacy: Prevent eavesdropping
- Authentication: Prevent impersonating
- Integrity: Prevent modification
• Can be implemented on almost any OS that supports TCP/IP
Overview of SSL / TLS
A. What is SSL / TLS?
• Uses a variety of encryption algorithms to secure data:
- Hashing Functions: MD2, MD4, MD5, SHA-1, SHA-2, RIPEMD
- Block and Stream Ciphers: DES, 3DES, AES, ARC4, RABBIT, HC-128
- Public Key Options: RSA, DSS, DH
Overview of SSL / TLS
A. What is SSL / TLS?
• These algorithms are negotiated during the SSL handshake
• Are combined into a "Cipher Suite". Examples:
SSL_RSA_WITH_DES_CBC_SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Overview of SSL / TLS
B. X.509 Certificate Concepts
• Elements in "Public Key Infrastructure (PKI)"
• Acts as a container for public key (used to verify/validate end entities)
• Digitally-signed by a trusted authority
• Buy (CA) vs. Create Your Own (Self-Sign)
- Buy: VeriSign, DigiCert, Thawte, etc.; Costs Money; Trusted
- Self-Sign: Created Yourself; Free; Trusted (if you control both sides)
Overview of SSL / TLS
C. SSL Handshake - Simplified Diagram
(Diagram, Client on the left and Server on the right; messages in parentheses are optional)
Client -> Server: Client Hello (Cryptographic Info: SSL version, supported ciphers, etc.)
Server -> Client: Server Hello, Cipher Suite, Server Certificate, Server Key Exchange (public key), (Client Certificate Request), Server Hello Done
Client: Verify server cert, check crypto parameters
Client -> Server: Client Key Exchange, (Client Certificate), (Certificate Verify)
Server: Verify client cert (if required)
Client -> Server: Change Cipher Spec, Client Finished
Server -> Client: Change Cipher Spec, Server Finished
Client <-> Server: Exchange Messages (Encrypted)
Overview of SSL / TLS
D. SSL is Everywhere
SSL is used in a wide range of applications:
- Browsers
- Email
- Routers
- Factory Automation
- VoIP
- Automobile Communications
- Sensors
- Smart Power Meters
And much more!!
Overview of SSL / TLS
E. SSL in MySQL?
- Your system must support either OpenSSL or yaSSL
- MySQL must be built with SSL support
Note: MySQL is bundled with yaSSL
Overview of SSL / TLS
Checking for SSL
• Confirm that the user table in the 'mysql' database includes SSL-related columns:
- Beginning with: ssl_, x509_
• Check if binary is compiled with SSL support:
shell> mysqld --ssl --help
060525 14:18:52 [ERROR] mysqld: unknown option '--ssl'
(an error like this means the binary was built without SSL support)
• mysqld: Check for 'have_ssl' system variable
Overview of SSL / TLS
Configure MySQL to use the built-in SSL (yaSSL):
shell> cmake . -DWITH_SSL=bundled
-DWITH_SSL options:
- no: No SSL support (default)
- yes: Use system SSL library if present, else bundled library
- bundled: SSL library bundled with distro (yaSSL)
- system: Use the system SSL library
** yaSSL on Unix requires /dev/urandom and /dev/random to be available
Overview of SSL / TLS
To allow client connections through SSL, start MySQL with the appropriate options:
shell> mysqld_safe --user=mysql \
         --ssl-ca=ca-cert.pem \
         --ssl-cert=server-cert.pem \
         --ssl-key=server-key.pem
--ssl-ca: identifies the certificate authority certificate
--ssl-cert: identifies the server public key
--ssl-key: identifies the server private key
Overview of SSL / TLS
Client connecting securely:
I. Account created with GRANT statement including REQUIRE SSL:
shell> mysql -u user -p --ssl-ca=ca-cert.pem
II. Account created with REQUIRE X509 in addition:
shell> mysql -u user -p --ssl-ca=ca-cert.pem \
         --ssl-cert=client-cert.pem \
         --ssl-key=client-key.pem
MySQL SSL Command Options
Name                    Cmd-Line  Option File  System Var  Var Scope  Dynamic
have_openssl                                   Yes         Global     No
have_ssl                                       Yes         Global     No
skip-ssl                Yes       Yes
ssl                     Yes       Yes
ssl-ca                  Yes       Yes          Yes         Global     No
ssl-capath              Yes       Yes          Yes         Global     No
ssl-cert                Yes       Yes          Yes         Global     No
ssl-cipher              Yes       Yes          Yes         Global     No
ssl-key                 Yes       Yes          Yes         Global     No
ssl-verify-server-cert  Yes       Yes
http://dev.mysql.com/doc/refman/5.5/en/ssl-options.html
MySQL SSL Command Options
have_openssl, have_ssl
YES = mysqld supports SSL connections
DISABLED = server was compiled with SSL support, but it is not enabled (no --ssl-xxx options given)
Check: SHOW VARIABLES LIKE 'have%ssl';
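The server-side check above together with the REQUIRE SSL and REQUIRE X509 account forms from the "Client connecting securely" slide, as one worked SQL sequence. This is an added example, not from the slides; it assumes MySQL 5.5 started with the --ssl-ca, --ssl-cert and --ssl-key options shown earlier, and the schema appdb, the account names, the password and the certificate subject and issuer strings are constructed placeholders.

```sql
-- Added example (not from the slides): confirm SSL is on, then require it per
-- account. appdb, the account names, password and DN strings are constructed.

-- Server side: YES means SSL is available; DISABLED means compiled in but the
-- --ssl-xxx options were not given; NO means not compiled with SSL at all.
SHOW VARIABLES LIKE 'have%ssl';

-- Account that must use an encrypted connection; the client needs --ssl-ca.
GRANT SELECT ON appdb.* TO 'report'@'%'
  IDENTIFIED BY '<replace-with-strong-password>'
  REQUIRE SSL;

-- Account that must also present a client certificate signed by our CA;
-- the client needs --ssl-ca, --ssl-cert and --ssl-key.
GRANT SELECT, INSERT ON appdb.* TO 'app_rw'@'%'
  IDENTIFIED BY '<replace-with-strong-password>'
  REQUIRE X509;

-- Stricter: pin the client certificate's subject and issuer. The strings must
-- match the certificate exactly; these values are constructed for the example.
GRANT SELECT ON appdb.* TO 'batch'@'%'
  IDENTIFIED BY '<replace-with-strong-password>'
  REQUIRE SUBJECT '/C=US/ST=MT/L=Bozeman/O=Example/CN=batch-client'
      AND ISSUER  '/C=US/ST=MT/L=Bozeman/O=Example/CN=example-ca';
FLUSH PRIVILEGES;

-- From a client session: an empty Ssl_cipher means this session is in the
-- clear even though the server offers SSL.
SHOW STATUS LIKE 'Ssl_cipher';

-- Audit: accounts that are still allowed to connect without encryption.
SELECT User, Host, ssl_type
  FROM mysql.user
 WHERE ssl_type = '';
```

The closing audit query is the one to keep: ssl_type is '' for accounts with no requirement, ANY for REQUIRE SSL, X509 for REQUIRE X509, and SPECIFIED when a subject, issuer or cipher is pinned, so an empty result means no account can fall back to a plaintext connection.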
MySQL SSL Command Options
skip-ssl
- Indicate that SSL should not be used
- Same as using --ssl=0
ssl
- Server: Specifies that the server permits SSL connections
- Client: Permits a client to connect to server using SSL
MySQL SSL Command Options
ssl-ca
- The path to the file containing list of trusted CAs
ssl-capath
- The path to a directory containing trusted CAs (PEM format)
MySQL SSL Command Options
ssl-cert
- Name of the SSL certificate to be used
ssl-cipher
- A list of permissible ciphers to use for SSL
--ssl-cipher=AES128-SHA
--ssl-cipher=DHE-RSA-AES256-SHA:AES128-SHA
MySQL SSL Command Options
ssl-key
- Name of the SSL key file
ssl-verify-server-cert
- Clients only
- Server's Common Name verified against server host name
- Connection rejected if no match
SSL Certificate Creation
A. Generating Certificates
1. Create CA certificate (private key, public cert)
2. Create server key
3. Create server certificate
4. Create client key
5. Create client certificate
SSL Certificate Creation
A. Generating Certificates
Create CA certificate (private key, public cert):
shell> openssl genrsa 2048 > ca-key.pem
shell> openssl req -new -x509 -nodes -days 1000 \
         -key ca-key.pem > ca-cert.pem
SSL Certificate Creation
A. Generating Certificates
Create server key and certificate:
shell> openssl req -newkey rsa:2048 -days 1000 \
         -nodes -keyout server-key.pem > server-req.pem
shell> openssl x509 -req -in server-req.pem -days 1000 \
         -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem
SSL Certificate Creation
A. Generating Certificates
Create client key and certificate:
shell> openssl req -newkey rsa:2048 -days 1000 \
         -nodes -keyout client-key.pem > client-req.pem
shell> openssl x509 -req -in client-req.pem -days 1000 \
         -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > client-cert.pem
SSL Certificate Creation
A. Generating Certificates
Remove passphrase from client/server key:
shell> openssl rsa -in client-key.pem -out client-key.pem
shell> openssl rsa -in server-key.pem -out server-key.pem
Performance Comparison of SSL
Test Machine: MacBook Pro 2.33 GHz, 2 GB 667 MHz DDR2 SDRAM, Mac OS X 10.6.6 (Snow Leopard)
Performance Comparison of SSL
Footprint Size
Command: du -sh .
(Chart: MySQL Footprint Size, SSL vs. No SSL, in MB) SSL: 239; No SSL: 227
Result: 5.3% Difference
Performance Comparison of SSL
Command: du -sh *
(Chart: MySQL Footprint Comparison (Detail), SSL vs. No SSL, in MB)
bin: SSL 86; No SSL 79
lib: SSL 13; No SSL 9.2
Performance Comparison of SSL
Average Query Times (SELECT Queries, sysbench)
(Charts: MySQL Average SELECT Query Times, No SSL vs. SSL, 100,000 Requests, sysbench)
Average SELECT Query Time (ms) by Concurrency (# of Client Connections):
Concurrency   1     2     4     8     16    32
No SSL        0.1   0.1   0.21  0.65  1.33  2.67
SSL           0.14  0.14  0.29  0.76  1.62  3.32
At Client Concurrency = 8: No SSL 0.65 ms, SSL 0.76 ms
Result: 16.9% Difference
Part III: Additional Security Concerns
(Data Encryption)
Data Storage and Encryption
A. Why should you be interested in this?
• Corporate networks are becoming increasingly open to the outside
• Network is regarded as being inherently insecure
• Encrypting data is the best option: "Last Line of Defense"
• Data exposure can be costly, damaging, embarrassing
Data Storage and Encryption
B. Client Side Encryption
• Encrypt data in code before it is passed to MySQL
• Many encryption modules available (PHP, Perl, etc.)
Advantages
• Data encrypted between code & MySQL
• Allows the use of bin logging (MySQL backup/replication)
Disadvantages
• What to do with the key?
Data Storage and Encryption
C. Server Side Encryption
• AES_ENCRYPT(), AES_DECRYPT() functions
- AES-128 Default
- AES-256 w/ source-code change
• Entire Disk Encryption
• Transparent Data Encryption (Gazzang ezNcrypt)
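Column-level encryption with the AES_ENCRYPT()/AES_DECRYPT() functions named above, including the binary-column requirement and the key-in-the-statement problem that the later "Disadvantages" slide raises for bin logging. This is an added example, not from the slides; the table customer_card, its contents and the key are constructed placeholders.

```sql
-- Added example (not from the slides): server-side column encryption with
-- AES_ENCRYPT()/AES_DECRYPT(). Table, data and key are constructed placeholders.
-- AES_ENCRYPT() returns binary data, so the column must be VARBINARY or BLOB,
-- never VARCHAR (a character-set conversion would corrupt the ciphertext).
CREATE TABLE customer_card (
  id       INT PRIMARY KEY,
  card_enc VARBINARY(64) NOT NULL
);

-- The key and the plaintext are part of the statement text, so they are
-- written to the binary log, the general log and ~/.mysql_history. This is
-- the "What to do with the key?" problem: keep the key in the application
-- and never in stored SQL, scripts or history files.
SET @k = '<replace-with-application-key>';
INSERT INTO customer_card (id, card_enc)
VALUES (1, AES_ENCRYPT('4111111111111111', @k));

-- What a copy of the data file or a plain SELECT exposes: ciphertext only.
SELECT id, HEX(card_enc) FROM customer_card;

-- Decrypt with the right key. With a wrong key the padding check fails and
-- AES_DECRYPT() returns NULL rather than the plaintext.
SELECT id, CAST(AES_DECRYPT(card_enc, @k) AS CHAR) AS card
  FROM customer_card;
SELECT id, AES_DECRYPT(card_enc, 'wrong-key') AS card
  FROM customer_card;
```

Note that a statement like the INSERT above is exactly what the bin-logging disadvantage refers to: replication and backups carry the query text, key included, unless the encryption happens in the application before the value reaches MySQL.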
Data Storage and Encryption
Gazzang ezNcrypt
• ezNcrypt sits between your storage engine and file system to encrypt your data before it hits the disk.
• Traditionally called Transparent Data Encryption (TDE): the data is encrypted transparently, no changes are needed to your application, code or MySQL.
(Diagram: Application SQL "insert into orders (number, credit card, ...) values (20090101, 4307, ...)" -> Table Orders holds 20090101, 4307 -> File System orders.myd holds ciphertext 9f7c7d77a877fg8e78s09ab)
Data Storage and Encryption
Gazzang ezNcrypt addresses problems such as:
- Unauthorized attempts to read data off the database files, like SSN, Credit Card numbers or phone numbers
- Theft of the data files and intellectual property
- Tampering of data, directly modifying values in files
- Protection of tapes, backups and Data at Rest
- Protecting disks in the case the physical hardware is stolen or incorrectly disposed
Data Storage and Encryption
Gazzang ezNcrypt: Database Protection
• The database is protected from all OS users
• Any user, including root, that does not have the key cannot unlock the data.
• The MySQL process is the only one authorized to retrieve the Key to unlock the database data
(Diagram: File System orders.myd holds ciphertext 9f7c7d77a877fg8e78s09ab)
Data Storage and Encryption
Gazzang ezNcrypt
• Gazzang Key Storage System (KSS)
Data Storage and Encryption
C. Server Side Encryption
Advantages:
• Data is stored encrypted
• Easy to use
Disadvantages:
• bin logging (all queries are shown in plain text)
- Exception: Gazzang can protect the bin logs
• What to do with the key?
Part IV: Wrap-Up
(Licensing Concerns, About yaSSL)
Licensing Concerns
A. yaSSL vs. OpenSSL
- OpenSSL uses BSD-style license with announcement clause
- Makes it incompatible with GPL
- yaSSL = dual licensed (GPL, Commercial)
B. FLOSS Exception
- Permits GPL library to be used with FLOSS application
- FLOSS = "Free/Libre and Open Source Software"
yet another SSL (yaSSL)
Founded: 2004
Location: Bozeman, Seattle, Portland
Our Focus: Open Source Embedded Security for Devices
Products:
- CyaSSL, yaSSL
- yaSSL Embedded Web Server
Conclusion
Part I: MySQL Security
1. Common Attacks & Vulnerabilities
2. Good Security Practices & Policies for MySQL
Part II: SSL/TLS
1. Overview of SSL and TLS
2. Configuring and Building MySQL with SSL
3. MySQL SSL Command Options
4. SSL Certificate Creation
5. Performance Comparison
Part III: Additional Security Concerns
1. Data Storage and Encryption
http://www.yassl.com
Email: [email protected] [email protected]
Phone: (206) 369-4800
Thanks!
Helpful Sources
MySQL Manual:
http://dev.mysql.com/doc/refman/5.5/en/
http://dev.mysql.com/doc/refman/5.5/en/default-privileges.html
http://dev.mysql.com/doc/refman/5.5/en/mysql-secure-installation.html
http://dev.mysql.com/doc/refman/5.5/en/secure-connections.html
http://dev.mysql.com/doc/refman/5.5/en/security-against-attack.html
MySQL Security Resources around the Internet:
http://www.symantec.com/connect/articles/secure-mysql-database-design
SSL/TLS:
https://www.ssllabs.com/
http://en.wikipedia.org/wiki/Transport_Layer_Security