Database Security
David Nguyen
Dangers of Internet
Web-based applications open up new threats to a corporation's security.
Protection of information is critical to the success of a business.
Analyzing the threat
- Internet access
- Port access
- Server access
- Network access
Internet access
If hackers can guess the IP address of a server, they can telnet to the server and get a login prompt. At this point, all they need is a user ID and password to gain access to the server.
Port access
All Web applications are configured to listen on a predefined port for incoming connections, and they generally use a listener daemon process to poll for connections.
Server access
A four-tiered Web application incorporates a series of Web servers, application servers, and database servers. Each of these servers presents a potential point of entry, and if remote shell access is enabled, a hacker that gets access to a single database may get access to many servers.
Network access
OracleNet, as an example, allows for incoming connect strings to the Oracle listener process. If hackers know the port, IP address, Oracle ID, and password, they can gain direct access to the database.
Countermeasures
- Restricting server access
- Server account disabling
- Trusted IP addresses
- Restricting database access
- Authentication of users
Restricting server access
Some companies use domain servers to restrict server access to specified users. However, hackers still might intercept user IDs and passwords. To prevent this, many companies employ tools that utilise secure shell (ssh) technologies to encrypt external Internet communications.
Trusted IP addresses
UNIX servers can be configured to answer only pings from a list of "trusted" hosts. In UNIX, one can also restrict server access to a list of specific users.
Server account disabling
If you suspend the server ID after three password attempts, attackers are thwarted. Without user ID suspension, an attacker can run a program that generates millions of passwords until it guesses the user ID and password combination.
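The suspension the slide describes can be enforced at the database itself rather than only at the server login. The block below is an added example, not part of the original slides: an Oracle password profile that locks an account after three failed logins, with a query a DBA can use to see which accounts have been locked. The profile name, user name and time limits are assumptions.

```sql
-- Added example (not from the slides): lock an Oracle account after the
-- third wrong password, as the slide recommends. Names are assumptions.
CREATE PROFILE app_secure_profile LIMIT
  FAILED_LOGIN_ATTEMPTS 3        -- lock after the third consecutive failure
  PASSWORD_LOCK_TIME    1        -- stay locked for 1 day unless a DBA unlocks
  PASSWORD_LIFE_TIME    90       -- force a password change every 90 days
  PASSWORD_GRACE_TIME   7;       -- warn for 7 days before expiry

-- Attach the profile to the account the application logs in with.
ALTER USER app_user PROFILE app_secure_profile;

-- Detection: which accounts are currently locked, and since when?
-- A lock on an account nobody should be using interactively is a signal
-- worth investigating before it is unlocked.
SELECT username, account_status, lock_date
  FROM dba_users
 WHERE account_status LIKE 'LOCKED%';

-- Re-enable only after the failed attempts have been explained.
ALTER USER app_user ACCOUNT UNLOCK;
```

With `PASSWORD_LOCK_TIME` set, the lock expires on its own; without it the account stays locked until a DBA unlocks it, which is the stricter choice for privileged accounts.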
Authentication of users
- Kerberos security
- Virtual private databases
- Role-based security
- Grant-execute security
- Port access security
Kerberos security
Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography.
Virtual private databases
VPD technology can restrict access to selected rows of tables by attaching a policy to the table, so the restriction applies whatever SQL the user writes.
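The row restriction in Oracle VPD is a policy function that returns a WHERE predicate, which the database appends to every statement against the protected table. The block below is an added example, not part of the original slides: a policy that lets each database user see only the orders of the customer mapped to their session user. The schema (`app`), the `orders` and `customer_accounts` tables and their columns are assumptions.

```sql
-- Added example (not from the slides): Oracle VPD policy limiting ORDERS to
-- the caller's own customer rows. Schema, table and column names are assumed.
CREATE OR REPLACE FUNCTION app.orders_by_customer (
  p_schema IN VARCHAR2,   -- required policy-function signature
  p_object IN VARCHAR2
) RETURN VARCHAR2
IS
BEGIN
  -- The returned text is appended as a WHERE predicate to every statement
  -- against app.orders. SESSION_USER comes from the authenticated session,
  -- so the filter cannot be removed by rewriting the application's SQL.
  RETURN 'customer_id = (SELECT customer_id FROM app.customer_accounts ' ||
         'WHERE db_user = SYS_CONTEXT(''USERENV'', ''SESSION_USER''))';
END;
/

BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'APP',
    object_name     => 'ORDERS',
    policy_name     => 'ORDERS_OWN_ROWS',
    function_schema => 'APP',
    policy_function => 'ORDERS_BY_CUSTOMER',
    statement_types => 'SELECT, INSERT, UPDATE, DELETE',
    update_check    => TRUE);   -- also reject INSERT/UPDATE of rows the
END;                            -- caller would not be allowed to read
/
```

Two points a practitioner should check: a user with the `EXEMPT ACCESS POLICY` system privilege bypasses VPD entirely, so that privilege must be granted to almost nobody; and if the predicate subquery finds no mapping row for the session user, the comparison is against NULL and the user sees no rows, which is the safe default.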
Role-based security
Object privileges can be grouped into roles, which can then be assigned to specific users.
Grant-execute security
Execution privileges on procedures can be tightly coupled to users. When a user executes the procedure, they gain database access, but only within the scope of what the procedure does.
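The two preceding slides, role-based security and grant-execute security, are shown together in the added example below; it is not code from the original slides. It creates a role carrying table privileges, then a procedure that runs with its definer's rights so that callers can change an order's status without any privilege on the table itself. Role, user, table and procedure names are assumptions.

```sql
-- Added example (not from the slides): role-based and grant-execute
-- security in Oracle. All object, role and user names are assumptions.

-- 1. Role-based security: group object privileges into a role and grant
--    the role, not the individual privileges, to users.
CREATE ROLE order_clerk;
GRANT SELECT, INSERT ON app.orders    TO order_clerk;
GRANT SELECT         ON app.customers TO order_clerk;
GRANT order_clerk TO alice;
-- alice holds no direct privilege on app.orders; revoking the role from
-- her removes everything in one step.

-- 2. Grant-execute security: callers never touch the table directly. The
--    procedure runs with its definer's (APP's) rights, so a caller can
--    only perform the single state change the body allows.
CREATE OR REPLACE PROCEDURE app.cancel_order (p_order_id IN NUMBER)
AUTHID DEFINER
IS
BEGIN
  UPDATE app.orders
     SET status = 'CANCELLED'
   WHERE order_id = p_order_id
     AND status   = 'OPEN';         -- only open orders may be cancelled
  IF SQL%ROWCOUNT = 0 THEN
    RAISE_APPLICATION_ERROR(-20001, 'order not found or not open');
  END IF;
END;
/

CREATE ROLE order_support;
GRANT EXECUTE ON app.cancel_order TO order_support;
GRANT order_support TO bob;
-- bob can run app.cancel_order(42) but cannot SELECT, UPDATE or DELETE
-- app.orders, and cannot set any status other than CANCELLED.

-- Review from the DBA side: which table privileges does each role carry?
SELECT role, owner, table_name, privilege
  FROM role_tab_privs
 WHERE role IN ('ORDER_CLERK', 'ORDER_SUPPORT')
 ORDER BY role, table_name, privilege;
```

The review query is the check to run periodically: a role that quietly accumulates `UPDATE` or `DELETE` on the base table defeats the point of routing access through the procedure.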
Port access security
All Oracle applications are directed to listen at a specific port number on the server. Like any standard HTTP server, the Oracle Web Listener can be configured to restrict access.
Conclusion
Allowing outside access to critical applications creates vulnerabilities in a company's security.
These threats need to be dealt with because of the importance of the information they put at risk.