SlideShare a Scribd company logo
Securing Production
Deployments
Security
threats
best
practices
“The majority of the HTTP attacks were made to PHPMyadmin, a popular
MySQL and MariaDB remote management system. Many web content
management systems, not to mention WordPress, rely on these these
databases. Vulnerable WordPress plugins were also frequently attacked.
Mind you, this was on a system that even in honeypot mode hadn't emitted
a single packet towards the outside world.”
ZDNet - Jan 23rd 2018
Threats
Viruses
Hacker attacks
Software spoofing
Defense
• Do not allow TCP connections to
MariaDB from the Internet at large.
• Configure MariaDB to listen on
a network interface that is only
accessible from the host where
your application runs.
• Design your physical network to
connect the app to MariaDB
• Use bind-address to bind to
a specific network interface
• Use your OS’s firewall
• Keep your OS patched
The Internet
Threats
Denial of Service
Attacks created by
overloading application
SQL query
injection attacks
Defense
• Do not run your application
on your MariaDB Server.
• Do not install unnecessary packages
on your MariaDB Server.
• An overloaded application can use so
much memory that MariaDB could
slow or even be killed by the OS. This is
an effective DDoS attack vector.
• A compromised application or service
can have many serious side effects
– Discovery of MariaDB credentials
– Direct access to data
– Privilege escalation
Applications
Threats
• Disgruntled employees
• Mistakes and human error
Defense
• Limit users who have:
– SSH access to your MariaDB server.
– Sudo privileges on your MariaDB server.
• Set the secure_file_priv option to ensure
that users with the FILE privilege cannot
write or read MariaDB data or important
system files.
• Do not run MariaDB process (mysqld) as
root
• Avoid wide hostname wildcards (“%”), use
specific host names / IP addresses
Excessive Trust
Threats
• Disgruntled employees
• Mistakes and human error
Defense
• Do not use the MariaDB “root”
user for application access.
• Grant only the privileges required
by your application.
• Minimize the privileges granted
to the MariaDB user accounts used
by your applications
– Don’t grant CREATE or
DROP privileges.
– Don’t grant the FILE privilege.
– Don’t grant the SUPER privilege.
– Don’t grant access to the
mysql database
Excessive Trust
MariaDB
MaxScale
Security
Features
MariaDB MaxScale Concept
DATABASE
SERVERS
MASTER
SLAVES
Binlog Cache
Insulates client applications
from the complexities
of backend database cluster
Simplify replication
from database
to other databases
CLIENT
PROTOCOL SUPPORT
AUTHENTICATION
PARSING
DATABASE MONITORING
LOAD BALANCING & ROUTING
QUERY TRANSFORMATION & LOGGING
Flexible, easy to
write plug-ins for
Generic Core
MULTI-THREADED
E-POLL BASED
STATELESS
SHARES THE THREAD POOL
MariaDB
Security
Features
Password Validation
Simple_password_check
plugin
Enforce a minimum
password
length and type/number of
characters to be used
External Authentication
Single Sign On is getting
mandatory in most Enterprises.
PAM-Authentication Plugin
allows using /etc/shadow and any
PAM based authentication like LDAP
Kerberos-Authentication as a
standardized network authentication
protocol is provided GSSAPI based on
UNIX and SSPI based on Windows
Applications
MariaDB PAM Authentication
GSS-API on Linux
• Red Hat
Directory Server
• OpenLDAP
SSPI on Windows
• Active DirectoryKDC Client MariaDB
2
3
4
1
Ticket
request
Service
ticket
Here is my
service ticket,
authenticate me
Client /
server
session
MariaDB Role Based Access Control
DBA
Developer
Sysadmin
Database
Tables
MariaDB 10
Role: DBA
Permissions:
• Update Schema
• View Statistics
• Create Database
Secured Connections
SSL Connections based on
the TLSv1.2 Protocol
Between MariaDB
Connectors and Server
Between MariaDB
Connectors and MaxScale
SSL can also be enabled
for the replication channel
External Authentication
Selective
Data-At-Rest
Encryption
Application control
of data encryption
Based on the AES
(Advanced Encryption
Standard) or DES
(Data Encryption
Standard) algorithm
Encryption for Data in Motion
Data-at-Rest
Encryption
• Everything:
– Tables or tablespaces
– Log files
• Independent of encryption
capabilities of applications
• Based on encryption keys,
key ids, key rotation and
key versioning
Key
Management
Services
• Encryption plugin API offers choice
– Plugin to implement
the data encryption
– Manage encryption Keys
• MariaDB Enterprise options
– Simple Key Management included
– Amazon AWS KMS Plugin included
– Eperi KMS for on premise key
management – optional
Encryption for Data Rest
Attack Protection with MariaDB MaxScale
Database Firewall Denial of Service Attack
Protection
• MariaDB MaxScale
Persistent Connections
• Connection pooling protects
against connection surges
• Cache the connections from
MaxScale to the database server
• Rate limitation
• Client multiplexing
• Protects against SQL injection
• Prevents unauthorized user
access and data damage
• White-list or Black-list Queries
– Queries that match a set of rules
– Queries matching rules
for specified users
– Queries that match certain
patterns, columns, statement types
• Multiple ordered rule
Server Overload Protection with MaxScale
• Server overload protection
– Persistent connection pool to backend
database
– Client connection limitation
– DB firewall - limit_queries
Network Overload Protection with MaxScale
• Network overload protection
– Max rows limit
– Max result size limit
– DB firewall - limit_queries
1
3
4
5
2
What is SQL Injection?
• A kind of web application attack, where user-supplied input comes from:
URL – www.app.com?id=1
Forms – email=a@app.com
Other elements – e.g., cookies, HTTP headers
and is manipulated so that a vulnerable application executes SQL commands injected by
attacker.
• Applications vulnerable to SQL injection:
– Incorrect type handling
– Incorrectly filtered escape characters
– Blind SQL injection
– Second order SQL injection
SELECT * from customer WHERE id = ?
User supplied value for id = 5, injected value is string ‘5 OR 1=1’
SELECT * from customer WHERE id = 5 OR 1=1
This will result in application getting access to entire customer
table instead of just the specific customer
What is SQL Injection?
How to Protect from SQL Injection
● Whitelist input parameters and queries
○ SELECT * from userinfo where userid = ?
○ If user id is a valid number between 1 and 100, look
for values [1,100]
○ If userid is an alphanumeric string, look for values
[a-zA-Z0-9]*$
○ Queries that match certain regular expressions
● Limitation
○ For free-form text fields, not easy to map to a subset
■ i.e., an input parameter for description of an item
○ As application and database evolves, whitelist needs
to be kept up to date
● Blacklist keywords and queries
○ DROP, DELETE, INSERT, GRANT
○ All Select queries with wildcard in FROM clause
○ All queries with “1=1” in WHERE clause
○ Queries that match certain regular expression
● Limitation
○ DBAs wanting to do valid operations may be
blocked from doing such operations
○ For certain search field, blacklisted keywords
such as DROP (drop clothe), GRANT (‘The boy
named Grant’) are actually valid input parameter
values
QUERY FAILED: 1141
ERROR: Required
WHERE/HAVING clause is missing
rule safe_select deny
no_where_clause
on_queries select
rule safe_cust_select deny
regex '.*from.*customers.*'
user %app-user@% match
all rules safe_cust_select
safe_select
Maxscale Database Firewall
DATABASE FIREWALL FILTER
SELECT * FROM CUSTOMERS;
MaxScale
Database Servers
1
2
3
Database Firewall Filter
Allow/Block queries that
MATCH A SET OF RULES
MATCH RULES FOR SPECIFIC USERS
MATCH ON
• date/time
• a WHERE clause
• query type
• column match
• a wildcard or regular expression or function name
Protect against SQL injection
Prevent unauthorized data access
Prevent data damage
Function name blocking - New in 2.2
[Connection Service1]
type=service
router=readconnroute
servers=server1
user=maxuser
passwd=maxpwd
filters=MyDBFirewall
[MyDBFirewall]
type=filter
module=dbfwfilter
rules=/home/user/myrules.txt
Query Blocking Example
MaxScale Whitelisting
• Allows only those queries that
• match a set of rules
• match rules for specific users
• match certain patterns
• multiple ordered rules
– Match on
• date/time
• a WHERE clause
• query type
• column match
• a wildcard or regular expression
Data Masking with MaxScale
SELECT Name, creditcardNum, balance
FROM customerTbl
WHERE id=1001
Name creditcardNum balance
---------------------------------------
John Smith xxxxxx9901 1201.07
Database Servers
Client
HIPPA/PCI/GDPR Requirement:
• Selective Data Masking by column
• Full or partial anonymization
– 4448889901 ⇒ xxxxxx9901
• Pseudo-anonymization
– Column values randomized,
however same value in multiple
rows randomizes to same
string
DATABASE NAME,
TABLE NAME CLASSIFIER
MAY BE PROVIDED
• commerceDb.customerTbl.creditcardNum
• customerTbl.creditcardNum
• credicardNum
Pseudo-anonymization - New in 2.2
Best Practices
Summary
Best Practices
USER MANAGEMENT
Use OS permissions to
restrict access
to MariaDB data
and backups
Use strong
passwords
Allow root access to
MariaDB only from local
clients—no
administrative access
over the network
Use a separate
MariaDB user account
for each of your
applications
Use the unix_socket
authentication plugin so
that only the OS root
user can connect as the
MariaDB root user
Allow access
from a minimal
set of IP addresses
Best Practices
ENCRYPTION
Encrypt some
data in the
application
Encrypt data
at rest
Non-key data
Credit card numbers, PII etc
Encrypt data in
transit using SSL
From clients to
MariaDB MaxScale
From clients to MariaDB
Between MariaDB
replicated servers
InnoDB tablespace encryption
InnoDB redo log encryption
Binary log encryption
Best Practices
Using MaxScale
Restrict the
operations
that clients
(applications)
are allowed
to perform
Identify
and flag
potentially
dangerous
queries
Customize
rules about
what’s
allowed and
what’s not
Use MariaDB
MaxScale as
a Database
Firewall
Implement
connection
pooling
capabilities
can protect
against DDoS
attacks
Best Practices
AUDITING
Ensure regulatory
compliance with
robust logging
Use MariaDB
Audit Plugin
Record
connections,
query executions,
and tables
accessed
Use logs for forensic
analysis after an incident
Logging either to a file or
to syslog
MariaDB Security Gets Stronger
All the Time
MariaDB User Community
Quickly
identifies new
threats
Creates
solutions
Reports
vulnerabilities
Contributes
features
Thank you
How MaxScale Protects from DDoS
• Server overload protection
– Client connection limitation
– Persistent connections
– DB firewall - limit_queries
• Network overload protection
– Max rows limit (2.1)
– Max result size limit (2.1)
– DB firewall - limit_queries

More Related Content

What's hot (20)

PDF
Nosql data models
Viet-Trung TRAN
 
PPTX
What is NoSQL and CAP Theorem
Rahul Jain
 
PDF
Webinar: 10-Step Guide to Creating a Single View of your Business
MongoDB
 
PPTX
An Enterprise Architect's View of MongoDB
MongoDB
 
PPTX
Data Modeling for NoSQL
Tony Tam
 
PPTX
MongoDB San Francisco 2013: Storing eBay's Media Metadata on MongoDB present...
MongoDB
 
PPTX
Jumpstart: MongoDB BI Connector & Tableau
MongoDB
 
PPTX
MongoDB in a Mainframe World
MongoDB
 
PDF
SQL Server 2017 Enhancements You Need To Know
Quest
 
PDF
Big Challenges in Data Modeling: NoSQL and Data Modeling
DATAVERSITY
 
PPTX
Mongodb vs mysql
hemal sharma
 
PPTX
MongoDB as a Data Warehouse: Time Series and Device History Data (Medtronic)
MongoDB
 
PPTX
MongoDB and RDBMS: Using Polyglot Persistence at Equifax
MongoDB
 
PPTX
MongoDB Evenings Minneapolis: Medtronic's MongoDB Journey
MongoDB
 
PPTX
Coming to cassandra from relational world (New)
Nenad Bozic
 
PDF
Strata+Hadoop World NY 2016 - Avinash Ramineni
Avinash Ramineni
 
PDF
SQL vs. NoSQL Databases
Osama Jomaa
 
PPT
5 Data Modeling for NoSQL 1/2
Fabio Fumarola
 
PPTX
Microsoft azure documentDB
Mohamed Elkhodary
 
PPTX
Key-Value NoSQL Database
Heman Hosainpana
 
Nosql data models
Viet-Trung TRAN
 
What is NoSQL and CAP Theorem
Rahul Jain
 
Webinar: 10-Step Guide to Creating a Single View of your Business
MongoDB
 
An Enterprise Architect's View of MongoDB
MongoDB
 
Data Modeling for NoSQL
Tony Tam
 
MongoDB San Francisco 2013: Storing eBay's Media Metadata on MongoDB present...
MongoDB
 
Jumpstart: MongoDB BI Connector & Tableau
MongoDB
 
MongoDB in a Mainframe World
MongoDB
 
SQL Server 2017 Enhancements You Need To Know
Quest
 
Big Challenges in Data Modeling: NoSQL and Data Modeling
DATAVERSITY
 
Mongodb vs mysql
hemal sharma
 
MongoDB as a Data Warehouse: Time Series and Device History Data (Medtronic)
MongoDB
 
MongoDB and RDBMS: Using Polyglot Persistence at Equifax
MongoDB
 
MongoDB Evenings Minneapolis: Medtronic's MongoDB Journey
MongoDB
 
Coming to cassandra from relational world (New)
Nenad Bozic
 
Strata+Hadoop World NY 2016 - Avinash Ramineni
Avinash Ramineni
 
SQL vs. NoSQL Databases
Osama Jomaa
 
5 Data Modeling for NoSQL 1/2
Fabio Fumarola
 
Microsoft azure documentDB
Mohamed Elkhodary
 
Key-Value NoSQL Database
Heman Hosainpana
 

Similar to Securing data and preventing data breaches (20)

PDF
Securing data and preventing data breaches
MariaDB plc
 
PDF
Securing data and preventing data breaches
MariaDB plc
 
PDF
Database Security Threats - MariaDB Security Best Practices
MariaDB plc
 
PDF
Database Security Threats - MariaDB Security Best Practices
MariaDB plc
 
PDF
Database Security Threats - MariaDB Security Best Practices
MariaDB plc
 
PDF
Database Security Threats - MariaDB Security Best Practices
MariaDB plc
 
PDF
Using MariaDB TX and MaxScale to meet GDPR - #OPEN18
Kangaroot
 
PDF
Uso de MariaDB TX y MaxScale para el cumplimiento de GDPR
MariaDB plc
 
PDF
Database Security Threats — MariaDB Security Best Practices
MariaDB plc
 
PDF
MariaDB Security Best Practices
Federico Razzoli
 
PDF
MariaDB MaxScale
MariaDB plc
 
PDF
Safety LAMP: data security & agile languages
PostgreSQL Experts, Inc.
 
PDF
Meet MariaDB Server 10.1 London MySQL meetup December 2015
Colin Charles
 
PDF
How to Manage Scale-Out Environments with MariaDB MaxScale
MariaDB plc
 
PDF
MariaDB Server & MySQL Security Essentials 2016
Colin Charles
 
PDF
MySQL server security
Damien Seguy
 
PPTX
The Spy Who Loathed Me - An Intro to SQL Server Security
Chris Bell
 
PDF
How to Manage Scale-Out Environments with MariaDB MaxScale
MariaDB plc
 
PDF
Better encryption & security with MariaDB 10.1 & MySQL 5.7
Colin Charles
 
PDF
MySQL 8.0 - Security Features
Harin Vadodaria
 
Securing data and preventing data breaches
MariaDB plc
 
Securing data and preventing data breaches
MariaDB plc
 
Database Security Threats - MariaDB Security Best Practices
MariaDB plc
 
Database Security Threats - MariaDB Security Best Practices
MariaDB plc
 
Database Security Threats - MariaDB Security Best Practices
MariaDB plc
 
Database Security Threats - MariaDB Security Best Practices
MariaDB plc
 
Using MariaDB TX and MaxScale to meet GDPR - #OPEN18
Kangaroot
 
Uso de MariaDB TX y MaxScale para el cumplimiento de GDPR
MariaDB plc
 
Database Security Threats — MariaDB Security Best Practices
MariaDB plc
 
MariaDB Security Best Practices
Federico Razzoli
 
MariaDB MaxScale
MariaDB plc
 
Safety LAMP: data security & agile languages
PostgreSQL Experts, Inc.
 
Meet MariaDB Server 10.1 London MySQL meetup December 2015
Colin Charles
 
How to Manage Scale-Out Environments with MariaDB MaxScale
MariaDB plc
 
MariaDB Server & MySQL Security Essentials 2016
Colin Charles
 
MySQL server security
Damien Seguy
 
The Spy Who Loathed Me - An Intro to SQL Server Security
Chris Bell
 
How to Manage Scale-Out Environments with MariaDB MaxScale
MariaDB plc
 
Better encryption & security with MariaDB 10.1 & MySQL 5.7
Colin Charles
 
MySQL 8.0 - Security Features
Harin Vadodaria
 
Ad

More from MariaDB plc (20)

PDF
MariaDB Berlin Roadshow Slides - 8 April 2025
MariaDB plc
 
PDF
MariaDB München Roadshow - 24 September, 2024
MariaDB plc
 
PDF
MariaDB Paris Roadshow - 19 September 2024
MariaDB plc
 
PDF
MariaDB Amsterdam Roadshow: 19 September, 2024
MariaDB plc
 
PDF
MariaDB Paris Workshop 2023 - MaxScale 23.02.x
MariaDB plc
 
PDF
MariaDB Paris Workshop 2023 - Newpharma
MariaDB plc
 
PDF
MariaDB Paris Workshop 2023 - Cloud
MariaDB plc
 
PDF
MariaDB Paris Workshop 2023 - MariaDB Enterprise
MariaDB plc
 
PDF
MariaDB Paris Workshop 2023 - Performance Optimization
MariaDB plc
 
PDF
MariaDB Paris Workshop 2023 - MaxScale
MariaDB plc
 
PDF
MariaDB Paris Workshop 2023 - novadys presentation
MariaDB plc
 
PDF
MariaDB Paris Workshop 2023 - DARVA presentation
MariaDB plc
 
PDF
MariaDB Tech und Business Update Hamburg 2023 - MariaDB Enterprise Server
MariaDB plc
 
PDF
MariaDB SkySQL Autonome Skalierung, Observability, Cloud-Backup
MariaDB plc
 
PDF
Einführung : MariaDB Tech und Business Update Hamburg 2023
MariaDB plc
 
PDF
Hochverfügbarkeitslösungen mit MariaDB
MariaDB plc
 
PDF
Die Neuheiten in MariaDB Enterprise Server
MariaDB plc
 
PDF
Global Data Replication with Galera for Ansell Guardian®
MariaDB plc
 
PDF
Introducing workload analysis
MariaDB plc
 
PDF
Under the hood: SkySQL monitoring
MariaDB plc
 
MariaDB Berlin Roadshow Slides - 8 April 2025
MariaDB plc
 
MariaDB München Roadshow - 24 September, 2024
MariaDB plc
 
MariaDB Paris Roadshow - 19 September 2024
MariaDB plc
 
MariaDB Amsterdam Roadshow: 19 September, 2024
MariaDB plc
 
MariaDB Paris Workshop 2023 - MaxScale 23.02.x
MariaDB plc
 
MariaDB Paris Workshop 2023 - Newpharma
MariaDB plc
 
MariaDB Paris Workshop 2023 - Cloud
MariaDB plc
 
MariaDB Paris Workshop 2023 - MariaDB Enterprise
MariaDB plc
 
MariaDB Paris Workshop 2023 - Performance Optimization
MariaDB plc
 
MariaDB Paris Workshop 2023 - MaxScale
MariaDB plc
 
MariaDB Paris Workshop 2023 - novadys presentation
MariaDB plc
 
MariaDB Paris Workshop 2023 - DARVA presentation
MariaDB plc
 
MariaDB Tech und Business Update Hamburg 2023 - MariaDB Enterprise Server
MariaDB plc
 
MariaDB SkySQL Autonome Skalierung, Observability, Cloud-Backup
MariaDB plc
 
Einführung : MariaDB Tech und Business Update Hamburg 2023
MariaDB plc
 
Hochverfügbarkeitslösungen mit MariaDB
MariaDB plc
 
Die Neuheiten in MariaDB Enterprise Server
MariaDB plc
 
Global Data Replication with Galera for Ansell Guardian®
MariaDB plc
 
Introducing workload analysis
MariaDB plc
 
Under the hood: SkySQL monitoring
MariaDB plc
 
Ad

Recently uploaded (20)

PPTX
Climate Action.pptx action plan for climate
justfortalabat
 
PDF
apidays Helsinki & North 2025 - Monetizing AI APIs: The New API Economy, Alla...
apidays
 
DOCX
AI/ML Applications in Financial domain projects
Rituparna De
 
PPTX
recruitment Presentation.pptxhdhshhshshhehh
devraj40467
 
PDF
How to Connect Your On-Premises Site to AWS Using Site-to-Site VPN.pdf
Tamanna
 
PDF
Context Engineering vs. Prompt Engineering, A Comprehensive Guide.pdf
Tamanna
 
PPTX
The _Operations_on_Functions_Addition subtruction Multiplication and Division...
mdregaspi24
 
PPTX
Rocket-Launched-PowerPoint-Template.pptx
Arden31
 
PDF
2_Management_of_patients_with_Reproductive_System_Disorders.pdf
motbayhonewunetu
 
PDF
Choosing the Right Database for Indexing.pdf
Tamanna
 
PPT
Lecture 2-1.ppt at a higher learning institution such as the university of Za...
rachealhantukumane52
 
PPTX
AI Presentation Tool Pitch Deck Presentation.pptx
ShyamPanthavoor1
 
PDF
Web Scraping with Google Gemini 2.0 .pdf
Tamanna
 
PDF
MusicVideoProjectRubric Animation production music video.pdf
ALBERTIANCASUGA
 
PPTX
Resmed Rady Landis May 4th - analytics.pptx
Adrian Limanto
 
PDF
Data Chunking Strategies for RAG in 2025.pdf
Tamanna
 
PDF
apidays Helsinki & North 2025 - REST in Peace? Hunting the Dominant Design fo...
apidays
 
PDF
How to Avoid 7 Costly Mainframe Migration Mistakes
JP Infra Pvt Ltd
 
PPTX
apidays Munich 2025 - Building an AWS Serverless Application with Terraform, ...
apidays
 
PDF
R Cookbook - Processing and Manipulating Geological spatial data with R.pdf
OtnielSimopiaref2
 
Climate Action.pptx action plan for climate
justfortalabat
 
apidays Helsinki & North 2025 - Monetizing AI APIs: The New API Economy, Alla...
apidays
 
AI/ML Applications in Financial domain projects
Rituparna De
 
recruitment Presentation.pptxhdhshhshshhehh
devraj40467
 
How to Connect Your On-Premises Site to AWS Using Site-to-Site VPN.pdf
Tamanna
 
Context Engineering vs. Prompt Engineering, A Comprehensive Guide.pdf
Tamanna
 
The _Operations_on_Functions_Addition subtruction Multiplication and Division...
mdregaspi24
 
Rocket-Launched-PowerPoint-Template.pptx
Arden31
 
2_Management_of_patients_with_Reproductive_System_Disorders.pdf
motbayhonewunetu
 
Choosing the Right Database for Indexing.pdf
Tamanna
 
Lecture 2-1.ppt at a higher learning institution such as the university of Za...
rachealhantukumane52
 
AI Presentation Tool Pitch Deck Presentation.pptx
ShyamPanthavoor1
 
Web Scraping with Google Gemini 2.0 .pdf
Tamanna
 
MusicVideoProjectRubric Animation production music video.pdf
ALBERTIANCASUGA
 
Resmed Rady Landis May 4th - analytics.pptx
Adrian Limanto
 
Data Chunking Strategies for RAG in 2025.pdf
Tamanna
 
apidays Helsinki & North 2025 - REST in Peace? Hunting the Dominant Design fo...
apidays
 
How to Avoid 7 Costly Mainframe Migration Mistakes
JP Infra Pvt Ltd
 
apidays Munich 2025 - Building an AWS Serverless Application with Terraform, ...
apidays
 
R Cookbook - Processing and Manipulating Geological spatial data with R.pdf
OtnielSimopiaref2
 

Securing data and preventing data breaches

  • 3. “The majority of the HTTP attacks were made to PHPMyadmin, a popular MySQL and MariaDB remote management system. Many web content management systems, not to mention WordPress, rely on these these databases. Vulnerable WordPress plugins were also frequently attacked. Mind you, this was on a system that even in honeypot mode hadn't emitted a single packet towards the outside world.” ZDNet - Jan 23rd 2018
  • 4. Threats Viruses Hacker attacks Software spoofing Defense • Do not allow TCP connections to MariaDB from the Internet at large. • Configure MariaDB to listen on a network interface that is only accessible from the host where your application runs. • Design your physical network to connect the app to MariaDB • Use bind-address to bind to a specific network interface • Use your OS’s firewall • Keep your OS patched The Internet
  • 5. Threats Denial of Service Attacks created by overloading application SQL query injection attacks Defense • Do not run your application on your MariaDB Server. • Do not install unnecessary packages on your MariaDB Server. • An overloaded application can use so much memory that MariaDB could slow or even be killed by the OS. This is an effective DDoS attack vector. • A compromised application or service can have many serious side effects – Discovery of MariaDB credentials – Direct access to data – Privilege escalation Applications
  • 6. Threats • Disgruntled employees • Mistakes and human error Defense • Limit users who have: – SSH access to your MariaDB server. – Sudo privileges on your MariaDB server. • Set the secure_file_priv option to ensure that users with the FILE privilege cannot write or read MariaDB data or important system files. • Do not run MariaDB process (mysqld) as root • Avoid wide hostname wildcards (“%”), use specific host names / IP addresses Excessive Trust
  • 7. Threats • Disgruntled employees • Mistakes and human error Defense • Do not use the MariaDB “root” user for application access. • Grant only the privileges required by your application. • Minimize the privileges granted to the MariaDB user accounts used by your applications – Don’t grant CREATE or DROP privileges. – Don’t grant the FILE privilege. – Don’t grant the SUPER privilege. – Don’t grant access to the mysql database Excessive Trust
  • 9. MariaDB MaxScale Concept DATABASE SERVERS MASTER SLAVES Binlog Cache Insulates client applications from the complexities of backend database cluster Simplify replication from database to other databases CLIENT PROTOCOL SUPPORT AUTHENTICATION PARSING DATABASE MONITORING LOAD BALANCING & ROUTING QUERY TRANSFORMATION & LOGGING Flexible, easy to write plug-ins for Generic Core MULTI-THREADED E-POLL BASED STATELESS SHARES THE THREAD POOL
  • 11. Password Validation Simple_password_check plugin Enforce a minimum password length and type/number of characters to be used External Authentication Single Sign On is getting mandatory in most Enterprises. PAM-Authentication Plugin allows using /etc/shadow and any PAM based authentication like LDAP Kerberos-Authentication as a standardized network authentication protocol is provided GSSAPI based on UNIX and SSPI based on Windows Applications
  • 12. MariaDB PAM Authentication GSS-API on Linux • Red Hat Directory Server • OpenLDAP SSPI on Windows • Active DirectoryKDC Client MariaDB 2 3 4 1 Ticket request Service ticket Here is my service ticket, authenticate me Client / server session
  • 13. MariaDB Role Based Access Control DBA Developer Sysadmin Database Tables MariaDB 10 Role: DBA Permissions: • Update Schema • View Statistics • Create Database
  • 14. Secured Connections SSL Connections based on the TLSv1.2 Protocol Between MariaDB Connectors and Server Between MariaDB Connectors and MaxScale SSL can also be enabled for the replication channel External Authentication Selective Data-At-Rest Encryption Application control of data encryption Based on the AES (Advanced Encryption Standard) or DES (Data Encryption Standard) algorithm Encryption for Data in Motion
  • 15. Data-at-Rest Encryption • Everything: – Tables or tablespaces – Log files • Independent of encryption capabilities of applications • Based on encryption keys, key ids, key rotation and key versioning Key Management Services • Encryption plugin API offers choice – Plugin to implement the data encryption – Manage encryption Keys • MariaDB Enterprise options – Simple Key Management included – Amazon AWS KMS Plugin included – Eperi KMS for on premise key management – optional Encryption for Data Rest
  • 16. Attack Protection with MariaDB MaxScale Database Firewall Denial of Service Attack Protection • MariaDB MaxScale Persistent Connections • Connection pooling protects against connection surges • Cache the connections from MaxScale to the database server • Rate limitation • Client multiplexing • Protects against SQL injection • Prevents unauthorized user access and data damage • White-list or Black-list Queries – Queries that match a set of rules – Queries matching rules for specified users – Queries that match certain patterns, columns, statement types • Multiple ordered rule
  • 17. Server Overload Protection with MaxScale • Server overload protection – Persistent connection pool to backend database – Client connection limitation – DB firewall - limit_queries
  • 18. Network Overload Protection with MaxScale • Network overload protection – Max rows limit – Max result size limit – DB firewall - limit_queries 1 3 4 5 2
  • 19. What is SQL Injection? • A kind of web application attack, where user-supplied input comes from: URL – www.app.com?id=1 Forms – [email protected] Other elements – e.g., cookies, HTTP headers and is manipulated so that a vulnerable application executes SQL commands injected by attacker. • Applications vulnerable to SQL injection: – Incorrect type handling – Incorrectly filtered escape characters – Blind SQL injection – Second order SQL injection SELECT * from customer WHERE id = ? User supplied value for id = 5, injected value is string ‘5 OR 1=1’ SELECT * from customer WHERE id = 5 OR 1=1 This will result in application getting access to entire customer table instead of just the specific customer
  • 20. What is SQL Injection?
  • 21. How to Protect from SQL Injection ● Whitelist input parameters and queries ○ SELECT * from userinfo where userid = ? ○ If user id is a valid number between 1 and 100, look for values [1,100] ○ If userid is an alphanumeric string, look for values [a-zA-Z0-9]*$ ○ Queries that match certain regular expressions ● Limitation ○ For free-form text fields, not easy to map to a subset ■ i.e., an input parameter for description of an item ○ As application and database evolves, whitelist needs to be kept up to date ● Blacklist keywords and queries ○ DROP, DELETE, INSERT, GRANT ○ All Select queries with wildcard in FROM clause ○ All queries with “1=1” in WHERE clause ○ Queries that match certain regular expression ● Limitation ○ DBAs wanting to do valid operations may be blocked from doing such operations ○ For certain search field, blacklisted keywords such as DROP (drop clothe), GRANT (‘The boy named Grant’) are actually valid input parameter values
  • 22. QUERY FAILED: 1141 ERROR: Required WHERE/HAVING clause is missing rule safe_select deny no_where_clause on_queries select rule safe_cust_select deny regex '.*from.*customers.*' user %app-user@% match all rules safe_cust_select safe_select Maxscale Database Firewall DATABASE FIREWALL FILTER SELECT * FROM CUSTOMERS; MaxScale Database Servers 1 2 3 Database Firewall Filter Allow/Block queries that MATCH A SET OF RULES MATCH RULES FOR SPECIFIC USERS MATCH ON • date/time • a WHERE clause • query type • column match • a wildcard or regular expression or function name Protect against SQL injection Prevent unauthorized data access Prevent data damage Function name blocking - New in 2.2
  • 24. MaxScale Whitelisting • Allows only those queries that • match a set of rules • match rules for specific users • match certain patterns • multiple ordered rules – Match on • date/time • a WHERE clause • query type • column match • a wildcard or regular expression
  • 25. Data Masking with MaxScale SELECT Name, creditcardNum, balance FROM customerTbl WHERE id=1001 Name creditcardNum balance --------------------------------------- John Smith xxxxxx9901 1201.07 Database Servers Client HIPPA/PCI/GDPR Requirement: • Selective Data Masking by column • Full or partial anonymization – 4448889901 ⇒ xxxxxx9901 • Pseudo-anonymization – Column values randomized, however same value in multiple rows randomizes to same string DATABASE NAME, TABLE NAME CLASSIFIER MAY BE PROVIDED • commerceDb.customerTbl.creditcardNum • customerTbl.creditcardNum • credicardNum Pseudo-anonymization - New in 2.2
  • 27. Best Practices USER MANAGEMENT Use OS permissions to restrict access to MariaDB data and backups Use strong passwords Allow root access to MariaDB only from local clients—no administrative access over the network Use a separate MariaDB user account for each of your applications Use the unix_socket authentication plugin so that only the OS root user can connect as the MariaDB root user Allow access from a minimal set of IP addresses
  • 28. Best Practices ENCRYPTION Encrypt some data in the application Encrypt data at rest Non-key data Credit card numbers, PII etc Encrypt data in transit using SSL From clients to MariaDB MaxScale From clients to MariaDB Between MariaDB replicated servers InnoDB tablespace encryption InnoDB redo log encryption Binary log encryption
  • 29. Best Practices Using MaxScale Restrict the operations that clients (applications) are allowed to perform Identify and flag potentially dangerous queries Customize rules about what’s allowed and what’s not Use MariaDB MaxScale as a Database Firewall Implement connection pooling capabilities can protect against DDoS attacks
  • 30. Best Practices AUDITING Ensure regulatory compliance with robust logging Use MariaDB Audit Plugin Record connections, query executions, and tables accessed Use logs for forensic analysis after an incident Logging either to a file or to syslog
  • 31. MariaDB Security Gets Stronger All the Time MariaDB User Community Quickly identifies new threats Creates solutions Reports vulnerabilities Contributes features
  • 33. How MaxScale Protects from DDoS • Server overload protection – Client connection limitation – Persistent connections – DB firewall - limit_queries • Network overload protection – Max rows limit (2.1) – Max result size limit (2.1) – DB firewall - limit_queries