2016 oSC MySQL Firewall
Uploaded by georgi-kodinov
Transcript of 2016 oSC MySQL Firewall
Copyright © 2016, Oracle and/or its affiliates. All rights reserved. |
MySQL Firewall
Add an extra layer of security to your database server
Georgi “Joro” Kodinov, MySQL Server General Team Lead
Georgi “Joro” Kodinov MySQL @ Oracle
Server General Team Lead
Works on MySQL since 2006
Specializes in:
Security
Client/server protocol
Monitoring
Loves history, diverse world cultures
A devoted Formula 1 fan (Go, Massa!)
Bulgaria
Agenda
Why a MySQL Firewall ?
Firewall Architecture
Installation and setup
Operation
Q&A
Why a MySQL Firewall ?
Simple! Make SQL injection attacks harder!
“And it wouldn’t be a proper DBIR if we didn’t raise a glass to one of the elder statesmen of web application hacking, SQL injection (SQLi)” – http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/
Why a MySQL Firewall ?
• Better SQL applications security
  – User accounts can execute only application SQL
• Defense in depth
  – Extra layer, works with the other methods
• Minimum performance cost
  – Takes advantage of the server’s SQL processor
• No need for application changes
  – Works inside the server
Other reasons
Exploits of a Mom: https://xkcd.com/327/
MySQL Firewall Architecture
MySQL Firewall Anatomy
Firewall Plugin (whitelist of normalized statements, e.g. SELECT ?+? and USE ?)
Engine
• Compares incoming queries with the allowed list
• Works on normalized statements
• Multiple modes
• Audit API plugin
Statements Cache
• Entirely in memory
• Initialized from disk
• Content visible through INFORMATION_SCHEMA
MySQL Firewall Operation
[Diagram: the MySQL Server hands each incoming statement to the Firewall Plugin, whose whitelist holds the normalized forms SELECT ?+? and USE ?. SELECT 1+2 matches and is passed through; SELECT 1+2 OR .. does not match and is denied.]
MySQL Firewall Operation Diagram
Installing The MySQL Firewall
Installing the MySQL Firewall
$ mysql -u root -p mysql < linux_install_firewall.sql
mysql> SHOW GLOBAL VARIABLES LIKE 'mysql_firewall_mode';
+---------------------+-------+
| Variable_name       | Value |
+---------------------+-------+
| mysql_firewall_mode | ON    |
+---------------------+-------+
The command line version
Operating the MySQL Firewall
Case study: adding firewall protection to a WordPress installation
Step 1: Install WordPress
• Stock WordPress on apache2
• Uses the default wordpress@localhost MySQL account
• Runs against a local MySQL server
• MySQL server seeded with a user and a schema for WordPress
• WordPress installation done with defaults
Step 2: Put the Firewall Into Recording Mode
• Command Line
  – $ mysql -u root -p -e "CALL mysql.sp_set_firewall_mode('wordpress@localhost', 'RECORDING');"
• Workbench
Step 3: Accumulate White List Actions
• The non-trivial part!
• Click through all of the WordPress sequences that you want to be enabled
  – This will generate the queries
• I have only clicked through saving a draft of a post
Step 4: Inspect The Accumulated Rules
Step 5: Shields Up! Switch To Protecting Mode
mysql> CALL mysql.sp_set_firewall_mode('wordpress@localhost', 'PROTECTING');
Query OK, 63 rows affected (0,00 sec)
Step 6: Watch The Show!
mysql> show status like '%firewall%';
+----------------------------+-------+
| Variable_name | Value |
+----------------------------+-------+
| Firewall_access_denied | 50 |
| Firewall_access_granted | 664 |
| Firewall_access_suspicious | 0 |
| Firewall_cached_entries | 63 |
+----------------------------+-------+
4 rows in set (0,01 sec)
mysql> show status like '%firewall%';
+----------------------------+-------+
| Variable_name | Value |
+----------------------------+-------+
| Firewall_access_denied | 57 |
| Firewall_access_granted | 706 |
| Firewall_access_suspicious | 0 |
| Firewall_cached_entries | 63 |
+----------------------------+-------+
4 rows in set (0,00 sec)
mysql> show status like '%firewall%';
+----------------------------+-------+
| Variable_name | Value |
+----------------------------+-------+
| Firewall_access_denied | 67 |
| Firewall_access_granted | 782 |
| Firewall_access_suspicious | 0 |
| Firewall_cached_entries | 63 |
+----------------------------+-------+
4 rows in set (0,00 sec)
What Does the Application Get?
• $ client/mysql -u wordpress --protocol=tcp -p -e "select version()"
ERROR 1045 (28000) at line 1: Statement was blocked by Firewall
• [Mon Jun 20 13:23:00.091246 2016] [:error] [pid 31596] [client 127.0.0.1:40226] WordPress database error Statement was blocked by Firewall for query SELECT * FROM wp_users WHERE user_email = '[email protected]' made by edit_user, email_exists, get_user_by, WP_User::get_data_by, referer: http://localhost/blog/wp-admin/user-new.php
• [Mon Jun 20 13:23:00.094753 2016] [:error] [pid 31596] [client 127.0.0.1:40226] WordPress database error Statement was blocked by Firewall for query SELECT * FROM wp_users WHERE user_email = '[email protected]' made by edit_user, wp_insert_user, email_exists, get_user_by, WP_User::get_data_by, referer: http://localhost/blog/wp-admin/user-new.php
MySQL Firewall Operation: What Else?
• Can log suspicious queries (not in the whitelist) instead of/in addition to blocking
• The mysql.mysql_firewall_* tables are not special tables.
  – It’s just that the firewall reads them at installation time
  – And the stored programs write the INFORMATION_SCHEMA tables into them
• Can reset the stats
  – mysql_firewall_flush_status() resets the status variables
• Can manipulate rule-sets
  – Aggregate, prune, edit etc.
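As an added worked example (not from the slides), the following SQL session continues the WordPress case study of Steps 2 to 6 together with the rule-set manipulation just mentioned: it inspects the recorded whitelist for wordpress@localhost, checks how an application query normalizes against it, prunes an unwanted rule from the persistent table, reloads the cache and then switches to PROTECTING. It assumes a MySQL 5.7 Enterprise Firewall, where INFORMATION_SCHEMA.MYSQL_FIREWALL_USERS / MYSQL_FIREWALL_WHITELIST, the normalize_statement() UDF and mysql.sp_reload_firewall_rules() exist but are not shown on the slides, and it keeps the slides' mysql.mysql_firewall_* naming for the persistent table (5.7 ships it as mysql.firewall_whitelist).

```sql
-- Added example, not from the slides. Assumes MySQL 5.7 Enterprise Firewall;
-- the I_S tables, normalize_statement() and sp_reload_firewall_rules() are
-- documented there but do not appear on the slides. The persistent table name
-- follows the slides (mysql.mysql_firewall_*); 5.7 names it mysql.firewall_whitelist.

-- 1. Stop recording and confirm the account's current mode.
CALL mysql.sp_set_firewall_mode('wordpress@localhost', 'OFF');
SELECT USERHOST, MODE
  FROM INFORMATION_SCHEMA.MYSQL_FIREWALL_USERS
 WHERE USERHOST = 'wordpress@localhost';

-- 2. Review what recording captured. Rules are normalized statements (literals
--    already replaced by ?), so look for statement shapes the application
--    should never need; anything found here was clicked through by mistake.
SELECT RULE
  FROM INFORMATION_SCHEMA.MYSQL_FIREWALL_WHITELIST
 WHERE USERHOST = 'wordpress@localhost'
   AND (RULE LIKE 'GRANT %' OR RULE LIKE 'DROP %'
        OR RULE LIKE 'SELECT % INTO OUTFILE %');

-- 3. Predict whether a given application query would pass, using the same
--    normalization the engine applies. Comparing against the UDF output avoids
--    hand-writing the exact digest spelling (backticks, spacing).
--    The query below is the one the slides show being blocked, because only
--    "save a draft" was exercised during recording.
SET @probe = normalize_statement(
  "SELECT * FROM wp_users WHERE user_email = 'someone@example.com'");
SELECT @probe AS normalized,
       EXISTS(SELECT 1
                FROM INFORMATION_SCHEMA.MYSQL_FIREWALL_WHITELIST
               WHERE USERHOST = 'wordpress@localhost'
                 AND RULE = @probe) AS whitelisted;

-- 4. Prune: delete unwanted rules from the persistent table, then reload the
--    in-memory cache for the account (the cache is what the engine consults).
DELETE FROM mysql.mysql_firewall_whitelist
 WHERE USERHOST = 'wordpress@localhost'
   AND RULE LIKE 'SELECT % INTO OUTFILE %';
CALL mysql.sp_reload_firewall_rules('wordpress@localhost');

-- 5. Shields up, then zero the counters so the next reading reflects only
--    traffic seen in PROTECTING mode.
CALL mysql.sp_set_firewall_mode('wordpress@localhost', 'PROTECTING');
SELECT mysql_firewall_flush_status();
SHOW GLOBAL STATUS LIKE 'Firewall_access_%';
```

A rising Firewall_access_denied after step 5 means the application still sends a statement shape that was not recorded; return to RECORDING, exercise that path, and repeat the review rather than hand-adding rules.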
Questions And Answers
Confidential – Oracle Internal/Restricted/Highly Restricted
Safe Harbor Statement
The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.