Database Encryption. Encryption: overview Encrypting Data-in-transit As it is transmitted between client-server Encrypting Data-at-rest Storing data in.

Slides:

Advertisements

Similar presentations

Encrypting Wireless Data with VPN Techniques

Advertisements

Transfer Content to a Website What is FTP? File Transfer Protocol FTP is a protocol – a set of rules Designed to allow files to be transferred across.

Chapter 17: WEB COMPONENTS

Hands-On Ethical Hacking and Network Defense Lecture 15 Man in the Middle Attack to get Passwords from HTTPS Sessions.

Module 5: TLS and SSL 1. Overview Transport Layer Security Overview Secure Socket Layer Overview SSL Termination SSL in the Hosted Environment Load Balanced.

BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.

Chapter 9 Deploying IIS and Active Directory Certificate Services

Packet Analyzers, a Threat to Network Security. Agenda Introduction The background of packet analyzers LAN technologies & network protocols Communication.

1 Objectives Configure Network Access Services in Windows Server 2008 RADIUS 1.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 13: Planning Server and Network Security.

Database Security These slides aim to provide an overview of database security.

Case Studies for Projects. Network Audit A brief description of the systems (via fingerprinting, if black box is used) Network perimeter should be described.

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 30 Internet Security.

Web Server Administration

Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.

Understanding Networks. Objectives Compare client and network operating systems Learn about local area network technologies, including Ethernet, Token.

Nasca Internet Ch. 5Internet Ch. 8 Networking and Security Ch. 6 Networking and Security Ch. 8.

How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.

Module 1: Database and Instance. Overview Defining a Database and an Instance Introduce Microsoft’s and Oracle’s Implementations of a Database and an.

MCTS GUIDE TO MICROSOFT WINDOWS 7 Chapter 14 Remote Access.

What is in Presentation What is IPsec Why is IPsec Important IPsec Protocols IPsec Architecture How to Implement IPsec in linux.

Directory and File Transfer Services Chapter 7. Learning Objectives Explain benefits offered by centralized enterprise directory services such as LDAP.

INTRODUCTION TO WEB DATABASE PROGRAMMING

1 Infrastructure Hardening. 2 Objectives Why hardening infrastructure is important? Hardening Operating Systems, Network and Applications.

SYSTEM ADMINISTRATION Chapter 13 Security Protocols.

70-291: MCSE Guide to Managing a Microsoft Windows Server 2003 Network Chapter 9: Securing Network Traffic Using IPSec.

CHAPTER 2 PCs on the Internet Suraya Alias. The TCP/IP Suite of Protocols Internet applications – client/server applications The client requested data.

Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,

Introduction to SQL Server 2000 Security Dave Watts CTO, Fig Leaf Software

32.1 Chapter 32 Security in the Internet: IPSec, SSL/TLS, PGP, VPN, and Firewalls Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction.

Chapter 13 – Network Security

HTTP HTTP stands for Hypertext Transfer Protocol. It is an TCP/IP based communication protocol which is used to deliver virtually all files and other.

Network Security: Lab#4-2 Packet Sniffers J. H. Wang Dec. 2, 2013.

Objectives Configure routing in Windows Server 2008 Configure Routing and Remote Access Services in Windows Server 2008 Network Address Translation 1.

Hands-On Microsoft Windows Server Introduction to Remote Access Routing and Remote Access Services (RRAS) –Enable routing and remote access through.

Lecture 16 Page 1 Advanced Network Security Perimeter Defense in Networks: Virtual Private Networks Advanced Network Security Peter Reiher August, 2014.

1 Introduction to Microsoft Windows 2000 Windows 2000 Overview Windows 2000 Architecture Overview Windows 2000 Directory Services Overview Logging On to.

The Client/Server Database Environment Ployphan Sornsuwit KPRU Ref.

1 Chapter Overview Password Protection Security Models Firewalls Security Protocols.

Using Encryption with Microsoft SQL Server 2000 Kevin McDonnell Technical Lead SQL Server Support Microsoft Corporation.

Chapter 15 – Part 2 Networks The Internal Operating System The Architecture of Computer Hardware and Systems Software: An Information Technology Approach.

Hands-On Microsoft Windows Server Implementing Microsoft Internet Information Services Microsoft Internet Information Services (IIS) –Software included.

CHAPTER 9 Sniffing.

Data Communications and Networks

Protocols COM211 Communications and Networks CDA College Olga Pelekanou

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 10: Planning and Managing IP Security.

INFORMATION SECURITY MANAGEMENT P ROTECTION M ECHANISMS - C RYPTOGRAPHY.

Database Security Cmpe 226 Fall 2015 By Akanksha Jain Jerry Mengyuan Zheng.

1 Chapter Overview Creating Web Sites and FTP Sites Creating Virtual Directories Managing Site Security Troubleshooting IIS.

WEB SERVER SOFTWARE FEATURE SETS

MCSE Guide to Microsoft Exchange Server 2003 Administration Chapter One Introduction to Exchange Server 2003.

COMP2322 Lab 1 Introduction to Wireshark Weichao Li Jan. 22, 2016.

4.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 12: Implementing Security.

INFORMATION SECURITY MANAGEMENT P ROTECTION M ECHANISMS - C RYPTOGRAPHY.

SSH. 2 SSH – Secure Shell SSH is a cryptographic protocol – Implemented in software originally for remote login applications – One most popular software.

IP Security (IPSec) Matt Hermanson. What is IPSec? It is an extension to the Internet Protocol (IP) suite that creates an encrypted and secure conversation.

Lecture 10 Page 1 CS 236 Online SSL and TLS SSL – Secure Socket Layer TLS – Transport Layer Security The common standards for securing network applications.

APACHE Apache is generally recognized as the world's most popular Web server (HTTP server). Originally designed for Unix servers, the Apache Web server.

Microsoft OS Vulnerabilities April 1, 2010 MIS 4600 – MBA © Abdou Illia.

Implementing a Secure ISA Server

Introduction to SQL Server 2000 Security

Working at a Small-to-Medium Business or ISP – Chapter 7

Working at a Small-to-Medium Business or ISP – Chapter 7

Working at a Small-to-Medium Business or ISP – Chapter 7

APACHE WEB SERVER.

Designing IIS Security (IIS – Internet Information Service)

Virtual Private Networks (VPN)

Sending data to EUROSTAT using STATEL and STADIUM web client

Presentation transcript:

Database Encryption

Encryption: overview Encrypting Data-in-transit As it is transmitted between client-server Encrypting Data-at-rest Storing data in the database as encrypted Encrypting of Data is another layer of security (security in depth). It does not substitute other DB security techniques such as strong password.

Encrypting Data-in-transit For a Hacker to eavesdrop on a conversation and steal data, two things may occur 1) Physically tap into the communications between the db client & the db server 2) Hacker must understand the communication stream in order to extract sensitive data. In order to do this, what does the Hacker need ?

Tools for packet sniffing the Hacker needs to have With a minimum understanding of TCP/IP + Use one of many network protocol analyzer that are freely available. Packet (formatted block of data transmitted by a Network). Sniffing: capturing and analyzing package (like dog sniffing).

Minimum Understanding of TCP/IP Network Security book. Example: Roberta Bragg, Mark Rhodes-Ousley and Keith Strassberg, Network Security; The Complete Reference. TCP/IP is well documented all over the web. Documentation describes the headers of the packet.

Where to run Network Analyzer Packet ? Client Machine that has access to the Database server Database Server

Network Protocol Analyzer: examples Tcpdump: utility available as part of installation on most UNIX systems. Can be downloaded from (windump). Windows counterpart. Available on some systems. Can be downloaded from Wireshark ( world’s most famous NP Analyzer. Formerly Ethereal (

Implement Encryption,data-in-transit Fortunately there are also many encryption techniques for data in transit: Database-specific features such as Oracle Advanced Security Connection-based metods (such as SSL) Secure tunnels (such as SSH) Relying on the operating Systems (IPSec Encryption)

OAS Oracle Advanced Security (previously Advanced Network Option), contains network encryption tools. Depending on the version of Oracle, it is available for no extra cost. It is for the enterprise edition. Best literature for OAS is Oracle Security Handbook by Marlene Theriault and Aaron Newman, McGraw-Hill.

Secure Socket Layer (SSL) cryptographic protocols that provide secure communications on the Internet for such things as web browsing, , Internet faxing, instant messaging and other data transfers. You may enable SSL from within a DBMS. SQL-Server for example: Programs -> Microsoft SQL Server -> Server Network Utility, check the Force protocol Encryption checkbox. Then Stop and start SQL Server. Server also must be informed how it will derive encryption keys Note: make sure that your version of SSL is compatible with your version of MySQL (like in ODBC or JDBC).

SSH Tunnels SSH used in many applications. Example: Substitute for FTP with encryption. From most DBMSs, you can set up SSH tunnels to encrypt database traffic by port forwarding (Encrypted session between client and server). Example: to connect Linux client machine of IP CCC.CCC.C.CCC to a MySQL instance installed on a server with IP address of SSS.SSS.S.SS listening in on port 3306 (default MySQL port). Ssh –L 1000:localhost:3306 SSS.SSS.S.SS –l mylogin –I ~/.ssh id –N -g -L=port forwarding, Any connection attempted on port 1000 on the local machine should be forwarded to port 3306 on the server. Therefore any connection on port 1000 will go through encryption.

IPSec Another Infrastructure option that protects the DB with encryption tools. IPSec is done by the OS so you need to encrypt all communications (can’t be selective). It operates at layer 3 of the OSI network (lower level). Installing IPSec on Windows/XP install IP Security Policy manager. Then from Control Panel -> Administrative Tools, select IPSec

Encrypting Data-at-rest There are two reasons to do this –Protect it from DBAs. –Protect from File or Disk Theft.

Encrypting Data-at-rest Encrypting at Application Layer Must do it at multiple locations from within app. Data can only be used from within application Encrypting at File System/Operating System Layer less flexible. Requires you to encrypt everything. Performance degrades Weak for handling Disk Theft problem. Encrypting within Database –Usually, most practical option

Encrypting at Application Layer Application Developers use a cryptographic library to encrypt such as Java Cryptographic Extensions (JCE) – set of APIs in the java.security and java.crypto packages

Encryption at OS layer Windows implements the Encrypted File System (EFS) and you can use it for MS-SQL Server. Disadvantages ?

Encryption within Database SQL Server 2005 you can access Windows CryptoAPI through DB_ENCRYPT and DB_DECRYPT within T-SQL (similar to PL/SQL) Can use DES, Triple DES and AES (symmetric keys) In ORACLE, you can access –DBMS_OBFUSCATION_TOOLKIT package that implements DES and Triple DES

Summary DB Encryption can be divided into Data-in-transit and Data-at-rest Encryption is useful as a last layer of defense (defense in depth). Should never be used as an alternative solution Encryption should be used only when needed Key Management is Key

End of Lecture End Of Today’s Lecture.