Database as a networked server
- DB at the centre of the network
- Network access map for the DB environment
- Tracking of tools and apps
- Remove unnecessary network libraries
  – SQL, DB2, Oracle networking layers
  – Implement using TCP/IP only
- Secure services from known network attacks
- Use of firewalls
DB at the core
- Avoid direct exposure of the DB to the Internet
- Databases must reside in data centers
- DMZ architecture: consists of two firewalls between the DB and the Internet
- Use a DB firewall or VPN for client access from outside the corporate network
Network access map
- Communication is essential between the networking group and the database group
- Review the data access diagram for new access patterns
- The following are shown in data access diagrams:
  – Database access endpoints
  – Clients accessing each database
  – Apps used to access the DB and the type of access
Tracking of tools and apps
- Knowledge of tools and versions:
  – Address points of vulnerability
  – Compliance with IT governance
  – Alert on questionable changes
- Get client information, including the client host, from:
  – Monitoring Database Access (MDA) in Sybase
  – System Global Area (SGA) in Oracle 10g, e.g.
    select machine, terminal, program, username, logon_time from v$session
- Monitor the sys tables by polling, or from the TCP/IP packets going to the DB
Remove unnecessary network libraries
- SQL, DB2, Oracle networking layers:
  – Support for multiple protocols: TCP/IP, named pipes, etc.
  – OCI, SQLLIB, SQLNET, OPI (Oracle Program Interface)
  – Oracle Net Configuration Assistant
- Implement using TCP/IP only: disable all other protocols
Port scanners
- Use port scanners to list all services and their corresponding ports
  – E.g. the database listener on port 1521
- Tools: netstat, nmap
Secure services from known network attacks
- SQL Slammer (January): this worm infected 120,000 SQL Server machines
  – More than 120K packets/second
  – Uses a buffer overflow error in SQL Server's Resolution Service
  – The service runs on UDP port 1434
- Watch for vulnerabilities that can be exploited over the network
Use of firewalls
- Limit access to the DB
- Conventional or specialized SQL firewall:
  – IP address and port filtering
  – A SQL firewall helps to set policy based on SQL commands, DB users, app types and DB objects
- Oracle redirection pitfall: the listener can redirect a client to a different, dynamically chosen port, which plain port filtering does not anticipate
- protocol.ora or sqlnet.ora:
  – TCP.INVITED_NODES=
  – TCP.EXCLUDED_NODES=
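The network access map and the v$session polling described on the earlier slides can be tied to the invited-node list on this slide. The following script is an added example, not part of the original slides: it checks constructed session rows (same columns as the slide's v$session query) against a hypothetical reviewed access map, flags questionable clients, and renders the approved hosts as the sqlnet.ora invited-node list.

```python
"""Check polled DB sessions against a reviewed network access map.

Added example. Host names, program names and session rows are constructed;
in practice the rows come from polling
  select machine, terminal, program, username, logon_time from v$session
through a database driver.
"""
from collections import namedtuple

Session = namedtuple("Session", "machine terminal program username logon_time")

# Reviewed access map from the data access diagram: which client hosts may
# reach this database and with which tools. Hypothetical values.
ACCESS_MAP = {
    "app-srv-01": {"JDBC Thin Client"},
    "app-srv-02": {"JDBC Thin Client"},
    "dba-ws-07": {"sqlplus@dba-ws-07 (TNS V1-V3)", "SQL Developer"},
}

# Constructed sample of one v$session poll.
SAMPLE_SESSIONS = [
    Session("app-srv-01", "unknown", "JDBC Thin Client", "APPUSER", "08:01"),
    Session("dba-ws-07", "pts/3", "SQL Developer", "SCOTT", "08:05"),
    Session("laptop-1234", "pts/0", "sqlplus@laptop-1234 (TNS V1-V3)", "SYSTEM", "08:09"),
    Session("app-srv-02", "unknown", "toad.exe", "APPUSER", "08:12"),
]


def find_questionable(sessions, access_map=ACCESS_MAP):
    """Return (session, reason) for each session outside the access map:
    an unlisted client host, or an unapproved tool on a listed host.
    Note: machine and program are reported by the client, so this is an
    inventory/alerting signal, not an authorisation control."""
    findings = []
    for s in sessions:
        allowed = access_map.get(s.machine)
        if allowed is None:
            findings.append((s, "host not in access map"))
        elif s.program not in allowed:
            findings.append((s, "unapproved program on listed host"))
    return findings


def invited_nodes_line(access_map=ACCESS_MAP):
    """Render the approved hosts as the sqlnet.ora invited-node list so the
    listener enforces the same map (TCP.VALIDNODE_CHECKING=YES must be set)."""
    return "TCP.INVITED_NODES=(" + ",".join(sorted(access_map)) + ")"


if __name__ == "__main__":
    for s, why in find_questionable(SAMPLE_SESSIONS):
        print(f"ALERT {s.username}@{s.machine} via {s.program!r}: {why}")
    print("TCP.VALIDNODE_CHECKING=YES")
    print(invited_nodes_line())
```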