Document information
Pages: 44
Size: 1.03 MB
Chapter 3

3.3 Track tools and applications

the database, but if you want to continuously monitor everything that is happening you will have to continuously poll these tables, sometimes at a high frequency, which can affect the performance of the database. Polling is needed because you cannot set triggers or other types of mechanisms on these tables, nor on the tables that show you the actual SQL generated in the context of these sessions.

The second option does not need to poll the database; it is based on intercepting communication streams and extracting information from the packets as they come into the database. All of the information mentioned previously is readily available in these streams (e.g., in the TCP/IP communications), and actually much more. For example, the following packet captures for Oracle, SQL Server, and Sybase highlight information such as the source program, sign-on name, client machine, and much more (refer to Chapter 10 for more information on how you can generate these dumps yourself). Naturally, each such packet also has a TCP/IP header where the client IP resides, providing you with more than enough information to accomplish your task. (Some of the packet contents have been omitted because they do not contribute to this topic.)

Oracle:

0000  00 10 db 46 3e 74 00 0d 56 b2 05 34 08 00 45 00  ...F>t..V..4..E.
0010  03 52 4b 45 40 00 80 06 27 54 c0 a8 01 a8 c0 a8  .RKE@...'T......
0020  02 14 11 9b 05 f1 ab cf 67 39 9c 94 04 30 50 18  ........g9...0P.
0030  f8 1d 05 c9 00 00 03 2a 00 00 06 00 00 00 00 00  .......*........
0040  03 73 03 a4 a1 e1 00 06 00 00 00 01 01 00 00 1c  .s..............
0050  e3 12 00 07 00 00 00 d4 df 12 00 60 e5 12 00 06  ...........`....
0060  73 79 73 74 65 6d 0d 00 00 00 0d 41 55 54 48 5f  system.....AUTH_
0070  50 41 53 53 57 4f 52 44 20 00 00 00 20 43 46 39  PASSWORD ... CF9
0080  32 39 43 30 43 42 38 30 34 35 33 33 37 31 43 46  29C0CB80453371CF
0090  44 32 30 31 46 45 37 34 44 31 44 45 38 00 00 00  D201FE74D1DE8...
00a0  00 0d 00 00 00 0d 41 55 54 48 5f 54 45 52 4d 49  ......AUTH_TERMI
00b0  4e 41 4c 0f 00 00 00 0f 52 4f 4e 2d 53 4e 59 48  NAL.....RON-SNYH
00c0  52 38 35 47 39 44 4a 00 00 00 00 0f 00 00 00 0f  R85G9DJ.........
00d0  41 55 54 48 5f 50 52 4f 47 52 41 4d 5f 4e 4d 0c  AUTH_PROGRAM_NM.
00e0  00 00 00 0c 73 71 6c 70 6c 75 73 77 2e 65 78 65  ....sqlplusw.exe
00f0  00 00 00 00 0c 00 00 00 0c 41 55 54 48 5f 4d 41  .........AUTH_MA
0100  43 48 49 4e 45 1a 00 00 00 1a 57 4f 52 4b 47 52  CHINE.....WORKGR
0110  4f 55 50 5c 52 4f 4e 2d 53 4e 59 48 52 38 35 47  OUP\RON-SNYHR85G
0120  39 44 4a 00 00 00 00 00 08 00 00 00 08 41 55 54  9DJ..........AUT
0130  48 5f 50 49 44 09 00 00 00 09 37 33 32 30 3a 36  H_PID.....7320:6
0140  32 34 34 00 00 00 00 08 00 00 00 08 41 55 54 48  244.........AUTH
0200  41 43 54 45 52 53 3d 20 27 2e 2c 27 20 4e 4c 53  ACTERS= '.,' NLS
0210  5f 43 41 4c 45 4e 44 41 52 3d 20 27 47 52 45 47  _CALENDAR= 'GREG
0220  4f 52 49 41 4e 27 20 4e 4c 53 5f 44 41 54 45 5f  ORIAN' NLS_DATE_
0230  46 4f 52 4d 41 54 3d 20 27 44 44 2d 4d 4f 4e 2d  FORMAT= 'DD-MON-
0240  52 52 27 20 4e 4c 53 5f 44 41 54 45 5f 4c 41 4e  RR' NLS_DATE_LAN
0250  47 55 41 47 45 3d 20 27 41 4d 45 52 49 43 41 4e  GUAGE= 'AMERICAN
0260  27 20 20 4e 4c 53 5f 53 4f 52 54 3d 20 27 42 49  '  NLS_SORT= 'BI
0270  4e 41 52 59 27 20 54 49 4d 45 5f 5a 4f dd 4e 45  NARY' TIME_ZO.NE
0280  3d 20 27 2d 30 34 3a 30 30 27 20 4e 4c 53 5f 44  = '-04:00' NLS_D
0290  55 41 4c 5f 43 55 52 52 45 4e 43 59 20 3d 20 27  UAL_CURRENCY = '
02a0  24 27 20 4e 4c 53 5f 54 49 4d 45 5f 46 4f 52 4d  $' NLS_TIME_FORM
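The Oracle dump above, and the SQL Server dump that follows it, can be turned into a session-identity record with a few lines of code. The block below is an added example written for this page; it is not the book's tooling. The Oracle key/value bytes and the SQL Server login fragment are transcribed from the two dumps on this page, so the capture runs out mid-pair exactly where the book's dump is cut. The framing assumed for the Oracle TTC array (a 4-byte little-endian length, a one-byte chunk length, the string, the same for the value, then 4 bytes of flags) is read off the dump itself. The SQL Server password field is undone with the LOGIN7 transform documented in MS-TDS (nibble swap, then XOR with 0xA5), which is why it is worth showing: without SSL/TLS on the login, that field protects nothing, and the AUTH_PASSWORD value in the Oracle packet is a 32-hex-digit token rather than the cleartext.

```python
"""Decode the client identity that the Oracle and SQL Server login packets
above carry in the clear. Added example; not code from the book."""
import re
import struct

# Oracle TTC key/value array, transcribed from the dump above (bytes
# 0x0066-0x014f; the dump skips 0x0150-0x01ff, so the array ends mid-pair).
ORACLE_AUTH_KV = bytes.fromhex(
    "0d 00 00 00 0d 41 55 54 48 5f"
    "50 41 53 53 57 4f 52 44 20 00 00 00 20 43 46 39"
    "32 39 43 30 43 42 38 30 34 35 33 33 37 31 43 46"
    "44 32 30 31 46 45 37 34 44 31 44 45 38 00 00 00"
    "00 0d 00 00 00 0d 41 55 54 48 5f 54 45 52 4d 49"
    "4e 41 4c 0f 00 00 00 0f 52 4f 4e 2d 53 4e 59 48"
    "52 38 35 47 39 44 4a 00 00 00 00 0f 00 00 00 0f"
    "41 55 54 48 5f 50 52 4f 47 52 41 4d 5f 4e 4d 0c"
    "00 00 00 0c 73 71 6c 70 6c 75 73 77 2e 65 78 65"
    "00 00 00 00 0c 00 00 00 0c 41 55 54 48 5f 4d 41"
    "43 48 49 4e 45 1a 00 00 00 1a 57 4f 52 4b 47 52"
    "4f 55 50 5c 52 4f 4e 2d 53 4e 59 48 52 38 35 47"
    "39 44 4a 00 00 00 00 00 08 00 00 00 08 41 55 54"
    "48 5f 50 49 44 09 00 00 00 09 37 33 32 30 3a 36"
    "32 34 34 00 00 00 00 08 00 00 00 08 41 55 54 48"
)

# SQL Server LOGIN7 fragment, transcribed from the dump below (0x0094-0x00f9):
# "sa", the obfuscated password, then app name, server name and library name.
TDS_LOGIN_FRAGMENT = bytes.fromhex(
    "73 00 61 00 d3 a5 f2 a5 b3 a5 82 a5"
    "e3 a5 33 a5 f2 a5 73 a5 53 00 51 00 4c 00 20 00"
    "51 00 75 00 65 00 72 00 79 00 20 00 41 00 6e 00"
    "61 00 6c 00 79 00 7a 00 65 00 72 00 66 00 61 00"
    "6c 00 63 00 6f 00 6e 00 2e 00 67 00 75 00 61 00"
    "72 00 64 00 69 00 75 00 6d 00 2e 00 63 00 6f 00"
    "6d 00 4f 00 44 00 42 00 43 00"
)
TDS_PASSWORD_FIELD = TDS_LOGIN_FRAGMENT[4:20]  # 8 UTF-16LE code units


def _read_clr(buf, pos):
    """Read one TTC string as it appears in this dump: a length byte, then
    that many bytes. (Strings of 64 bytes or more use a chunked form with a
    0xFE lead byte; none occur here and it is not handled.)"""
    n = buf[pos]
    if n == 0xFE or pos + 1 + n > len(buf):
        raise EOFError("truncated or chunked string")
    return bytes(buf[pos + 1:pos + 1 + n]), pos + 1 + n


def parse_ttc_key_values(buf):
    """Walk the (ub4 key length, key, ub4 value length, value, ub4 flags)
    entries seen in the dump. Returns [(key, value, flags), ...] and stops
    cleanly when the capture ends in the middle of an entry."""
    pairs, pos = [], 0
    try:
        while pos + 4 <= len(buf):
            klen = struct.unpack_from("<I", buf, pos)[0]
            pos += 4
            key, val = b"", b""
            if klen:
                key, pos = _read_clr(buf, pos)
            vlen = struct.unpack_from("<I", buf, pos)[0]
            pos += 4
            if vlen:
                val, pos = _read_clr(buf, pos)
            flags = struct.unpack_from("<I", buf, pos)[0]
            pos += 4
            pairs.append((key.decode("latin-1"),
                          val.decode("latin-1").rstrip("\0"), flags))
    except (EOFError, IndexError, struct.error):
        pass  # capture ends mid-pair (the dump skips 0x0150 onward)
    return pairs


def oracle_client_identity(buf):
    """The fields a monitor would store per session: terminal, program,
    machine and PID. The AUTH_PASSWORD token is deliberately left out."""
    return {k: v for k, v, _ in parse_ttc_key_values(buf) if k != "AUTH_PASSWORD"}


def decode_tds7_password(field):
    """Undo the LOGIN7 password transform from MS-TDS: each byte was
    nibble-swapped and then XORed with 0xA5. Obfuscation, not encryption."""
    raw = bytes(((b ^ 0xA5) & 0x0F) << 4 | (b ^ 0xA5) >> 4 for b in field)
    return raw.decode("utf-16-le")


def extract_utf16le_strings(buf, min_chars=2):
    """Printable UTF-16LE runs in a capture fragment. Without the LOGIN7
    offset table (omitted from the dump) adjacent fields run together."""
    pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_chars
    return [m.group().decode("utf-16-le") for m in re.finditer(pattern, buf)]


if __name__ == "__main__":
    print("Oracle:", oracle_client_identity(ORACLE_AUTH_KV))
    print("SQL Server strings:", extract_utf16le_strings(TDS_LOGIN_FRAGMENT))
    print("SQL Server password:", decode_tds7_password(TDS_PASSWORD_FIELD))
```

The Oracle record that comes out (terminal, program name, machine, client PID) is exactly the tuple a monitoring repository needs for the baseline and alerting steps listed later in this section; a login from an unexpected AUTH_PROGRAM_NM or AUTH_MACHINE is the divergence you would alert on. The SQL Server side decodes the application name, server name and library name, and recovers the "sa" password from the obfuscated field, which is the strongest argument for forcing encrypted TDS logins on any network where packets can be captured.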
SQL Server:

0000  00 10 db 46 3e 74 00 0d 56 b2 05 34 08 00 45 00  ...F>t..V..4..E.
0010  00 ec 52 8c 40 00 80 06 22 72 c0 a8 01 a8 c0 a8  ..R.@..."r......
0080  00 00 bc 00 00 00 00 90 4b 66 eb 31 00 00 00 00  ........Kf.1....
0090  bc 00 00 00 73 00 61 00 d3 a5 f2 a5 b3 a5 82 a5  ....s.a.........
00a0  e3 a5 33 a5 f2 a5 73 a5 53 00 51 00 4c 00 20 00  ..3...s.S.Q.L. .
00b0  51 00 75 00 65 00 72 00 79 00 20 00 41 00 6e 00  Q.u.e.r.y. .A.n.
00c0  61 00 6c 00 79 00 7a 00 65 00 72 00 66 00 61 00  a.l.y.z.e.r.f.a.
00d0  6c 00 63 00 6f 00 6e 00 2e 00 67 00 75 00 61 00  l.c.o.n...g.u.a.
00e0  72 00 64 00 69 00 75 00 6d 00 2e 00 63 00 6f 00  r.d.i.u.m...c.o.
00f0  6d 00 4f 00 44 00 42 00 43 00                    m.O.D.B.C.

Sybase:

0000  00 10 db 46 3e 74 00 0d 56 b2 05 34 08 00 45 00  ...F>t..V..4..E.
0010  02 28 5b f2 40 00 80 06 17 ce c0 a8 01 a8 c0 a8  .([.@...........
0020  02 17 13 00 10 04 b7 42 ea 41 8d 06 b9 43 50 18  .......B.A...CP.
0030  fa f0 2a 93 00 00 02 00 02 00 00 00 00 00 72 6f  ..*...........ro
0040  6e 2d 73 6e 79 68 72 38 35 67 39 64 6a 00 00 00  n-snyhr85g9dj...
0050  00 00 00 00 00 00 00 00 00 00 00 00 0f 73 61 00  .............sa.
00b0  00 00 00 00 00 00 00 00 00 01 02 00 06 04 08 01  ................
00c0  01 00 00 00 00 02 00 00 00 00 41 71 75 61 5f 44  ..........Aqua_D
00d0  61 74 61 5f 53 74 75 64 69 6f 00 00 00 00 00 00  ata_Studio......
00e0  00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00  ................
0200  00 00 00 00 00 00 00 0a 05 00 00 00 6a 43 6f 6e  ............jCon
0210  6e 65 63 74 00 00 08 00 05 00 05 00 0c 10 75 73  nect..........us
0220  5f 65 6e 67 6c 69 73 68 00 00 00 00 00 00 00 00  _english........
0230  00 00 00 00 00 00                                ......

Regardless of whether you are using network information or internal tables, getting the raw data is just the first step. Once this data is accessible, the following steps are required to support the desired monitoring:

1. Continuously collect this information through interception or polling.
2. Save this information to some kind of repository.
3. Use reporting tools to create usable reports and monitors that can support ad hoc queries, filters, and aggregation.
4. Create a baseline for what is allowed and what is normal.
5. Use alerting tools to warn you of divergence from the baseline.

3.4 Remove unnecessary network libraries

Clients connecting to the database can use various networking protocols. Because there are many networks and protocols, most databases can be accessed using more than one client-server mechanism. While today's networks are almost always TCP/IP networks, 15 years ago the networking world was far more fragmented, and databases had to support many more networking environments than they do today. Therefore, all of the major database vendors allow you to run the database protocol (the proprietary request/response communications carrying the SQL) over many networking protocols. However, the fact that you can do something doesn't mean that you should do it, and the main lesson of this section is that if you don't need to use a certain networking option, you should disable it. The fact that you're not using it doesn't mean that a hacker will not use it.

3.4.1 SQL Server (and Sybase) networking layers

Any good software is built as layers, with each layer depending on application program interfaces (APIs) provided by the lower layer. The APIs form a higher-level abstraction that shields one software layer from the complexities implemented by the lower layer. This is especially true for the networking layers in database products, where the database engine does not need to understand how a SQL call came in from a client or how the response is going to be returned to the client. It doesn't care which network this will go over, nor about the intricacies of the protocols.

The SQL Server networking architecture shown in Figure 3.6 is a great example of this layering concept. In SQL Server, components called net libraries (netlibs) shield both the client and the server from the networks. An example of how SQL Server uses these components is as follows:

1. The client application calls the OLE DB, ODBC, DB-Library, or Embedded SQL API.
2. The OLE DB provider, ODBC driver, or DB-Library DLL calls a client netlib.
3. The calls are transmitted to a server netlib by the underlying protocol. Local calls are transmitted using a Windows interprocess communication mechanism, such as shared memory or local named pipes. Remote calls use the network-specific netlib to communicate with the netlib on the server.
4. The server netlib passes the requests coming from the client to the database engine.

The response follows a similar path, starting with the server-side netlibs communicating to the client netlibs.

Microsoft classifies netlibs as primary or secondary libraries. The OLE DB provider, the ODBC driver, the DB-Library DLL, and the database engine communicate directly with only the two primary netlibs:

1. By default, local connections between an application and a server on the same computer use the Shared Memory primary netlib. This is not shown in Figure 3.6 because it does not traverse the network.
2. Network communications use the Super-socket primary netlib. The Super-socket netlib uses secondary netlibs in one of two ways: if you choose TCP/IP or NWLINK IPX/SPX, the Super-socket netlib connects directly using a Windows socket API. If you use Named Pipes, Virtual Interface Architecture (VIA) SAN, Multiprotocol, AppleTalk, or Banyan VINES, the Super-socket netlib calls the netlib router, loads the secondary netlib for the chosen protocol, and routes all netlib calls to it.

Figure 3.6 SQL Server networking architecture.

By the way, if you have a Sybase environment, you can probably see that the resemblance is striking. SQL Server was originally Sybase on NT (co-developed by Microsoft and Sybase), and the networking layers are all based on the original Sybase networking layers, so the SQL Server and Sybase networking architectures are very similar.

You can disable and enable the various networking options using the Server Network Utility, as shown in Figure 3.7. If you click the Network Libraries tab, you will see the dynamic link libraries (DLLs) used as the primary and secondary netlibs. The General tab allows you to select the precise set of netlibs with which the server will work. For each protocol you can click on the Properties button to select protocol-specific attributes. For example, if you click the Properties button for TCP/IP, you can change the default port of 1433 (Figure 3.8(a)), and if you click the Properties button when selecting Named Pipes, you can change the default pipe name (Figure 3.8(b)). When you install a client you have an equivalent Client Network Utility that allows you to configure which protocols the client will be using (and the order in which the client netlibs are tried if more than one option is available).

Figure 3.7 Using the SQL Server Network Utility to enable or disable protocol support.

3.4.2 DB2 networking layers

DB2 UDB's networking options include TCP/IP, IPX/SPX, Named Pipes, NetBIOS, and APPC. Advanced Program-to-Program Communication (APPC) is an implementation of the IBM SNA/SDLC LU6.2 protocol that allows interconnected systems to communicate and share the processing of programs; if you haven't had the need to know what this means until now, you probably never will, because it is a construct that is mainly relevant to the mainframe world. Not all options are available for all platforms; for example, APPC is available for Windows clients when accessing a Solaris server but not when accessing a Linux server.
DB2 communication options are usually defined automatically when DB2 is installed; it senses which communication protocols are available on the host and adjusts the definitions appropriately. If you would like to reduce the number of installed protocols, you can use the Control Center. Use the left tree view to navigate to the instance you wish to configure, then right-click and select Setup Communications. This will allow you to choose which networking libraries are enabled and which are not (see Figure 3.9), as well as set up properties for each communication type (e.g., changing the port from the default 50000 for TCP/IP communications).

Figure 3.8 (a) Setting the TCP/IP port; (b) Setting the named pipe.

Figure 3.9 Selecting communication options for DB2 UDB (on Windows).

3.4.3 Oracle networking layers

Oracle also supports many protocol options. Before looking at these options and how you can configure them, let's briefly look at the networking architecture, starting with how requests are communicated to the server.

Oracle has several configuration options that affect the server-side process architecture. For example, Oracle may be configured to create a process for each user connection or to use a multithreaded configuration in which only a thread (as opposed to a heavyweight process) is created per user connection. In order not to overcomplicate the discussion here, let's assume a multithreaded server (MTS) configuration. The networking architecture may differ slightly in other environments, but this is not significant.

In addition to the Oracle server processes, another process, the network listener, is installed and running on your machine. The listener is part of Net9 (or Net8, Oracle Net, or SQL*Net; the name varies by version). The listener is key in making the connection to the server. In fact, when using shared servers and MTS, a client must connect through the listener even if it is running on the same host as the server process; if a client cannot use the network libraries, it will connect using a dedicated server, which puts unnecessary load on the database.

After communication has been initiated with the listener, the listener assigns a dispatcher. An MTS can have many dispatchers, which are shared among all clients and manage queues of requests. The listener assigns the dispatcher with the lightest load, and the client continues all communications directly with the dispatcher. The request and response queues are managed by the dispatchers and are part of the System Global Area (SGA). The dispatcher's only responsibility is to populate the request queues and communicate results from the response queues back to the client; the Oracle server processes do the actual processing of the SQL requests, as shown in Figure 3.10.

The software modules that allow a client application to talk to Oracle are collectively called the Program Interface. This includes the following:

- The Oracle Call Interface (OCI)
- The Oracle runtime library (SQLLIB)
- The Oracle Net (or SQL*Net/Net8/Net9) protocol-specific drivers
- The server-side modules that receive the requests. These are called the Oracle Program Interface (OPI).

The Oracle listener can be configured to use several network protocols, including TCP/IP, Named Pipes, IPX/SPX, and LU6.2/APPC. The specification of which protocols are enabled per listener is defined in listener.ora. Alternately, you can use either the Oracle Net Configuration Assistant or the Oracle Net Manager to enable or disable protocols. The Oracle Net Configuration Assistant can help you configure both the server-side and the client-side protocols that will be used. In the first case, the file that will be changed is listener.ora, and in the second case it is tnsnames.ora. You determine whether you want to specify protocols for the client or for the server on the first screen of the Oracle Net Configuration Assistant, as shown in Figure 3.11.

Figure 3.10 Handling of client requests in Oracle: high-level process flow.

To define protocols supported by the server, select Listener configuration and click Next. Then select Configure and click Next. You can now enable network protocols by selecting one from the Available Protocols list and moving it to the Selected Protocols list, as shown in Figure 3.12. Click Next and Finish when you're done.

Figure 3.11 Using the Oracle Net Configuration Assistant to configure client-server protocols.

Figure 3.12 Enabling protocols for an Oracle server.

You can also use the Oracle Net Manager to select a listener and add as many addresses as you need; each address definition is shown as a tab on the right pane, and each defines a protocol, as shown in Figure 3.13.

On the client side, you need to have appropriate entries in tnsnames.ora. You can edit the file manually or use the Oracle Net Configuration Assistant. In the starting screen (Figure 3.11), select Local Net Service Name configuration and click Next. You can then select to add, reconfigure, delete, rename, or test an entry. Then you select the network protocol for that service name, as shown in Figure 3.14.

3.4.4 Implementation options: Use TCP/IP only

As mentioned in the previous subsections, each vendor allows you to disable or enable the various protocols on which the server is listening. Unless you have an unconventional (i.e., non-TCP/IP) environment, my suggestion is that you disable all protocols except TCP/IP.
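The GUI tools described in 3.4.3 write their result into listener.ora, which makes the "TCP/IP only" recommendation something you can verify from the file rather than by clicking through the assistant on every server. The block below is an added example for this page, not code from the book: it parses the parenthesised NAME = value syntax that listener.ora (and tnsnames.ora and sqlnet.ora) use, collects every ADDRESS entry at any nesting depth, and reports those whose PROTOCOL is not on an allow list. The sample file is constructed for the example; the protocol names TCP, TCPS, IPC and NMP (Named Pipes) are Oracle Net's. IPC is left on the allow list because it only serves local connections and never traverses the network.

```python
"""Audit an Oracle listener.ora for listening addresses on protocols other
than TCP/TCPS/IPC. Added example; not code from the book."""
import re

# Constructed sample, not a real deployment. The NMP (Named Pipes) entry is
# the kind of leftover this check is meant to catch.
SAMPLE_LISTENER_ORA = """\
# listener.ora (constructed sample)
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example.test)(PORT = 1521))
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1))
      (ADDRESS = (PROTOCOL = NMP)(SERVER = dbhost)(PIPE = ORAPIPE))
    )
  )
"""

SAFE_PROTOCOLS = {"TCP", "TCPS", "IPC"}


def _parse_value(tokens, i):
    """Parse either a scalar or a run of (NAME = value) groups starting at
    token i. Returns (value, index of the next unread token); a run of
    groups becomes a list of (name, value) tuples."""
    if i < len(tokens) and tokens[i] == "(":
        items = []
        while i < len(tokens) and tokens[i] == "(":
            if i + 2 >= len(tokens) or tokens[i + 2] != "=":
                raise ValueError(f"expected NAME = ... at token {i}")
            name = tokens[i + 1]
            value, i = _parse_value(tokens, i + 3)
            if i >= len(tokens) or tokens[i] != ")":
                raise ValueError(f"unbalanced parenthesis near {name}")
            i += 1
            items.append((name, value))
        return items, i
    if i >= len(tokens):
        raise ValueError("unexpected end of file")
    return tokens[i], i + 1


def parse_oracle_net_file(text):
    """Parse the NAME = value syntax shared by listener.ora, tnsnames.ora and
    sqlnet.ora into a list of (name, value) tuples. '#' starts a comment."""
    text = re.sub(r"#.*", "", text)
    tokens = re.findall(r"[()=]|[^\s()=]+", text)
    params, i = [], 0
    while i < len(tokens):
        name = tokens[i]
        if i + 1 >= len(tokens) or tokens[i + 1] != "=":
            raise ValueError(f"expected '=' after {name!r}")
        value, i = _parse_value(tokens, i + 2)
        params.append((name, value))
    return params


def iter_addresses(params, path=()):
    """Yield (dotted path, {KEY: value}) for every ADDRESS group, however
    deeply it is nested inside DESCRIPTION_LIST / DESCRIPTION / ADDRESS_LIST."""
    for name, value in params:
        if not isinstance(value, list):
            continue
        here = path + (name.upper(),)
        if name.upper() == "ADDRESS":
            yield ".".join(here), {k.upper(): v for k, v in value
                                   if not isinstance(v, list)}
        else:
            yield from iter_addresses(value, here)


def listener_protocols(text):
    """The set of protocols the listener would accept connections on."""
    return {a.get("PROTOCOL", "").upper()
            for _, a in iter_addresses(parse_oracle_net_file(text))}


def audit_listener(text, allowed=SAFE_PROTOCOLS):
    """(path, protocol, address params) for each address not on the allow
    list, i.e. the entries to remove before the listener is restarted."""
    return [(path, addr.get("PROTOCOL", "").upper(), addr)
            for path, addr in iter_addresses(parse_oracle_net_file(text))
            if addr.get("PROTOCOL", "").upper() not in allowed]


if __name__ == "__main__":
    print("protocols:", sorted(listener_protocols(SAMPLE_LISTENER_ORA)))
    for path, proto, addr in audit_listener(SAMPLE_LISTENER_ORA):
        print(f"remove {path}: PROTOCOL={proto} {addr}")
```

Run against the sample, the audit flags the single NMP address and leaves the TCP and IPC entries alone. The same parser reads tnsnames.ora, so the client side can be checked the same way by auditing the ADDRESS entries under each net service name. For SQL Server 2000 the equivalent state is not a text file: the Server Network Utility edits the ProtocolList value under the SuperSocketNetLib registry key of the instance, and that value is what an automated check would read.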
Another protocol that I've found to exist in the real world is Named Pipes, and you've already seen that you can enable Named Pipes with any of the major database vendors. Named Pipes uses a generic protocol called Server Message Block (SMB, which is explained further in Appendix 3.B). SMB is a stable protocol that has proven itself through the years. In the

Figure 3.13 Protocol definitions using Oracle Net Manager.

[...]

Oracle Security Handbook by Theriault and Newman (McGraw-Hill, 2001)

[...]

3.6 Secure services from known network attacks

(port listing, excerpt)
135/tcp   open  loc-srv
139/tcp   open  netbios-ssn
443/tcp   open  https
1025/tcp  open  NFS-or-IIS
1030/tcp  open  iad1
1039/tcp  open  unknown
1040/tcp  open  unknown
1433/tcp  open  ms-sql-s
1521/tcp  open  oracle
1723/tcp  open  pptp
1748/tcp  open  unknown
1754/tcp  open  unknown
1808/tcp  open  unknown
1809/tcp  open  unknown
2030/tcp  open  device2
3339/tcp
3372/tcp

[...]

(connection listing, excerpt)
                      ron-snyhr85g9dj.mshome.net:3218  TIME_WAIT
ron-snyhr85g9dj:1830  ron-snyhr85g9dj.mshome.net:3234  TIME_WAIT
ron-snyhr85g9dj:3200  ron-snyhr85g9dj.mshome.net:5500  TIME_WAIT
ron-snyhr85g9dj:3215  ron-snyhr85g9dj.mshome.net:5500  TIME_WAIT
ron-snyhr85g9dj:3231  ron-snyhr85g9dj.mshome.net:5500  TIME_WAIT
ron-snyhr85g9dj:3242  ron-snyhr85g9dj.mshome.net:5500  ESTABLISHED
ron-snyhr85g9dj:3244  ron-snyhr85g9dj.mshome.net:5500

[...]

(session connection information, excerpt; the last column is NETWORK_SERVICE_BANNER)
138  DATABASE  RON-SNYHR85G9DJ\ronb  Oracle Advanced Security: NTS authentication service adapter for 32-bit Windows: Version 2.0.0.0.0
138  DATABASE  RON-SNYHR85G9DJ\ronb  Oracle Advanced Security: encryption service for 32-bit Windows: Version 10.1.0.2.0 - Production
138  DATABASE  RON-SNYHR85G9DJ\ronb  Oracle Advanced Security: crypto-checksumming service for 32-bit Windows: Version

[...]

NTLMSSP stands for the NTLM Security Support Provider, and NTLM stands for NT LAN Manager. NTLM is an authentication protocol used in various Microsoft network protocol implementations and supported by the NTLM Security Support

[...]

3.B Named Pipes and SMB/CIFS

Table 3.A SMB Commands (continued, excerpt)

Command            Description
process echo       Request echo from server
read & execute     Read file and execute next command
find & close       Search for file and close directory (UNIX)
read and hide      Read directory ignoring hidden files
find & close OS/2  Search for file and close directory (OS/2)
read block mplex   Read block data
lock and read      Lock and read byte range
unlock bytes       Release a locked byte range
lock bytes         Lock specified byte range
write & close      Write to and close specified file handle
lock/unlock & X    Lock/unlock bytes and execute next command
write & execute    Write to file and execute next command
logoff & execute   Log off and execute next command
write & unlock     Write to and unlock a byte range