Secure PostgreSQL Deployments

Size: px

Start display at page:

Download "Secure PostgreSQL Deployments"

Dora Adams
8 years ago
Views:

1 Secure PostgreSQL Deployments pgcon.br 2009 Campinas, Brazil Magnus Hagander Redpill Linpro AB

2 There's much to security Identify the threats Apply the correct measures Don't do things just because you can

3 Not in this talk Application security Data Access Control Data Encryption etc etc

4 Definitely not in this talk Unix vs Windows Linux vs BSD SELinux/SEPostgreSQL Any other religion

5 In this talk! Authentication methods Connection security

6 Authentication methods How do we determine who the user is When do we determine who the user is

7 pg_hba.conf Lets you use different auth methods from different clients Not just limited to username/password For convenience or security Internal or external

8 Trust Authentication Any user can be anyone he/she claims to be!

9 Trust Authentication Any user can be anyone he/she claims to be! Anyone think this is a bad idea?

10 Username/password Normally, use md5 method crypt has been removed, avoid plaintext What everybody does What everybody expects

11 ident Local unix credentials Very good! Default for most packaged versions Never use over the network

12 LDAP authentication To the client, username/password Backend verification is off-loaded to directory server Common in enterprise deployments Password policies, expiry, etc

13 LDAP authentication Single password not single signon 1. Connect 2. Request password 3. Send password PostgreSQL Server Client LDAP Server

14 Kerberos/GSSAPI/SSPI Single signon Same benefits as LDAP (mostly) Most common: Active Directory («krb5» is deprecated)

15 Kerberos/GSSAPI/SSPI Single password not single signon 3. Present ticket PostgreSQL Server Client 1. Request ticket 2. Return ticket KDC

16 Provided by OS PAM Can do password, LDAP, etc Can also do Kerberos & friends One-time passwords RSA SecurID, Vasco, etc RADIUS

17 SSL

18 SSL secured connections Encryption Man-in-the-middle protection Authentication

19 SSL secured connections Enabled on the server (ssl=yes) Platform quirks! Optionally required through pg_hba Optionally required in libpq

20 SSL secured connections Need to protect data in both directions For example username/password Must know before connection is started Unknown equals unprotected

21 SSL encryption SSL always requires a server certificate Can be self-signed Does not need to be known by client

22 Certificate chains Issuer Root certificate Issuer Intermediate certificate Issuer Server certificate

23 Issuer Certificate chains Root certificate Self-signed certificate Issuer Intermediate certificate Issuer Server certificate

24 SSL secured connections Client Server

25 Threats handled by SSL: Eavesdropping SELECT * FROM secret_stuff Client Server

26 Eavesdropping Prevented by encrypting all data Key negotiation is automatic On initial connection After 512Mb traffic Server certificate used but not verified

27 Threats handled by SSL: Man in the middle Valid SSL session Valid SSL session Fake server Client Server

28 SSL server verification On top of encryption Validate that the server is who it claims to be CA issues certificate, can be selfsigned CA certificate known by client

29 Threats handled by SSL: Man in the middle Valid SSL session Fake server Client Server

30 SSL client authentication On top of encryption Normally on top of server verificateion, but not necessary CA issued certificate on client Match CN on certificate to user id Protect client certificate!

31 SSL client authentication 1. Present certificate PostgreSQL Server Client

32 SSL in libpq Controlled by sslmode parameter Or environment PGSSLMODE For security, must be set on client Remember, unknown = unsecure

33 Summary of libpq SSL modes Client Mode Protect against Compatible with server set to... Performance Eavesdrop MITM SSL required SSL disabled overhead disable no no FAIL works no allow no no works works If necessary prefer no no works works If possible require yes no works FAIL yes verify-ca yes yes works FAIL yes verify-full yes yes works FAIL yes

34 Summary of libpq SSL modes Client Mode Protect against Compatible with server set to... Performance Eavesdrop MITM SSL required SSL disabled overhead disable no no FAIL works no allow no no works works If necessary prefer no no works works If possible require yes no works FAIL yes verify-ca yes yes works FAIL yes verify-full yes yes works FAIL yes

35 Summary of libpq SSL modes Client Mode Protect against Compatible with server set to... Performance Eavesdrop MITM SSL required SSL disabled overhead disable no no FAIL works no allow no no works works If necessary prefer no no works works If possible require yes no works FAIL yes verify-ca yes yes works FAIL yes verify-full yes yes works FAIL yes

36 Summary of libpq SSL modes Client Mode Protect against Compatible with server set to... Performance Eavesdrop MITM SSL required SSL disabled overhead disable no no FAIL works no allow no no works works If necessary prefer no no works works If possible require yes no works FAIL yes verify-ca yes yes works FAIL yes verify-full yes yes works FAIL yes

37 Not a bad idea: ipsec If already deployed Application transparent Global policies Integrated management Somebody Elses Problem?

38 Secure PostgreSQL Deployments Questions?

Encrypted PostgreSQL

Encrypted PostgreSQL PGCon 2009 Ottawa, Canada Magnus Hagander Redpill Linpro AB Decide what your threat is Everything comes at a cost Performance or maintainability Encryption for the sake of encryption?