Database security scheme of campus network

Source: Internet
Author: User
Tags: access, database, virtual environment

Background

Recently, the "Economic Reference Newspaper" reported that China's colleges and universities have become the hardest-hit area for information leakage: between 2014 and March 2015, a vulnerability analysis platform displayed more than 3,495 valid vulnerabilities in university websites. Some of these vulnerabilities resulted in the disclosure of personal information about faculty or students. Ma Minghu, director of the Research Center for Information Security Law at Xi'an Jiaotong University, said that because universities involve a large number of students and professors, and many important institutions also carry national research and military projects, they could become targets for criminals.

With the rapid construction of campus informatization, education clouds have sprung up, and virtualization has brought new security problems: business network boundaries disappear, traditional security measures cannot be deployed, and centralized data storage multiplies the risk of leaks.

Analysis of database security status

Most university campus network systems adopt a B/S (browser/server) structure deployed in a virtualized way, with the systems cooperating with one another, and a large part of students' and staff's basic data is placed directly on the network. An application system is easily used as a springboard: by exploiting a database vulnerability, an attacker goes straight into the database and accesses its data.

On the intranet, as application systems expand, more and more information systems belong to many developers, and third-party maintenance personnel, testers, data administrators and others have the opportunity to access business, financial and other core databases with ease.

In the course of using the database there will be weak passwords, maintenance accounts that are never removed, low security configuration, over-allocated permissions, dangerous code and other security risks; in the virtual environment, a new business information system may also carry vulnerabilities in the database itself or patches that have not been applied.

[Figure: xiaoyuan-1.jpg]


Therefore, a number of data leakage and tampering paths form in the campus network information system:

Risk ①: SQL injection and database vulnerability attacks by external hackers on the Internet;

Risk ②: Bulk export of data from the external-network database by program developers and third-party operation and maintenance staff;

Risk ③: Malicious use and misoperation of the database by intranet development, operation and maintenance staff and DBAs;

Risk ④: Database vulnerabilities and bulk data export in the production area;

Risk ⑤: Incomplete records of teaching staff application operations and of financial and one-card settlement operations.

Solution

Strategy 1: Prevent external hackers' SQL injection attacks

Once the database firewall is inserted in series (in-line), it effectively shields the back-end database from the complicated network environment and constructs a protection state similar to that of an intranet. When an attacker attempts to "brush the library" (dump the back-end database in bulk) by SQL injection through a web application, the database firewall has multiple lines of defense to prevent the injection from succeeding.

The first line of defense is application identity: only SQL statements from legitimate applications can reach the database through the firewall. Other login tools and applications cannot access the back-end database through the firewall, which ensures that data is accessed only by the designated applications.

The second line of defense is the fully automatic defense mode. The system provides a default SQL injection feature library and, by matching SQL statements against the injection feature descriptions, detects and blocks "SQL injection" behaviour. It also provides a virtual patching function that creates a security layer at the network layer outside the database, so that database vulnerabilities are protected even when the user has not patched; SQL statements bearing the attack characteristics of "extended scripts" and "buffer overflows" are intercepted directly.

The third line of defense is the manual defense mode. Through the database firewall you can manually configure the allow/deny model, classify SQL by the syntax structure of the statement itself, and manually add new SQL injection features through custom models for effective interception.

Database vulnerability attack prevention and control: enable the virtual patch configuration policy to protect against database vulnerabilities.

Strategy 2: Building a trusted database security access environment

[Figure: xiaoyuan-2.jpg]

1) Trusted on the network: after the database firewall is inserted in series, hackers cannot bypass the database firewall to access the database directly.

2) Trusted application servers: through IP/MAC binding, ensure that only authorized servers and devices access the database.

Strategy 3: Effective and safe supervision of database operation and maintenance

Against "brush library" behaviour, the batch export of sensitive data through an application backdoor, the first step is to build a behaviour model of the core applications. During the database firewall's learning period, all SQL statements from legitimate applications are captured and collected into a "white list", so that legitimate statements are not misjudged. After a refinement period, the firewall is switched to the protection period. From then on, if sensitive data is exported in bulk through a backdoor in a web-accessed application, the database firewall reports a "new statement"; such statements belong to the "gray list", and the security administrator judges the risk of each statement according to the circumstances, preventing the bulk export of sensitive information through backdoors.
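The following Python script is an added example (not code from the original article or from any database firewall product) that models the three lines of defense of Strategy 1 and the learning period, white list and gray list of Strategy 3 in one small policy engine. Everything in it is an assumption for illustration: the registered application identities, the tiny feature library, the "syntax structure" normalization that turns a statement into a template, and the sample statements. A real firewall classifies SQL with a proper parser and ships a much larger feature library; the point here is the control flow: identity first, then the automatic feature library (including virtual-patch style rules), then the learned white list, with anything unseen reported for administrator judgment.

```python
import re

# Constructed registry of application identities (client IP, declared program
# name) that are allowed through the firewall. Values are examples only.
TRUSTED_APPS = {
    ("10.0.1.10", "edu_portal"),
    ("10.0.1.11", "onecard_billing"),
}

# Small illustrative injection / virtual-patch feature library: a regex over the
# raw statement and the label reported on a hit. A product ships far more.
FEATURE_LIBRARY = [
    (r"\bunion\b\s+(?:all\s+)?select\b", "union-based injection"),
    (r"\bor\b\s+(?:\d+|'[^']*')\s*=\s*(?:\d+|'[^']*')", "tautology"),
    (r";\s*(?:drop|alter|truncate|exec|shutdown)\b", "stacked statement"),
    (r"'\s*(?:--|/\*)", "quote followed by comment (truncation)"),
    (r"\b(?:waitfor\s+delay|sleep\s*\(|benchmark\s*\()", "time-based probe"),
    (r"\bxp_\w+", "extended stored procedure (virtual patch)"),
    (r"'[^']{512,}'", "oversized literal (buffer overflow probe, virtual patch)"),
]


def normalize(sql):
    """Reduce a statement to its syntax-structure template: literals become '?',
    IN-lists collapse to one placeholder, whitespace and case are folded. Two
    statements that differ only in their values share a template."""
    s = re.sub(r"'(?:[^']|'')*'", "?", sql)                 # string literals
    s = re.sub(r"\b\d+(?:\.\d+)?\b", "?", s)               # numeric literals
    s = re.sub(r"\(\s*\?(?:\s*,\s*\?)*\s*\)", "(?)", s)    # IN (?, ?, ?) -> IN (?)
    return re.sub(r"\s+", " ", s).strip().lower()


def match_feature(sql):
    """Return the label of the first feature-library entry that matches, else None."""
    for pattern, label in FEATURE_LIBRARY:
        if re.search(pattern, sql, re.IGNORECASE):
            return label
    return None


class DatabaseFirewall:
    """Policy engine with a learning period (build the white list) and a
    protection period (enforce it, hold unknown templates on the gray list)."""

    def __init__(self):
        self.mode = "learning"
        self.whitelist = set()   # templates captured from legitimate applications
        self.gray_list = []      # (template, client_ip, raw sql) awaiting judgment

    def start_protection(self):
        self.mode = "protection"

    def approve(self, template):
        """The administrator judged a gray-list template legitimate."""
        self.whitelist.add(template)
        self.gray_list = [g for g in self.gray_list if g[0] != template]

    def check(self, client_ip, app_name, sql):
        """Return (verdict, reason); verdict is 'allow', 'block' or 'review'."""
        # Line 1: application identity, only registered applications pass.
        if (client_ip, app_name) not in TRUSTED_APPS:
            return "block", "client is not a registered application"
        # Line 2: automatic mode, feature library plus virtual-patch rules.
        label = match_feature(sql)
        if label:
            return "block", "feature library hit: " + label
        template = normalize(sql)
        if self.mode == "learning":
            self.whitelist.add(template)
            return "allow", "learning period: template recorded"
        # Line 3 / Strategy 3: learned white list; anything unseen is reported
        # as a "new statement" and held on the gray list for the administrator.
        if template in self.whitelist:
            return "allow", "template on white list"
        self.gray_list.append((template, client_ip, sql))
        return "review", "new statement: awaiting administrator judgment"


def demo():
    """Exercise the engine on constructed traffic and return the verdicts."""
    fw = DatabaseFirewall()
    # Learning period: the applications' normal statements are captured.
    fw.check("10.0.1.10", "edu_portal", "SELECT name, dept FROM staff WHERE id = 1042")
    fw.check("10.0.1.11", "onecard_billing", "SELECT balance FROM onecard WHERE student_no = '20150321'")
    fw.start_protection()
    return [
        fw.check("10.0.1.10", "edu_portal", "SELECT name, dept FROM staff WHERE id = 77"),
        fw.check("10.0.1.10", "edu_portal", "SELECT name, dept FROM staff WHERE id = 77 OR 1=1"),
        fw.check("10.0.1.10", "edu_portal", "SELECT * FROM staff"),
        fw.check("203.0.113.5", "generic_client", "SELECT 1"),
    ]


if __name__ == "__main__":
    for verdict, reason in demo():
        print(verdict, "-", reason)
```

The four verdicts in `demo()` are allow (same template as a learned statement, different value), block (feature library hit), review (a template never seen in the learning period, the "new statement" case) and block (unregistered client). Note the order: the feature library runs before the white list, so a statement that matches a learned template but also carries an injection feature is still blocked.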

Database operations on the campus network are basically legitimate, but the possibility of exploitation or attack cannot be ruled out. Database auditing accurately records key business operations and the specific business operators behind them, provides an accurate basis for after-the-fact tracing and accountability, and raises alarms on risky database operations and illegal batch export behaviour.

It is recommended to use JTAP-based correlated auditing to achieve 100% accurate correlation to business users, so that accountability is precise when problems arise.

Strategy 4: Adapt to virtualized deployment so that database security is also available in the education cloud environment

Taking the database audit system as an example, the database audit server is deployed in the virtual environment using virtualization device management technology. The core of the audit server's internal data-stream interception is the network traffic mirroring function provided by the virtual switch's ports: the traffic of every virtual host that accesses the database is mirrored in real time to the listening port of the virtual audit server, which realizes data acquisition. This ensures that the data flows of all database accesses are captured accurately and promptly at the network layer and are then analyzed and processed by the database audit product.

This deployment method not only guarantees that all functions of the database audit product work normally, but is also transparent to the original virtual application platform and has no influence on it.

[Figure: xiaoyuan-3.jpg]

In the deployment diagram of the database audit product in a virtual environment, ESXi is a physical node running virtualization technology. In the virtual environment it runs three applications, APP1, APP2 and APP3, and their corresponding back-end databases DB1, DB2 and DB3. Dbaudit is a virtual machine on which the database audit product is deployed, and all devices communicate through the vSphere switch (virtual switch).

On the vSphere switch (virtual switch), port mirroring can be configured so that all network traffic accessing the databases is mirrored to the data acquisition port of the Dbaudit audit server. In the environment described, the Dbaudit audit server obtains the traffic accessing all three database virtual machines as long as the data of PORT2, PORT5 and PORT7 is mirrored to PORT8.

The Dbaudit audit server uses the mirrored Port 8 for data acquisition. At the same time, the virtual device provides external access through Port 9, over which the user configures and manages it. With VMware vSphere 5 and later, port mirroring can be implemented on virtual switches. The port mirroring configuration is done at the distributed switch level: the traffic sources to be monitored and the traffic destination to which the traffic is mirrored are identified to create a port mirroring session.
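The mirror session itself is configured on the distributed switch, as described above; what the audit server then does with the frames arriving on its acquisition port is the part a practitioner usually has to build or tune. The Python script below is an added example (not code from the article or from any audit product) of that collector side, covering both the audit record of "who ran which statement" from Strategy 3 and the mirrored-traffic acquisition of Strategy 4. It assumes the databases speak the MySQL wire protocol on TCP port 3306 (a real protocol: each packet is a 3-byte little-endian length, a 1-byte sequence id and a body, and a COM_QUERY body starts with the byte 0x03 followed by the statement text). The frames, hosts, table names and the bulk-export heuristic are all constructed for the example.

```python
import re
from dataclasses import dataclass

DB_PORT = 3306       # MySQL; only mirrored flows to this port are decoded
COM_QUERY = 0x03     # MySQL command byte that carries a text statement

# Constructed policy: unfiltered reads of these tables count as bulk export.
SENSITIVE_TABLES = {"student", "staff", "onecard_account", "salary"}


@dataclass
class Frame:
    """Stand-in for one TCP segment as it arrives on the audit server's mirror
    port (PORT8 in the article's diagram). Constructed for this example."""
    ts: float
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


def mysql_packets(payload):
    """Split a TCP payload into MySQL wire packets:
    3-byte little-endian body length, 1-byte sequence id, then the body."""
    off = 0
    while off + 4 <= len(payload):
        length = int.from_bytes(payload[off:off + 3], "little")
        seq = payload[off + 3]
        body = payload[off + 4:off + 4 + length]
        if len(body) < length:
            break  # truncated segment: a real collector buffers until the rest arrives
        yield seq, body
        off += 4 + length


def build_query_packet(sql):
    """Encode a COM_QUERY packet (sequence id 0); used only to construct sample traffic."""
    body = bytes([COM_QUERY]) + sql.encode("utf-8")
    return len(body).to_bytes(3, "little") + b"\x00" + body


def extract_queries(frame):
    """Return the SQL statements carried by a frame headed for the database port."""
    if frame.dst_port != DB_PORT:
        return []
    return [body[1:].decode("utf-8", errors="replace")
            for seq, body in mysql_packets(frame.payload)
            if seq == 0 and body and body[0] == COM_QUERY]


def bulk_export_alert(sql):
    """Heuristic for 'illegal batch export': SELECT ... INTO OUTFILE/DUMPFILE, or an
    unfiltered, unlimited SELECT against a sensitive table."""
    s = sql.strip().lower()
    if re.search(r"\binto\s+(?:outfile|dumpfile)\b", s):
        return "select into file"
    m = re.match(r"select\b.*?\bfrom\s+`?(\w+)`?", s, re.DOTALL)
    if m and m.group(1) in SENSITIVE_TABLES and not re.search(r"\b(?:where|limit)\b", s):
        return "unfiltered read of sensitive table " + m.group(1)
    return None


def audit(frames):
    """Turn mirrored frames into audit records: client host and port, database host,
    statement, and whether the statement trips the bulk-export alarm."""
    records = []
    for f in frames:
        for sql in extract_queries(f):
            records.append({
                "time": f.ts,
                "client": f"{f.src_ip}:{f.src_port}",
                "database": f.dst_ip,
                "sql": sql,
                "alert": bulk_export_alert(sql),
            })
    return records


def sample_frames():
    """Constructed traffic: a handshake-phase packet (seq 1, not a query), two
    statements in one segment from an application host, a bulk read from an
    operations host, and an HTTP frame the collector must ignore."""
    return [
        Frame(1.0, "10.0.2.21", 50110, "10.0.3.31", DB_PORT, b"\x01\x00\x00\x01\x00"),
        Frame(1.1, "10.0.2.21", 50110, "10.0.3.31", DB_PORT,
              build_query_packet("SELECT name FROM student WHERE id = 3001")
              + build_query_packet("UPDATE onecard_account SET balance = balance - 12 WHERE id = 3001")),
        Frame(2.0, "10.0.9.7", 41022, "10.0.3.31", DB_PORT,
              build_query_packet("SELECT * FROM student")),
        Frame(2.5, "10.0.2.21", 50200, "10.0.3.40", 80, b"GET /index.html HTTP/1.1\r\n\r\n"),
    ]


if __name__ == "__main__":
    for rec in audit(sample_frames()):
        print(rec)
```

Run as a script it prints three records: the two application statements without an alert and the unfiltered `SELECT * FROM student` from the operations host flagged as a bulk read. The client address in each record is what makes the later "accountability" step possible; correlating that address back to a named business user (the JTAP correlation the article recommends) is the piece this example leaves to the audit product.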


This article is from the Database Security blog; please keep this source when reproducing it: http://schina.blog.51cto.com/9734953/1672023
