Overview of database system security technical framework

Author: Lin Yusheng Cao Lei Zhang yaoyun Article Source: Shanghai computer user Association

1. Preface

With the rapid development of computer technology, the database has been widely used in various fields, but data security issues have emerged. Security issues of a large amount of data in databases of various application systems, as well as theft and tampering prevention of sensitive data have attracted more and more attention. As a collection of information, a database system is the core component of a computer information system. Its security is critical to the rise and fall of enterprises and national security. Therefore, how to effectively ensure the security of database systems and ensure the confidentiality, integrity, and effectiveness of data has become one of the most important topics for researchers in the industry, this article briefly discusses the anti-intrusion technology.

In addition to the internal security mechanisms, the security of the database system is closely related to factors such as the external network environment, application environment, and the quality of employees. Therefore, in a broad sense, the security framework of the database system can be divided into three layers:

(1) network system level;

(2) host operating system level;

(3) database management system level.

These three layers form a database system security system, which is closely related to data security. The importance of prevention is also enhanced layer by layer to ensure data security from the outside to the inside, from the table to the inside. Next we will discuss the three layers of the security framework.

2. Network System Level Security Technology

Broadly speaking, database security first depends on network systems. With the development and popularization of Internet, more and more companies transfer their core services to the Internet. Various Network-based database application systems have sprung up to provide various information services for network users. It can be said that the network system is the external environment and basis of database applications. to exert its powerful role, the support of the network system is indispensable. Users of the database system (such as remote users and distributed Users) you must also access the database data through the network. Network system security is the first barrier for database security. External intrusion begins with network system intrusion. Network intrusion attempts to undermine the integrity, confidentiality, or a set of trusted network activities of information systems. It has the following features:

A) without restrictions on regions and time, cross-border attacks are just as convenient as on-site attacks;

B) network-based attacks are often mixed in a large number of normal network activities, with high concealment;

C) intrusion means are more concealed and complex.

The open environment of computer network systems faces the following threats: a) Masquerade; B) resend (Replay); c) message Modification (Modification of message); d) denial of service (Deny); e) Trapdoor; f) Trojan horse; g) attacks such as Tunneling Attack and application software attacks. These security threats are always and ubiquitous. Therefore, effective measures must be taken to ensure system security.

From a technical point of view, there are many security technologies at the network system level, which can be divided into firewall, intrusion detection, and collaborative intrusion detection technologies.

(1) firewall. Firewall is the most widely used defense technology. As the first line of defense of the system, the main function of the system is to monitor access channels between a trusted network and an untrusted network, which can form a protection barrier between the internal network and the external network, intercept illegal access from the outside and prevent internal information leakage, but it cannot block illegal operations from inside the network. It determines whether to intercept inbound and outbound Information Based on preset rules, but it cannot dynamically identify or adapt to the rules. Therefore, its intelligence is limited. There are three main firewall technologies: packet filter, proxy, and stateful inspection ). Modern firewall products generally use these technologies together.

(2) intrusion detection. Intrusion Detection System (IDS) is a protection technology developed in recent years, using statistical technology, rule method, network communication technology, artificial intelligence, cryptography, reasoning, and other technologies and methods, it monitors network and computer systems for signs of intrusion or misuse. In 1987, Derothy Denning proposed for the first time the idea of detecting intrusions. After continuous development and improvement, Derothy Denning was used as a standard solution to monitor and identify attacks, the IDS system has become an important part of the security defense system.

Intrusion detection uses three types of analysis technologies: Signature, statistics, and data integrity analysis.

① Signature analysis method. It is mainly used to monitor attacks against known vulnerabilities of the system. People sum up their signatures in the attack mode and write them into the IDS system code. Signature Analysis is actually a template matching operation.

② Statistical analysis. Based on statistics, the system determines whether an action has deviated from the normal track based on the observed action pattern in normal use.

③ Data integrity analysis. Based on cryptography, it can verify whether a file or object has been modified by others.

IDS include network-based and Host-Based Intrusion monitoring systems, feature-based and Abnormal Intrusion monitoring systems, real-time and non-real-time intrusion monitoring systems.

(3) collaborative intrusion Monitoring Technology

The independent intrusion monitoring system cannot effectively monitor and respond to a wide range of intrusion activities. In order to make up for the lack of independent operation, people have proposed the idea of a collaborative intrusion monitoring system. In a collaborative intrusion monitoring system, IDS automatically exchanges information between intrusion monitoring components based on a unified specification, and effectively monitors intrusion through information exchange, it can be applied to different network environments.

3. host operating system level Security Technology

The operating system is the operating platform of a large database system, providing a certain degree of security protection for the database system. Currently, most operating system platforms are Windows NT and Unix, and the security level is usually C1 and C2. The main security technologies include operating system security policies, security management policies, and data security.

The operating system security policy is used to configure the security settings of the local computer, including password policy, account lock policy, Audit Policy, IP Security Policy, user permission assignment, data encryption recovery proxy, and other security options [7]. The details can be reflected in the user account, password, access permission, audit, and other aspects.

User Account: the "ID card" used by the user to access the system. Only valid users have an account.

Password: the user's password provides a verification for the user to access the system.

Access permission: Specifies the user's permissions.

Audit: tracks and records user behaviors, so that the system administrator can analyze system access conditions and trace user behavior afterwards.

Security management policies refer to the methods and policies adopted by network administrators to manage system security. Security management policies for different operating systems and network environments are generally different. The core of security management policies is to ensure server security and assign permissions to various users.

Data security mainly includes the following aspects: Data encryption technology, data backup, data storage security, and data transmission security. There are many technologies available, including Kerberos authentication, IPSec, SSL, TLS, VPN (PPTP, L2TP) and other technologies.

4. Database Management System-level security technology

The security of the database system depends largely on the database management system. If the security mechanism of the database management system is very powerful, the security performance of the database system will be better. Currently, relational database management systems are popular in the market, and their security functions are weak, which leads to some threats to the security of database systems.

Because the database systems are all managed in the form of files in the operating system, intruders can directly use the vulnerabilities of the operating system to steal database files, alternatively, you can use the OS tool to illegally forge or tamper with the contents of database files. This vulnerability is hard to detect by database users. Analysis and blocking of this vulnerability are considered B2-level security technical measures.

The layer security technology of the database management system is mainly used to solve this problem, that is, the security of the database data can still be guaranteed when the current two layers have been broken through, this requires a strong security mechanism for the database management system. One of the effective ways to solve this problem is that the database management system encrypts the database files so that even if the data is unfortunately leaked or lost, it is difficult to be decrypted and read.

We can consider how to encrypt database data at three different layers: the OS layer, the DBMS kernel layer, and the DBMS outer layer.

(1) encryption at the OS layer. On the OS layer, the Data Relationship in database files cannot be identified, and a reasonable key cannot be generated. Therefore, it is difficult to manage and use the key reasonably. Therefore, it is difficult to encrypt database files on the OS layer for large databases.

(2) implement encryption at the DBMS kernel layer. This type of encryption performs data encryption/Decryption before physical access. The advantage of this encryption method is that the encryption function is powerful, and the encryption function almost does not affect the DBMS function. It can achieve seamless coupling between the encryption function and the database management system. The disadvantage is that encryption is performed on the server, which increases the load on the server, and the interfaces between the DBMS and the encryptor need the support of the DBMS developer.

Tools defining encryption requirements

DBMS

Database Application System

Encryptor

(Software or hardware)

(3) implement encryption at the outer layer of the DBMS. The actual practice is to make the database encryption system an external tool of the DBMS, and automatically complete the encryption/de-password processing of the database data according to the encryption requirements:

Define encryption requirements tool encryptor

(Software or hardware)

DBMS

Database Application System

This encryption method is used for encryption. The encryption/de-encryption operation can be performed on the client. It does not increase the load on the database server and can implement encryption for online transmission, the disadvantage is that the encryption function is limited, and the coupling with the database management system is slightly poor.

Next we will further explain the principle of implementing the encryption function at the outer layer of the DBMS:

The database encryption system is divided into two main parts with independent functions: one is the encryption dictionary Management Program, and the other is the database encryption/de-Password engine. The database encryption system stores the user's specific encryption requirements for database information and basic information in the encryption dictionary, you can call the data encryption/Decryption engine to encrypt, decrypt, and convert database tables. Database Information Encryption/decryption is completed in the background and transparent to the database server.

Encryption dictionary management program

Encryption System

Applications

Database Encryption and de-Password Engine

Database Server

Encryption dictionary

User Data

The database encryption system implemented in the preceding method has many advantages: first, the system is completely transparent to the end users of the database, and the administrator can convert plaintext and ciphertext as needed. Second, the encryption system is completely independent of the database application system. Data Encryption can be implemented without modifying the database application system. Third, encryption and decryption are performed on the client without affecting the efficiency of the database server.

The database addition/Decryption engine is a database Addition