SlideShare uma empresa Scribd logo

Secure PostgreSQL deployment

Command Prompt., Inc
Command Prompt., Inc

Magnus Hagander PostgreSQL supports several options for securing communications when deployed outside the typical webserver/database combination. This talk will go into some details about the features that make this possible, with some extra focus on the changes in 8.4. The main areas discussed are: * Securing the channel between client and server using SSL, including an overview of the threats and how to secure against them * Securing the login process, using LDAP, Kerberos or SSL certificates, including the use of smartcards to log into the database The talk will not focus on security and access control inside the database once the user is connected and authenticated.

1 de 42
Baixar para ler offline
Secure PostgreSQL Deployments JDCon-East 2010 Philadelphia, PA Magnus Hagander Redpill Linpro AB
There's much to security ● Identify the threats ● Apply the correct measures – Don't do things just because you can
Not in this talk ● Application security ● Data Access Control ● Data Encryption ● etc ● etc
Definitely not in this talk ● Unix vs Windows ● Linux vs BSD ● SELinux/SEPostgreSQL ● Any other religion
In this talk! ● Authentication methods ● Connection security
Authentication methods ● How do we determine who the user is ● When do we determine who the user is
pg_hba.conf ● Lets you use different auth methods from different clients ● Not just limited to username/password ● For convenience or security ● Internal or external
pg_hba.conf local all all trust host all all 127.0.0.1/32 trust host webdb webuser 10.0.0.0/24 md5 host all @dba 192.168.0.0/24 gss
Trust Authentication ● Any user can be anyone he/she claims to be!
Trust Authentication ● Any user can be anyone he/she claims to be! ● Anyone think this is a bad idea?
Username/password ● Normally, use md5 method – crypt has been removed, avoid plaintext ● What everybody does ● What everybody expects
LDAP authentication ● To the client, username/password ● Backend verification is off-loaded to directory server ● Common in enterprise deployments ● Password policies, expiry, etc
LDAP authentication ● Single password not single signon PostgreSQL ct Server onne 1. C sw o rd pa s qu est ord 2. Re assw e nd p 3. S Client LDAP Server
LDAP news in 9.0 ● search/bind combination ● Can use non-cn fields in login – Anything that's LDAP searchable – Common choice: uid
RADIUS (new in 9.0) ● Remote Authentication Dial In User Service ● Simple single-packet UDP service ● Original use-case: ISP dialup ● Common for one-time passwords, etc ● Good policy frameworks
Kerberos/GSSAPI/SSPI ● Single signon ● Same benefits as LDAP (mostly) ● Most common: Active Directory ● («krb5» is deprecated)
Kerberos/GSSAPI/SSPI ● Single password not single signon PostgreSQL t Server nt ticke 3. Prese 1. Req u est tic ket Client 2. Ret urn tic KDC ket
PAM ● Provided by OS ● Can do password, LDAP, etc ● Can also do Kerberos & friends ● One-time passwords – RSA SecurID, Vasco, etc – RADIUS (no need in 9.0)
SSL
SSL secured connections ● Encryption ● Man-in-the-middle protection ● Authentication
SSL secured connections ● Enabled on the server (ssl=yes) – Platform quirks! ● Optionally required through pg_hba ● Optionally required in libpq
SSL secured connections ● Need to protect data in both directions ● For example username/password ● Must know before connection is started – Unknown equals unprotected
SSL encryption ● SSL always requires a server certificate ● Can be self-signed ● Does not need to be known by client
Certificate chains Issuer Root certificate Issuer Intermediate certificate Issuer Server certificate
Certificate chains Self-signed certificate Issuer Root certificate Issuer Intermediate certificate Issuer Server certificate
SSL secured connections Client Server
Threats handled by SSL: Eavesdropping SELECT * FROM secret_stuff Client Server
Eavesdropping ● Prevented by encrypting all data ● Key negotiation is automatic – On initial connection – After 512Mb traffic ● Server certificate used but not verified
Key renegotiation ● Broken in the SSL protocol – OOPS! ● Fixed SSL libraries are available ● Broken fixes were pushed by vendors ● ssl_renegotiation_limit = 512MB
Threats handled by SSL: Man in the middle Valid SSL session Valid SSL session Fake server Client Server
SSL server verification ● On top of encryption ● Validate that the server is who it claims to be ● CA issues certificate, can be self- signed ● CA certificate known by client
Threats handled by SSL: Man in the middle Valid SSL session Fake server Client Server
SSL client authentication ● On top of encryption ● Normally on top of server verificateion, but not necessary ● CA issued certificate on client ● Match CN on certificate to user id ● Protect client certificate!
SSL client authentication PostgreSQL te Server ertifica esent c 1. Pr Client
SSL client certificates ● Can also be used together with other authentication ● Require client certificate ● Also require e.g. username/password
SSL in libpq ● Controlled by sslmode parameter ● Or environment PGSSLMODE ● For security, must be set on client – Remember, unknown = unsecure
Summary of libpq SSL modes Compatible with server set Protect against Performance to... Client Eavesdrop MITM SSL required SSL disabled overhead Mode disable no no FAIL works no allow no no works works If necessary prefer no no works works If possible require yes no works FAIL yes verify-ca yes yes works FAIL yes verify-full yes yes works FAIL yes
Summary of libpq SSL modes Compatible with server set Protect against Performance to... Client Eavesdrop MITM SSL required SSL disabled overhead Mode disable no no FAIL works no allow no no works works If necessary prefer no no works works If possible require yes no works FAIL yes verify-ca yes yes works FAIL yes verify-full yes yes works FAIL yes
Summary of libpq SSL modes Compatible with server set Protect against Performance to... Client Eavesdrop MITM SSL required SSL disabled overhead Mode disable no no FAIL works no allow no no works works If necessary prefer no no works works If possible require yes no works FAIL yes verify-ca yes yes works FAIL yes verify-full yes yes works FAIL yes
Summary of libpq SSL modes Compatible with server set Protect against Performance to... Client Eavesdrop MITM SSL required SSL disabled overhead Mode disable no no FAIL works no allow no no works works If necessary prefer no no works works If possible require yes no works FAIL yes verify-ca yes yes works FAIL yes verify-full yes yes works FAIL yes
Not a bad idea: ipsec ● If already deployed ● Application transparent ● Global policies ● Integrated management ● Somebody Elses Problem?
Secure PostgreSQL Deployments Questions? magnus@hagander.net Twitter: @magnushagander http://blog.hagander.net

Recomendados

PGEncryption_Tutorial
PGEncryption_TutorialPGEncryption_Tutorial
PGEncryption_TutorialVibhor Kumar
 
PostgreSQL: Welcome To Total Security
PostgreSQL: Welcome To Total SecurityPostgreSQL: Welcome To Total Security
PostgreSQL: Welcome To Total SecurityRobert Bernier
 
PostgresOpen 2013 A Comparison of PostgreSQL Encryption Options
PostgresOpen 2013 A Comparison of PostgreSQL Encryption OptionsPostgresOpen 2013 A Comparison of PostgreSQL Encryption Options
PostgresOpen 2013 A Comparison of PostgreSQL Encryption OptionsFaisal Akber
 
Security Best Practices for your Postgres Deployment
Security Best Practices for your Postgres DeploymentSecurity Best Practices for your Postgres Deployment
Security Best Practices for your Postgres DeploymentPGConf APAC
 
Nginx - Tips and Tricks.
Nginx - Tips and Tricks.Nginx - Tips and Tricks.
Nginx - Tips and Tricks.Harish S
 
Load Balancing with Nginx
Load Balancing with NginxLoad Balancing with Nginx
Load Balancing with NginxMarian Marinov
 
Nginx dhruba mandal
Nginx dhruba mandalNginx dhruba mandal
Nginx dhruba mandalDhrubaji Mandal ♛
 
How to monitor NGINX
How to monitor NGINXHow to monitor NGINX
How to monitor NGINXServer Density
 

Recomendados

PGEncryption_Tutorial
PGEncryption_TutorialPGEncryption_Tutorial
PGEncryption_TutorialVibhor Kumar
 
PostgreSQL: Welcome To Total Security
PostgreSQL: Welcome To Total SecurityPostgreSQL: Welcome To Total Security
PostgreSQL: Welcome To Total SecurityRobert Bernier
 
PostgresOpen 2013 A Comparison of PostgreSQL Encryption Options
PostgresOpen 2013 A Comparison of PostgreSQL Encryption OptionsPostgresOpen 2013 A Comparison of PostgreSQL Encryption Options
PostgresOpen 2013 A Comparison of PostgreSQL Encryption OptionsFaisal Akber
 
Security Best Practices for your Postgres Deployment
Security Best Practices for your Postgres DeploymentSecurity Best Practices for your Postgres Deployment
Security Best Practices for your Postgres DeploymentPGConf APAC
 
Nginx - Tips and Tricks.
Nginx - Tips and Tricks.Nginx - Tips and Tricks.
Nginx - Tips and Tricks.Harish S
 
Load Balancing with Nginx
Load Balancing with NginxLoad Balancing with Nginx
Load Balancing with NginxMarian Marinov
 
Nginx dhruba mandal
Nginx dhruba mandalNginx dhruba mandal
Nginx dhruba mandalDhrubaji Mandal ♛
 
How to monitor NGINX
How to monitor NGINXHow to monitor NGINX
How to monitor NGINXServer Density
 
NGINX: High Performance Load Balancing
NGINX: High Performance Load BalancingNGINX: High Performance Load Balancing
NGINX: High Performance Load BalancingNGINX, Inc.
 
Ceph Day Melbourne - Troubleshooting Ceph
Ceph Day Melbourne - Troubleshooting Ceph Ceph Day Melbourne - Troubleshooting Ceph
Ceph Day Melbourne - Troubleshooting Ceph Ceph Community
 
NGINX High-performance Caching
NGINX High-performance CachingNGINX High-performance Caching
NGINX High-performance CachingNGINX, Inc.
 
A Performance Characterization of Postgres on Different Storage Systems
A Performance Characterization of Postgres on Different Storage SystemsA Performance Characterization of Postgres on Different Storage Systems
A Performance Characterization of Postgres on Different Storage SystemsDong Ye
 
Shootout at the AWS Corral
Shootout at the AWS CorralShootout at the AWS Corral
Shootout at the AWS CorralPostgreSQL Experts, Inc.
 
The Accidental DBA
The Accidental DBAThe Accidental DBA
The Accidental DBAPostgreSQL Experts, Inc.
 
Extending functionality in nginx, with modules!
Extending functionality in nginx, with modules!Extending functionality in nginx, with modules!
Extending functionality in nginx, with modules!Trygve Vea
 
제3회난공불락 오픈소스 인프라세미나 - MySQL
제3회난공불락 오픈소스 인프라세미나 - MySQL제3회난공불락 오픈소스 인프라세미나 - MySQL
제3회난공불락 오픈소스 인프라세미나 - MySQLTommy Lee
 
Deploying postgre sql on amazon ec2
Deploying postgre sql on amazon ec2 Deploying postgre sql on amazon ec2
Deploying postgre sql on amazon ec2 Denish Patel
 
Usenix LISA 2012 - Choosing a Proxy
Usenix LISA 2012 - Choosing a ProxyUsenix LISA 2012 - Choosing a Proxy
Usenix LISA 2012 - Choosing a ProxyLeif Hedstrom
 
High Availability Content Caching with NGINX
High Availability Content Caching with NGINXHigh Availability Content Caching with NGINX
High Availability Content Caching with NGINXKevin Jones
 
How To Set Up SQL Load Balancing with HAProxy - Slides
How To Set Up SQL Load Balancing with HAProxy - SlidesHow To Set Up SQL Load Balancing with HAProxy - Slides
How To Set Up SQL Load Balancing with HAProxy - SlidesSeveralnines
 
Varnish SSL / TLS
Varnish SSL / TLSVarnish SSL / TLS
Varnish SSL / TLSVarnish Software
 
Using NGINX as an Effective and Highly Available Content Cache
Using NGINX as an Effective and Highly Available Content CacheUsing NGINX as an Effective and Highly Available Content Cache
Using NGINX as an Effective and Highly Available Content CacheKevin Jones
 
Load Balancing MySQL with HAProxy - Slides
Load Balancing MySQL with HAProxy - SlidesLoad Balancing MySQL with HAProxy - Slides
Load Balancing MySQL with HAProxy - SlidesSeveralnines
 
Proxysql ha plam_2016_2_keynote
Proxysql ha plam_2016_2_keynoteProxysql ha plam_2016_2_keynote
Proxysql ha plam_2016_2_keynoteMarco Tusa
 
Introduction to NGINX web server
Introduction to NGINX web serverIntroduction to NGINX web server
Introduction to NGINX web serverMd Waresul Islam
 
ReplacingSquidWithATS
ReplacingSquidWithATSReplacingSquidWithATS
ReplacingSquidWithATSChiranjeevi Jaladi
 
Building your own CDN using Amazon EC2
Building your own CDN using Amazon EC2Building your own CDN using Amazon EC2
Building your own CDN using Amazon EC2SergeyChernyshev
 
Rate Limiting with NGINX and NGINX Plus
Rate Limiting with NGINX and NGINX PlusRate Limiting with NGINX and NGINX Plus
Rate Limiting with NGINX and NGINX PlusNGINX, Inc.
 
pg_hba.conf 이야기
pg_hba.conf 이야기pg_hba.conf 이야기
pg_hba.conf 이야기PgDay.Seoul
 
Postgres in Production - Best Practices 2014
Postgres in Production - Best Practices 2014Postgres in Production - Best Practices 2014
Postgres in Production - Best Practices 2014EDB
 

Mais conteúdo relacionado

Mais procurados

NGINX: High Performance Load Balancing
NGINX: High Performance Load BalancingNGINX: High Performance Load Balancing
NGINX: High Performance Load BalancingNGINX, Inc.
 
Ceph Day Melbourne - Troubleshooting Ceph
Ceph Day Melbourne - Troubleshooting Ceph Ceph Day Melbourne - Troubleshooting Ceph
Ceph Day Melbourne - Troubleshooting Ceph Ceph Community
 
NGINX High-performance Caching
NGINX High-performance CachingNGINX High-performance Caching
NGINX High-performance CachingNGINX, Inc.
 
A Performance Characterization of Postgres on Different Storage Systems
A Performance Characterization of Postgres on Different Storage SystemsA Performance Characterization of Postgres on Different Storage Systems
A Performance Characterization of Postgres on Different Storage SystemsDong Ye
 
Extending functionality in nginx, with modules!
Extending functionality in nginx, with modules!Extending functionality in nginx, with modules!
Extending functionality in nginx, with modules!Trygve Vea
 
제3회난공불락 오픈소스 인프라세미나 - MySQL
제3회난공불락 오픈소스 인프라세미나 - MySQL제3회난공불락 오픈소스 인프라세미나 - MySQL
제3회난공불락 오픈소스 인프라세미나 - MySQLTommy Lee
 
Deploying postgre sql on amazon ec2
Deploying postgre sql on amazon ec2 Deploying postgre sql on amazon ec2
Deploying postgre sql on amazon ec2 Denish Patel
 
Usenix LISA 2012 - Choosing a Proxy
Usenix LISA 2012 - Choosing a ProxyUsenix LISA 2012 - Choosing a Proxy
Usenix LISA 2012 - Choosing a ProxyLeif Hedstrom
 
High Availability Content Caching with NGINX
High Availability Content Caching with NGINXHigh Availability Content Caching with NGINX
High Availability Content Caching with NGINXKevin Jones
 
How To Set Up SQL Load Balancing with HAProxy - Slides
How To Set Up SQL Load Balancing with HAProxy - SlidesHow To Set Up SQL Load Balancing with HAProxy - Slides
How To Set Up SQL Load Balancing with HAProxy - SlidesSeveralnines
 
Using NGINX as an Effective and Highly Available Content Cache
Using NGINX as an Effective and Highly Available Content CacheUsing NGINX as an Effective and Highly Available Content Cache
Using NGINX as an Effective and Highly Available Content CacheKevin Jones
 
Load Balancing MySQL with HAProxy - Slides
Load Balancing MySQL with HAProxy - SlidesLoad Balancing MySQL with HAProxy - Slides
Load Balancing MySQL with HAProxy - SlidesSeveralnines
 
Proxysql ha plam_2016_2_keynote
Proxysql ha plam_2016_2_keynoteProxysql ha plam_2016_2_keynote
Proxysql ha plam_2016_2_keynoteMarco Tusa
 
Introduction to NGINX web server
Introduction to NGINX web serverIntroduction to NGINX web server
Introduction to NGINX web serverMd Waresul Islam
 
Building your own CDN using Amazon EC2
Building your own CDN using Amazon EC2Building your own CDN using Amazon EC2
Building your own CDN using Amazon EC2SergeyChernyshev
 
Rate Limiting with NGINX and NGINX Plus
Rate Limiting with NGINX and NGINX PlusRate Limiting with NGINX and NGINX Plus
Rate Limiting with NGINX and NGINX PlusNGINX, Inc.
 

Mais procurados (20)

NGINX: High Performance Load Balancing
NGINX: High Performance Load BalancingNGINX: High Performance Load Balancing
NGINX: High Performance Load Balancing
 
Ceph Day Melbourne - Troubleshooting Ceph
Ceph Day Melbourne - Troubleshooting Ceph Ceph Day Melbourne - Troubleshooting Ceph
Ceph Day Melbourne - Troubleshooting Ceph
 
NGINX High-performance Caching
NGINX High-performance CachingNGINX High-performance Caching
NGINX High-performance Caching
 
A Performance Characterization of Postgres on Different Storage Systems
A Performance Characterization of Postgres on Different Storage SystemsA Performance Characterization of Postgres on Different Storage Systems
A Performance Characterization of Postgres on Different Storage Systems
 
Shootout at the AWS Corral
Shootout at the AWS CorralShootout at the AWS Corral
Shootout at the AWS Corral
 
The Accidental DBA
The Accidental DBAThe Accidental DBA
The Accidental DBA
 
Extending functionality in nginx, with modules!
Extending functionality in nginx, with modules!Extending functionality in nginx, with modules!
Extending functionality in nginx, with modules!
 
제3회난공불락 오픈소스 인프라세미나 - MySQL
제3회난공불락 오픈소스 인프라세미나 - MySQL제3회난공불락 오픈소스 인프라세미나 - MySQL
제3회난공불락 오픈소스 인프라세미나 - MySQL
 
Deploying postgre sql on amazon ec2
Deploying postgre sql on amazon ec2 Deploying postgre sql on amazon ec2
Deploying postgre sql on amazon ec2
 
Usenix LISA 2012 - Choosing a Proxy
Usenix LISA 2012 - Choosing a ProxyUsenix LISA 2012 - Choosing a Proxy
Usenix LISA 2012 - Choosing a Proxy
 
High Availability Content Caching with NGINX
High Availability Content Caching with NGINXHigh Availability Content Caching with NGINX
High Availability Content Caching with NGINX
 
How To Set Up SQL Load Balancing with HAProxy - Slides
How To Set Up SQL Load Balancing with HAProxy - SlidesHow To Set Up SQL Load Balancing with HAProxy - Slides
How To Set Up SQL Load Balancing with HAProxy - Slides
 
Varnish SSL / TLS
Varnish SSL / TLSVarnish SSL / TLS
Varnish SSL / TLS
 
Using NGINX as an Effective and Highly Available Content Cache
Using NGINX as an Effective and Highly Available Content CacheUsing NGINX as an Effective and Highly Available Content Cache
Using NGINX as an Effective and Highly Available Content Cache
 
Load Balancing MySQL with HAProxy - Slides
Load Balancing MySQL with HAProxy - SlidesLoad Balancing MySQL with HAProxy - Slides
Load Balancing MySQL with HAProxy - Slides
 
Proxysql ha plam_2016_2_keynote
Proxysql ha plam_2016_2_keynoteProxysql ha plam_2016_2_keynote
Proxysql ha plam_2016_2_keynote
 
Introduction to NGINX web server
Introduction to NGINX web serverIntroduction to NGINX web server
Introduction to NGINX web server
 
ReplacingSquidWithATS
ReplacingSquidWithATSReplacingSquidWithATS
ReplacingSquidWithATS
 
Building your own CDN using Amazon EC2
Building your own CDN using Amazon EC2Building your own CDN using Amazon EC2
Building your own CDN using Amazon EC2
 
Rate Limiting with NGINX and NGINX Plus
Rate Limiting with NGINX and NGINX PlusRate Limiting with NGINX and NGINX Plus
Rate Limiting with NGINX and NGINX Plus
 

Destaque

pg_hba.conf 이야기
pg_hba.conf 이야기pg_hba.conf 이야기
pg_hba.conf 이야기PgDay.Seoul
 
Postgres in Production - Best Practices 2014
Postgres in Production - Best Practices 2014Postgres in Production - Best Practices 2014
Postgres in Production - Best Practices 2014EDB
 
Introduction to Vacuum Freezing and XID
Introduction to Vacuum Freezing and XIDIntroduction to Vacuum Freezing and XID
Introduction to Vacuum Freezing and XIDPGConf APAC
 
Java Generics Past, Present and Future - Richard Warburton, Raoul-Gabriel Urma
Java Generics Past, Present and Future - Richard Warburton, Raoul-Gabriel UrmaJava Generics Past, Present and Future - Richard Warburton, Raoul-Gabriel Urma
Java Generics Past, Present and Future - Richard Warburton, Raoul-Gabriel UrmaJAXLondon_Conference
 
PostgreSQL Portland Performance Practice Project - Database Test 2 Filesystem...
PostgreSQL Portland Performance Practice Project - Database Test 2 Filesystem...PostgreSQL Portland Performance Practice Project - Database Test 2 Filesystem...
PostgreSQL Portland Performance Practice Project - Database Test 2 Filesystem...Mark Wong
 
24/7 Monitoring and Alerting of PostgreSQL
24/7 Monitoring and Alerting of PostgreSQL24/7 Monitoring and Alerting of PostgreSQL
24/7 Monitoring and Alerting of PostgreSQLInMobi Technology
 
Achieving Pci Compliace
Achieving Pci CompliaceAchieving Pci Compliace
Achieving Pci CompliaceDenish Patel
 
Microservices Past, Present, Future
Microservices Past, Present, FutureMicroservices Past, Present, Future
Microservices Past, Present, FutureDavid Dawson
 
PostgreSQL: Past present Future
PostgreSQL: Past present FuturePostgreSQL: Past present Future
PostgreSQL: Past present FuturePGConf APAC
 
PostgreSQL Enterprise Class Features and Capabilities
PostgreSQL Enterprise Class Features and CapabilitiesPostgreSQL Enterprise Class Features and Capabilities
PostgreSQL Enterprise Class Features and CapabilitiesPGConf APAC
 
Managing replication of PostgreSQL, Simon Riggs
Managing replication of PostgreSQL, Simon RiggsManaging replication of PostgreSQL, Simon Riggs
Managing replication of PostgreSQL, Simon RiggsFuenteovejuna
 
On The Building Of A PostgreSQL Cluster
On The Building Of A PostgreSQL ClusterOn The Building Of A PostgreSQL Cluster
On The Building Of A PostgreSQL ClusterSrihari Sriraman
 
Lightening Talk - PostgreSQL Worst Practices
Lightening Talk - PostgreSQL Worst PracticesLightening Talk - PostgreSQL Worst Practices
Lightening Talk - PostgreSQL Worst PracticesPGConf APAC
 
Lessons PostgreSQL learned from commercial databases, and didn’t
Lessons PostgreSQL learned from commercial databases, and didn’tLessons PostgreSQL learned from commercial databases, and didn’t
Lessons PostgreSQL learned from commercial databases, and didn’tPGConf APAC
 
PostgreSQL WAL for DBAs
PostgreSQL WAL for DBAs PostgreSQL WAL for DBAs
PostgreSQL WAL for DBAs PGConf APAC
 
How to teach an elephant to rock'n'roll
How to teach an elephant to rock'n'rollHow to teach an elephant to rock'n'roll
How to teach an elephant to rock'n'rollPGConf APAC
 
PostgreSQL on Amazon RDS
PostgreSQL on Amazon RDSPostgreSQL on Amazon RDS
PostgreSQL on Amazon RDSPGConf APAC
 
Past, Present, and Future Analysis of the Architectural & Engineering Design ...
Past, Present, and Future Analysis of the Architectural & Engineering Design ...Past, Present, and Future Analysis of the Architectural & Engineering Design ...
Past, Present, and Future Analysis of the Architectural & Engineering Design ...Lisa Dehner
 
PgDay Asia 2016 - Security Best Practices for your Postgres Deployment
PgDay Asia 2016 - Security Best Practices for your Postgres DeploymentPgDay Asia 2016 - Security Best Practices for your Postgres Deployment
PgDay Asia 2016 - Security Best Practices for your Postgres DeploymentAshnikbiz
 

Destaque (20)

pg_hba.conf 이야기
pg_hba.conf 이야기pg_hba.conf 이야기
pg_hba.conf 이야기
 
Postgres in Production - Best Practices 2014
Postgres in Production - Best Practices 2014Postgres in Production - Best Practices 2014
Postgres in Production - Best Practices 2014
 
Introduction to Vacuum Freezing and XID
Introduction to Vacuum Freezing and XIDIntroduction to Vacuum Freezing and XID
Introduction to Vacuum Freezing and XID
 
Java Generics Past, Present and Future - Richard Warburton, Raoul-Gabriel Urma
Java Generics Past, Present and Future - Richard Warburton, Raoul-Gabriel UrmaJava Generics Past, Present and Future - Richard Warburton, Raoul-Gabriel Urma
Java Generics Past, Present and Future - Richard Warburton, Raoul-Gabriel Urma
 
PostgreSQL Portland Performance Practice Project - Database Test 2 Filesystem...
PostgreSQL Portland Performance Practice Project - Database Test 2 Filesystem...PostgreSQL Portland Performance Practice Project - Database Test 2 Filesystem...
PostgreSQL Portland Performance Practice Project - Database Test 2 Filesystem...
 
24/7 Monitoring and Alerting of PostgreSQL
24/7 Monitoring and Alerting of PostgreSQL24/7 Monitoring and Alerting of PostgreSQL
24/7 Monitoring and Alerting of PostgreSQL
 
Achieving Pci Compliace
Achieving Pci CompliaceAchieving Pci Compliace
Achieving Pci Compliace
 
Microservices Past, Present, Future
Microservices Past, Present, FutureMicroservices Past, Present, Future
Microservices Past, Present, Future
 
PostgreSQL: Past present Future
PostgreSQL: Past present FuturePostgreSQL: Past present Future
PostgreSQL: Past present Future
 
5 Steps to PostgreSQL Performance
5 Steps to PostgreSQL Performance5 Steps to PostgreSQL Performance
5 Steps to PostgreSQL Performance
 
PostgreSQL Enterprise Class Features and Capabilities
PostgreSQL Enterprise Class Features and CapabilitiesPostgreSQL Enterprise Class Features and Capabilities
PostgreSQL Enterprise Class Features and Capabilities
 
Managing replication of PostgreSQL, Simon Riggs
Managing replication of PostgreSQL, Simon RiggsManaging replication of PostgreSQL, Simon Riggs
Managing replication of PostgreSQL, Simon Riggs
 
On The Building Of A PostgreSQL Cluster
On The Building Of A PostgreSQL ClusterOn The Building Of A PostgreSQL Cluster
On The Building Of A PostgreSQL Cluster
 
Lightening Talk - PostgreSQL Worst Practices
Lightening Talk - PostgreSQL Worst PracticesLightening Talk - PostgreSQL Worst Practices
Lightening Talk - PostgreSQL Worst Practices
 
Lessons PostgreSQL learned from commercial databases, and didn’t
Lessons PostgreSQL learned from commercial databases, and didn’tLessons PostgreSQL learned from commercial databases, and didn’t
Lessons PostgreSQL learned from commercial databases, and didn’t
 
PostgreSQL WAL for DBAs
PostgreSQL WAL for DBAs PostgreSQL WAL for DBAs
PostgreSQL WAL for DBAs
 
How to teach an elephant to rock'n'roll
How to teach an elephant to rock'n'rollHow to teach an elephant to rock'n'roll
How to teach an elephant to rock'n'roll
 
PostgreSQL on Amazon RDS
PostgreSQL on Amazon RDSPostgreSQL on Amazon RDS
PostgreSQL on Amazon RDS
 
Past, Present, and Future Analysis of the Architectural & Engineering Design ...
Past, Present, and Future Analysis of the Architectural & Engineering Design ...Past, Present, and Future Analysis of the Architectural & Engineering Design ...
Past, Present, and Future Analysis of the Architectural & Engineering Design ...
 
PgDay Asia 2016 - Security Best Practices for your Postgres Deployment
PgDay Asia 2016 - Security Best Practices for your Postgres DeploymentPgDay Asia 2016 - Security Best Practices for your Postgres Deployment
PgDay Asia 2016 - Security Best Practices for your Postgres Deployment
 

Semelhante a Secure PostgreSQL deployment

Protecting MySQL Network traffic
Protecting MySQL Network trafficProtecting MySQL Network traffic
Protecting MySQL Network trafficDaniël van Eeden
 
RedisConf17 - Operationalizing Redis at Scale
RedisConf17 - Operationalizing Redis at ScaleRedisConf17 - Operationalizing Redis at Scale
RedisConf17 - Operationalizing Redis at ScaleRedis Labs
 
Ssl (Secure Sockets Layer)
Ssl (Secure Sockets Layer)Ssl (Secure Sockets Layer)
Ssl (Secure Sockets Layer)Asad Ali
 
Training Slides: 302 - Securing Your Cluster With SSL
Training Slides: 302 - Securing Your Cluster With SSLTraining Slides: 302 - Securing Your Cluster With SSL
Training Slides: 302 - Securing Your Cluster With SSLContinuent
 
Securing Your MongoDB Deployment
Securing Your MongoDB DeploymentSecuring Your MongoDB Deployment
Securing Your MongoDB DeploymentMongoDB
 
Securing Cassandra The Right Way
Securing Cassandra The Right WaySecuring Cassandra The Right Way
Securing Cassandra The Right WayDataStax Academy
 
Cassandra and security
Cassandra and securityCassandra and security
Cassandra and securityBen Bromhead
 
Instaclustr: Securing Cassandra
Instaclustr: Securing CassandraInstaclustr: Securing Cassandra
Instaclustr: Securing CassandraDataStax Academy
 
Securing Cassandra
Securing CassandraSecuring Cassandra
Securing CassandraInstaclustr
 
SSL Checklist for Pentesters (BSides MCR 2014)
SSL Checklist for Pentesters (BSides MCR 2014)SSL Checklist for Pentesters (BSides MCR 2014)
SSL Checklist for Pentesters (BSides MCR 2014)Jerome Smith
 
What is SSL ? The Secure Sockets Layer (SSL) Protocol
What is SSL ? The Secure Sockets Layer (SSL) ProtocolWhat is SSL ? The Secure Sockets Layer (SSL) Protocol
What is SSL ? The Secure Sockets Layer (SSL) ProtocolMohammed Adam
 
Using MCollective with Chef - cfgmgmtcamp.eu 2014
Using MCollective with Chef - cfgmgmtcamp.eu 2014Using MCollective with Chef - cfgmgmtcamp.eu 2014
Using MCollective with Chef - cfgmgmtcamp.eu 2014Zachary Stevens
 
NetScaler and advanced networking in cloudstack
NetScaler and advanced networking in cloudstackNetScaler and advanced networking in cloudstack
NetScaler and advanced networking in cloudstackDeepak Garg
 

Semelhante a Secure PostgreSQL deployment (20)

Protecting MySQL Network traffic
Protecting MySQL Network trafficProtecting MySQL Network traffic
Protecting MySQL Network traffic
 
RedisConf17 - Operationalizing Redis at Scale
RedisConf17 - Operationalizing Redis at ScaleRedisConf17 - Operationalizing Redis at Scale
RedisConf17 - Operationalizing Redis at Scale
 
fengmei.ppt
fengmei.pptfengmei.ppt
fengmei.ppt
 
Ssl (Secure Sockets Layer)
Ssl (Secure Sockets Layer)Ssl (Secure Sockets Layer)
Ssl (Secure Sockets Layer)
 
fengmei.ppt
fengmei.pptfengmei.ppt
fengmei.ppt
 
Training Slides: 302 - Securing Your Cluster With SSL
Training Slides: 302 - Securing Your Cluster With SSLTraining Slides: 302 - Securing Your Cluster With SSL
Training Slides: 302 - Securing Your Cluster With SSL
 
Securing Your MongoDB Deployment
Securing Your MongoDB DeploymentSecuring Your MongoDB Deployment
Securing Your MongoDB Deployment
 
Securing Cassandra The Right Way
Securing Cassandra The Right WaySecuring Cassandra The Right Way
Securing Cassandra The Right Way
 
Cassandra and security
Cassandra and securityCassandra and security
Cassandra and security
 
Instaclustr: Securing Cassandra
Instaclustr: Securing CassandraInstaclustr: Securing Cassandra
Instaclustr: Securing Cassandra
 
Securing Cassandra
Securing CassandraSecuring Cassandra
Securing Cassandra
 
Web security 101
Web security 101Web security 101
Web security 101
 
Websec
WebsecWebsec
Websec
 
320.1-Cryptography
320.1-Cryptography320.1-Cryptography
320.1-Cryptography
 
SSL Checklist for Pentesters (BSides MCR 2014)
SSL Checklist for Pentesters (BSides MCR 2014)SSL Checklist for Pentesters (BSides MCR 2014)
SSL Checklist for Pentesters (BSides MCR 2014)
 
What is SSL ? The Secure Sockets Layer (SSL) Protocol
What is SSL ? The Secure Sockets Layer (SSL) ProtocolWhat is SSL ? The Secure Sockets Layer (SSL) Protocol
What is SSL ? The Secure Sockets Layer (SSL) Protocol
 
TLS and Certificates
TLS and CertificatesTLS and Certificates
TLS and Certificates
 
Using MCollective with Chef - cfgmgmtcamp.eu 2014
Using MCollective with Chef - cfgmgmtcamp.eu 2014Using MCollective with Chef - cfgmgmtcamp.eu 2014
Using MCollective with Chef - cfgmgmtcamp.eu 2014
 
ssl
sslssl
ssl
 
NetScaler and advanced networking in cloudstack
NetScaler and advanced networking in cloudstackNetScaler and advanced networking in cloudstack
NetScaler and advanced networking in cloudstack
 

Mais de Command Prompt., Inc

Howdah - An Application using Pylons, PostgreSQL, Simpycity and Exceptable
Howdah - An Application using Pylons, PostgreSQL, Simpycity and ExceptableHowdah - An Application using Pylons, PostgreSQL, Simpycity and Exceptable
Howdah - An Application using Pylons, PostgreSQL, Simpycity and ExceptableCommand Prompt., Inc
 
Mastering PostgreSQL Administration
Mastering PostgreSQL AdministrationMastering PostgreSQL Administration
Mastering PostgreSQL AdministrationCommand Prompt., Inc
 
Replication using PostgreSQL Replicator
Replication using PostgreSQL ReplicatorReplication using PostgreSQL Replicator
Replication using PostgreSQL ReplicatorCommand Prompt., Inc
 
Python utilities for data presentation
Python utilities for data presentationPython utilities for data presentation
Python utilities for data presentationCommand Prompt., Inc
 
PostgreSQL, Extensible to the Nth Degree: Functions, Languages, Types, Rules,...
PostgreSQL, Extensible to the Nth Degree: Functions, Languages, Types, Rules,...PostgreSQL, Extensible to the Nth Degree: Functions, Languages, Types, Rules,...
PostgreSQL, Extensible to the Nth Degree: Functions, Languages, Types, Rules,...Command Prompt., Inc
 
pg_proctab: Accessing System Stats in PostgreSQL
pg_proctab: Accessing System Stats in PostgreSQLpg_proctab: Accessing System Stats in PostgreSQL
pg_proctab: Accessing System Stats in PostgreSQLCommand Prompt., Inc
 
Not Just UNIQUE: Generalized Index Constraints
Not Just UNIQUE: Generalized Index ConstraintsNot Just UNIQUE: Generalized Index Constraints
Not Just UNIQUE: Generalized Index ConstraintsCommand Prompt., Inc
 
Implementing the Future of PostgreSQL Clustering with Tungsten
Implementing the Future of PostgreSQL Clustering with TungstenImplementing the Future of PostgreSQL Clustering with Tungsten
Implementing the Future of PostgreSQL Clustering with TungstenCommand Prompt., Inc
 
Elephant Roads: a tour of Postgres forks
Elephant Roads: a tour of Postgres forksElephant Roads: a tour of Postgres forks
Elephant Roads: a tour of Postgres forksCommand Prompt., Inc
 
configuring a warm standby, the easy way
configuring a warm standby, the easy wayconfiguring a warm standby, the easy way
configuring a warm standby, the easy wayCommand Prompt., Inc
 
Normalization: A Workshop for Everybody Pt. 2
Normalization: A Workshop for Everybody Pt. 2Normalization: A Workshop for Everybody Pt. 2
Normalization: A Workshop for Everybody Pt. 2Command Prompt., Inc
 
Normalization: A Workshop for Everybody Pt. 1
Normalization: A Workshop for Everybody Pt. 1Normalization: A Workshop for Everybody Pt. 1
Normalization: A Workshop for Everybody Pt. 1Command Prompt., Inc
 
Integrating PostGIS in Web Applications
Integrating PostGIS in Web ApplicationsIntegrating PostGIS in Web Applications
Integrating PostGIS in Web ApplicationsCommand Prompt., Inc
 

Mais de Command Prompt., Inc (20)

Howdah - An Application using Pylons, PostgreSQL, Simpycity and Exceptable
Howdah - An Application using Pylons, PostgreSQL, Simpycity and ExceptableHowdah - An Application using Pylons, PostgreSQL, Simpycity and Exceptable
Howdah - An Application using Pylons, PostgreSQL, Simpycity and Exceptable
 
Backup and-recovery2
Backup and-recovery2Backup and-recovery2
Backup and-recovery2
 
Mastering PostgreSQL Administration
Mastering PostgreSQL AdministrationMastering PostgreSQL Administration
Mastering PostgreSQL Administration
 
Temporal Data
Temporal DataTemporal Data
Temporal Data
 
Replication using PostgreSQL Replicator
Replication using PostgreSQL ReplicatorReplication using PostgreSQL Replicator
Replication using PostgreSQL Replicator
 
Go replicator
Go replicatorGo replicator
Go replicator
 
Pg migrator
Pg migratorPg migrator
Pg migrator
 
Python utilities for data presentation
Python utilities for data presentationPython utilities for data presentation
Python utilities for data presentation
 
PostgreSQL, Extensible to the Nth Degree: Functions, Languages, Types, Rules,...
PostgreSQL, Extensible to the Nth Degree: Functions, Languages, Types, Rules,...PostgreSQL, Extensible to the Nth Degree: Functions, Languages, Types, Rules,...
PostgreSQL, Extensible to the Nth Degree: Functions, Languages, Types, Rules,...
 
pg_proctab: Accessing System Stats in PostgreSQL
pg_proctab: Accessing System Stats in PostgreSQLpg_proctab: Accessing System Stats in PostgreSQL
pg_proctab: Accessing System Stats in PostgreSQL
 
Not Just UNIQUE: Generalized Index Constraints
Not Just UNIQUE: Generalized Index ConstraintsNot Just UNIQUE: Generalized Index Constraints
Not Just UNIQUE: Generalized Index Constraints
 
Implementing the Future of PostgreSQL Clustering with Tungsten
Implementing the Future of PostgreSQL Clustering with TungstenImplementing the Future of PostgreSQL Clustering with Tungsten
Implementing the Future of PostgreSQL Clustering with Tungsten
 
Elephant Roads: a tour of Postgres forks
Elephant Roads: a tour of Postgres forksElephant Roads: a tour of Postgres forks
Elephant Roads: a tour of Postgres forks
 
configuring a warm standby, the easy way
configuring a warm standby, the easy wayconfiguring a warm standby, the easy way
configuring a warm standby, the easy way
 
Bucardo
BucardoBucardo
Bucardo
 
Basic Query Tuning Primer
Basic Query Tuning PrimerBasic Query Tuning Primer
Basic Query Tuning Primer
 
A Practical Multi-Tenant Cluster
A Practical Multi-Tenant ClusterA Practical Multi-Tenant Cluster
A Practical Multi-Tenant Cluster
 
Normalization: A Workshop for Everybody Pt. 2
Normalization: A Workshop for Everybody Pt. 2Normalization: A Workshop for Everybody Pt. 2
Normalization: A Workshop for Everybody Pt. 2
 
Normalization: A Workshop for Everybody Pt. 1
Normalization: A Workshop for Everybody Pt. 1Normalization: A Workshop for Everybody Pt. 1
Normalization: A Workshop for Everybody Pt. 1
 
Integrating PostGIS in Web Applications
Integrating PostGIS in Web ApplicationsIntegrating PostGIS in Web Applications
Integrating PostGIS in Web Applications
 

Secure PostgreSQL deployment

  • 1. Secure PostgreSQL Deployments JDCon-East 2010 Philadelphia, PA Magnus Hagander Redpill Linpro AB
  • 2. There's much to security ● Identify the threats ● Apply the correct measures – Don't do things just because you can
  • 3. Not in this talk ● Application security ● Data Access Control ● Data Encryption ● etc ● etc
  • 4. Definitely not in this talk ● Unix vs Windows ● Linux vs BSD ● SELinux/SEPostgreSQL ● Any other religion
  • 5. In this talk! ● Authentication methods ● Connection security
  • 6. Authentication methods ● How do we determine who the user is ● When do we determine who the user is
  • 7. pg_hba.conf ● Lets you use different auth methods from different clients ● Not just limited to username/password ● For convenience or security ● Internal or external
  • 8. pg_hba.conf local all all trust host all all 127.0.0.1/32 trust host webdb webuser 10.0.0.0/24 md5 host all @dba 192.168.0.0/24 gss
  • 9. Trust Authentication ● Any user can be anyone he/she claims to be!
  • 10. Trust Authentication ● Any user can be anyone he/she claims to be! ● Anyone think this is a bad idea?
  • 11. Username/password ● Normally, use md5 method – crypt has been removed, avoid plaintext ● What everybody does ● What everybody expects
  • 12. LDAP authentication ● To the client, username/password ● Backend verification is off-loaded to directory server ● Common in enterprise deployments ● Password policies, expiry, etc
  • 13. LDAP authentication ● Single password not single signon PostgreSQL ct Server onne 1. C sw o rd pa s qu est ord 2. Re assw e nd p 3. S Client LDAP Server
  • 14. LDAP news in 9.0 ● search/bind combination ● Can use non-cn fields in login – Anything that's LDAP searchable – Common choice: uid
  • 15. RADIUS (new in 9.0) ● Remote Authentication Dial In User Service ● Simple single-packet UDP service ● Original use-case: ISP dialup ● Common for one-time passwords, etc ● Good policy frameworks
  • 16. Kerberos/GSSAPI/SSPI ● Single signon ● Same benefits as LDAP (mostly) ● Most common: Active Directory ● («krb5» is deprecated)
  • 17. Kerberos/GSSAPI/SSPI ● Single password not single signon PostgreSQL t Server nt ticke 3. Prese 1. Req u est tic ket Client 2. Ret urn tic KDC ket
  • 18. PAM ● Provided by OS ● Can do password, LDAP, etc ● Can also do Kerberos & friends ● One-time passwords – RSA SecurID, Vasco, etc – RADIUS (no need in 9.0)
  • 19. SSL
  • 20. SSL secured connections ● Encryption ● Man-in-the-middle protection ● Authentication
  • 21. SSL secured connections ● Enabled on the server (ssl=yes) – Platform quirks! ● Optionally required through pg_hba ● Optionally required in libpq
  • 22. SSL secured connections ● Need to protect data in both directions ● For example username/password ● Must know before connection is started – Unknown equals unprotected
  • 23. SSL encryption ● SSL always requires a server certificate ● Can be self-signed ● Does not need to be known by client
  • 24. Certificate chains Issuer Root certificate Issuer Intermediate certificate Issuer Server certificate
  • 25. Certificate chains Self-signed certificate Issuer Root certificate Issuer Intermediate certificate Issuer Server certificate
  • 27. Threats handled by SSL: Eavesdropping SELECT * FROM secret_stuff Client Server
  • 28. Eavesdropping ● Prevented by encrypting all data ● Key negotiation is automatic – On initial connection – After 512Mb traffic ● Server certificate used but not verified
  • 29. Key renegotiation ● Broken in the SSL protocol – OOPS! ● Fixed SSL libraries are available ● Broken fixes were pushed by vendors ● ssl_renegotiation_limit = 512MB
  • 30. Threats handled by SSL: Man in the middle Valid SSL session Valid SSL session Fake server Client Server
  • 31. SSL server verification ● On top of encryption ● Validate that the server is who it claims to be ● CA issues certificate, can be self- signed ● CA certificate known by client
  • 32. Threats handled by SSL: Man in the middle Valid SSL session Fake server Client Server
  • 33. SSL client authentication ● On top of encryption ● Normally on top of server verificateion, but not necessary ● CA issued certificate on client ● Match CN on certificate to user id ● Protect client certificate!
  • 34. SSL client authentication PostgreSQL te Server ertifica esent c 1. Pr Client
  • 35. SSL client certificates ● Can also be used together with other authentication ● Require client certificate ● Also require e.g. username/password
  • 36. SSL in libpq ● Controlled by sslmode parameter ● Or environment PGSSLMODE ● For security, must be set on client – Remember, unknown = unsecure
  • 37. Summary of libpq SSL modes Compatible with server set Protect against Performance to... Client Eavesdrop MITM SSL required SSL disabled overhead Mode disable no no FAIL works no allow no no works works If necessary prefer no no works works If possible require yes no works FAIL yes verify-ca yes yes works FAIL yes verify-full yes yes works FAIL yes
  • 38. Summary of libpq SSL modes Compatible with server set Protect against Performance to... Client Eavesdrop MITM SSL required SSL disabled overhead Mode disable no no FAIL works no allow no no works works If necessary prefer no no works works If possible require yes no works FAIL yes verify-ca yes yes works FAIL yes verify-full yes yes works FAIL yes
  • 39. Summary of libpq SSL modes Compatible with server set Protect against Performance to... Client Eavesdrop MITM SSL required SSL disabled overhead Mode disable no no FAIL works no allow no no works works If necessary prefer no no works works If possible require yes no works FAIL yes verify-ca yes yes works FAIL yes verify-full yes yes works FAIL yes
  • 40. Summary of libpq SSL modes Compatible with server set Protect against Performance to... Client Eavesdrop MITM SSL required SSL disabled overhead Mode disable no no FAIL works no allow no no works works If necessary prefer no no works works If possible require yes no works FAIL yes verify-ca yes yes works FAIL yes verify-full yes yes works FAIL yes
  • 41. Not a bad idea: ipsec ● If already deployed ● Application transparent ● Global policies ● Integrated management ● Somebody Elses Problem?
  • 42. Secure PostgreSQL Deployments Questions? magnus@hagander.net Twitter: @magnushagander http://blog.hagander.net